makerofthings7

Reputation: 61473

How do I determine if the logged in user is an O365 admin, able to use (prompt=admin_consent)

I want to hide the administrative portal / enrollment process from end users, and also want to prevent this Dead End GUI from appearing, if the user is not an administrator. (the only possible user flow is to hit Back a few times... bad UX)

AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators


To work around this UX issue, I want the user to

  1. Sign in first as an Org Admin
  2. Once a proper account is signed in, I'll ask them to provide consent via the prompt=admin_consent attribute

Question

How can I see if the logged in user is an admin of some org, and ideally, the display names, and OrgID(s)* they are an admin of.

* I believe it's possible to be an admin of more than one AzureB2C or Azure AD directory.

Upvotes: 4

Views: 1453

Answers (1)

Fei Xue

Reputation: 14649

To check whether the user is an admin of that tenant, we can use the Azure AD Graph REST API. We can use the REST call below to get all the roles/groups the user is assigned to.

GET: https://graph.windows.net/adfei.onmicrosoft.com/me/memberOf?api-version=1.6

And if the user was assigned the Global Admin role in a tenant, we get a response like the one below, and we can check for this role using the roleTemplateId property with the value 62e90394-69f5-4237-9190-012177145e10.

Upvotes: 5
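As an added example (not code from either poster), here is how an application could apply the check above before offering the admin_consent flow: call /me/memberOf, keep only the DirectoryRole entries, and test roleTemplateId against the Global Admin template. The fetch_member_of helper, the tenant name and the sample responses are assumptions; the sample JSON is constructed to mirror the shape of the Azure AD Graph memberOf response and is not a real capture.

```python
import json
import urllib.request

# roleTemplateId of the Global Administrator directory role (value quoted in the answer above)
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
GRAPH_BASE = "https://graph.windows.net"


def fetch_member_of(tenant: str, access_token: str) -> dict:
    """Hypothetical helper: GET /{tenant}/me/memberOf?api-version=1.6 with a bearer
    token that was issued for the Azure AD Graph resource. Not called by the checks below."""
    url = f"{GRAPH_BASE}/{tenant}/me/memberOf?api-version=1.6"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def directory_roles(member_of: dict) -> list:
    """Keep only DirectoryRole entries; group memberships say nothing about admin rights."""
    return [m for m in member_of.get("value", []) if m.get("objectType") == "Role"]


def is_global_admin(member_of: dict) -> bool:
    """True if any assigned directory role carries the Global Admin roleTemplateId.
    Matching on the template id rather than displayName is deliberate: the name shown
    for this role has differed between API versions, the template id has not."""
    return any(r.get("roleTemplateId", "").lower() == GLOBAL_ADMIN_TEMPLATE_ID
               for r in directory_roles(member_of))


# Constructed sample responses (shape only; objectIds are placeholders, not real values).
SAMPLE_ADMIN = {"value": [
    {"odata.type": "Microsoft.DirectoryServices.DirectoryRole", "objectType": "Role",
     "objectId": "00000000-0000-0000-0000-000000000001",
     "displayName": "Company Administrator",
     "roleTemplateId": "62e90394-69f5-4237-9190-012177145e10"},
    {"odata.type": "Microsoft.DirectoryServices.Group", "objectType": "Group",
     "objectId": "00000000-0000-0000-0000-000000000002", "displayName": "Sales"},
]}
SAMPLE_USER = {"value": [
    {"odata.type": "Microsoft.DirectoryServices.Group", "objectType": "Group",
     "objectId": "00000000-0000-0000-0000-000000000002", "displayName": "Sales"},
]}

if __name__ == "__main__":
    # Only show the enrollment portal / admin_consent prompt to a confirmed Global Admin.
    for label, sample in (("admin", SAMPLE_ADMIN), ("user", SAMPLE_USER)):
        print(label, "-> show admin_consent flow:", is_global_admin(sample))
```

The check covers only the tenant the token was issued for; for the multi-directory case in the question, the same call has to be made against each tenant the user signs in to.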
