Rodrigo Rubio

Reputation: 1760

Microsoft Office365 APP graph api - nodejs

Trying to build a web app, but I'm finding different documentation all over the place and it all says something different. I would like to get a list of all rooms and meetings under Office 365 Azure Active Directory.

I'm now reading the following: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes but I'm confused about the following two options.

  1. Requesting individual user consent
  2. Request the permissions from a directory admin

Do you use one or the other? Or are they meant to be used in sequence? If I only use option 2, do I need a token? How is this requested?

Cheers

Upvotes: 0

Views: 267

Answers (1)

Nan Yu

Reputation: 27588

In Azure AD v2.0, an app can request the permissions it needs by using the scope query parameter. After the user enters their credentials, the v2.0 endpoint checks for a matching record of user consent. If the user has not consented to any of the requested permissions in the past, the v2.0 endpoint asks the user to grant the requested permissions. That is user consent.

On the other hand, an administrator can grant consent for the application to act on behalf of any employee. If the admin grants consent for the entire tenant, the organization's employees won't see a consent page for the application. That means that after admin consent, user consent is not needed during the OpenID Connect or OAuth 2.0 authorization request.

There are high-privilege permissions in the Microsoft ecosystem that can be set to admin-restricted, such as Microsoft Graph's Directory.Read. When your app requires access to admin-restricted scopes for organizations, you should request them directly from a company administrator, also by using the admin consent endpoint. In that scenario, user consent is not enough; you need to do admin consent. When an administrator grants these permissions via the admin consent endpoint, consent is granted for all users in the tenant (no user consent after admin consent).

After admin consent, you can use the OAuth 2.0 & OpenID Connect protocols to acquire a token for accessing protected resources, such as web APIs.

Upvotes: 1
