futureboy

Reputation: 83

What does "Admin Only" mean for application permissions in Microsoft's Application Portal?

We have registered an application into Microsoft's Application Portal and I am trying to grant Mail.Read and User.Read application permissions to my app, but each permission when added shows "Admin Only", for example "Mail.Read (Admin Only)". Consequently, my application gets a 401 Unauthorized no matter what the request is. I'm not an administrator of the portal, just an owner of the application, but I am really confused as to why this "Admin Only" component is added to my application permissions.

Any help on this would be much appreciated, we have been blocked for days and Microsoft has not provided any support.

Upvotes: 1

Views: 1136

Answers (2)

Louis Simonetti III

Reputation: 156

This is due to the requirements of scope consent in the Microsoft Graph. Microsoft Graph has numerous permission scopes, each with a specific resource that scope would allow an application to access. When registering an application in the Azure AD portal, and the App Registration portal, the scopes are visible as well as the "Admin required" column. That column indicates the permission a user must possess in the Tenant in order to "Grant" access for that scope on the application. This is referred to a lot of times as "Admin Consent". Typically, these scopes require your tenant administrator to go into the Application Registration and Grant Consent to the scopes required for the application. The concepts of Admin Restricted Scopes can be found in the Azure AD Developer Documentation for Scopes.

Upvotes: 0

Michael Hufnagel

Reputation: 557

I am assuming you want to get access to graph without a user. The documentation specifies for this grant flow, that you need an administrator of the organization to consent to your app/the permissions your app needs.

Application permissions always require administrator consent. An administrator can either consent to these permissions using the Azure portal when your app is installed in their organization, or you can provide a sign-up experience in your app through which administrators can consent to the permissions you configured.

The reason for this is security. Mail.Read for example gives the app permission to read the mails of every user in the organization.

Upvotes: 1
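A practical way to confirm the diagnosis in the answer above (added example, not code from the question or either answer): build the v2.0 admin-consent URL an administrator must visit, and inspect the `roles` claim of the client-credentials token your app receives. If the application permissions you configured are absent from `roles`, consent has not been granted yet and Graph will keep rejecting requests. The tenant, client id and redirect URI below are constructed placeholders, and the sample token is a constructed, unsigned JWT for offline demonstration.

```python
import base64
import json
from typing import List, Set
from urllib.parse import urlencode

GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str) -> str:
    """v2.0 admin-consent URL a tenant administrator must open to grant the
    application permissions configured on the app registration."""
    query = urlencode({"client_id": client_id,
                       "scope": GRAPH_DEFAULT_SCOPE,
                       "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?{query}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_app_roles(access_token: str) -> Set[str]:
    """Application permissions carried in the token's 'roles' claim.
    The signature is NOT verified: this only inspects a token your own app
    just obtained, it is not an authorization check on tokens from others."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_app_roles(access_token: str, required: Set[str]) -> Set[str]:
    """Permissions the app needs but the token lacks. Non-empty means admin
    consent is still pending for those permissions (expect 401/403 from Graph)."""
    return required - granted_app_roles(access_token)


def _sample_token(roles: List[str]) -> str:
    """Constructed, unsigned sample token (alg=none) for offline demonstration."""
    header = base64.urlsafe_b64encode(b'{"alg":"none"}').rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com", "roles": roles}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{body}."


if __name__ == "__main__":
    print(admin_consent_url("contoso.onmicrosoft.com",
                            "00000000-0000-0000-0000-000000000000",
                            "https://app.example/consent"))
    needed = {"Mail.Read", "User.Read.All"}
    print("missing:", missing_app_roles(_sample_token(["User.Read.All"]), needed))
```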
