javac

Reputation: 461

Why I am able to access the users of a different tenant without adding any API permission to application in Azure Portal?

I created an application named MyApp in my Tenant A with multi-tenant access. Also, I didn't add any API permissions to it in the Azure Portal. I also removed the default User.Read permission.

After that, I implemented a backend project using the msal4j library. In the backend code, I sent the hardcoded scope Directory.ReadWrite.All.

After that, I ran the backend project. The project showed the Microsoft sign-in pop-up in the browser. I provided the credentials of an admin of another tenant named B (Tenant B has 16 users). After the successful sign-in, the "Permissions requested" pop-up appeared with a description of Directory.ReadWrite.All. This was normal, since I had added Directory.ReadWrite.All as a scope in my backend code.

After approving that requested permission as an admin of Tenant B, I could list the 16 users of Tenant B with the GET /users endpoint of the Microsoft Graph API. So MyApp, which was created in Tenant A, could access the users of Tenant B.

However, how was it possible? I didn't add any API permission to MyApp in the Azure Portal; you can see in the screenshot above that the list is empty. I expected to get an error like "Insufficient privileges" when accessing the GET /users endpoint, but I didn't. I could successfully access all 16 users although I didn't add the Directory.ReadWrite.All API permission to MyApp in the Azure Portal.

If sending Directory.ReadWrite.All as a scope from the backend project is enough to access the GET /users endpoint, why do we want to use API permissions in the Azure Portal?

Upvotes: 0

Views: 172

Answers (1)

juunas

Reputation: 58898

The Azure portal permissions are what we call static permissions. You use them with the ".default" special scope, e.g. https://graph.microsoft.com/.default.

When you specify a scope in the authentication request, that is a dynamic permission. It is a feature of the newer v2 endpoint that allows you to request the needed permissions at runtime instead of ahead of time. It's pretty nice for multi-tenant apps since updating permissions can be done more easily, and you can implement optional features better (that require additional permissions).

Docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent and https://learn.microsoft.com/en-us/azure/active-directory/develop/consent-framework

Upvotes: 1
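An added example (not the asker's or the answerer's code) that shows both modes the answer describes with msal4j: a static `.default` request, which resolves to whatever is listed under "API permissions" in the portal, and a dynamic request that names the scope at runtime, followed by a check of the scopes the token endpoint actually granted before any Graph call is made. `CLIENT_ID`, the redirect URI and the `common` authority are assumptions; listing users needs only User.ReadBasic.All or User.Read.All, not Directory.ReadWrite.All.

```java
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.InteractiveRequestParameters;
import com.microsoft.aad.msal4j.PublicClientApplication;

import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;

public class ConsentModes {
    // Placeholder (assumption): the application (client) id of MyApp in Tenant A.
    private static final String CLIENT_ID = "<application-client-id>";
    // "common" lets users of any tenant (e.g. an admin of Tenant B) sign in.
    private static final String AUTHORITY = "https://login.microsoftonline.com/common";
    private static final URI REDIRECT = URI.create("http://localhost");

    // Static permissions: ".default" requests exactly the permissions configured
    // in the portal. With an empty list, the token carries no Graph permission
    // and GET /users is refused with insufficient privileges.
    static final Set<String> STATIC_SCOPES =
            Collections.singleton("https://graph.microsoft.com/.default");

    // Dynamic permissions: the scope is named at runtime and shown on the consent
    // prompt regardless of the portal list, so request only what the call needs.
    static final Set<String> DYNAMIC_SCOPES =
            Collections.singleton("https://graph.microsoft.com/User.Read.All");

    static IAuthenticationResult acquire(Set<String> scopes) throws Exception {
        PublicClientApplication app = PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .build();
        InteractiveRequestParameters params = InteractiveRequestParameters
                .builder(REDIRECT)
                .scopes(scopes)
                .build();
        return app.acquireToken(params).join(); // opens the browser sign-in
    }

    // The token endpoint reports the scopes it actually granted (space separated);
    // check them instead of assuming the request was honoured.
    static boolean granted(IAuthenticationResult result, String permission) {
        return Arrays.asList(result.scopes().split(" ")).contains(permission);
    }

    public static void main(String[] args) throws Exception {
        IAuthenticationResult dynamic = acquire(DYNAMIC_SCOPES);
        System.out.println("granted scopes: " + dynamic.scopes());
        System.out.println("may call GET /users: " + granted(dynamic, "User.Read.All"));
    }
}
```

Running `acquire(STATIC_SCOPES)` against an app whose portal permission list is empty yields a token without the permission, which is the "Insufficient privileges" outcome the asker expected.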
