jamiecon

Reputation: 1812

Microsoft Graph PowerShell requires 'admin' consent for User.Read.All, when 'Allow user consent for apps' is selected

I have a requirement to list a subset of my AAD users, identify the manager, and disable the user if the manager is already disabled.

My account has the 'User Administrator' and 'Global Reader' AAD roles.

This task is easy to accomplish using the AzureAD PowerShell cmdlets, however I want to transition to the Microsoft Graph cmdlets.

I understand that I need the scope User.Read.All, so I execute the following command:

Connect-MgGraph -Scopes "User.Read.All"

When I log in via the web interface, I am shown a dialog stating that I need consent from an admin (which I understand to be a user with an AAD role of Global Administrator or Application Administrator).

In my tenant, under 'Enterprise Applications > User Consent Settings', the option 'Allow user consent for apps' is selected.

This seems like a step backwards to me. My user has the necessary permissions to perform the required actions, but because MS Graph uses an Enterprise App, I need an administrator to grant consent.

My questions are:

  1. Will the admin consent dialog appear every time I execute Connect-MgGraph with a given scope, or just the first time?

  2. Is there a way to achieve my requirement without admin consent?

Upvotes: 1

Views: 5680
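The task described in the question, written out in Microsoft Graph PowerShell as an added example (this is not code from the original post). It assumes the Microsoft.Graph.Users module is installed, that the "subset" of users is selected by a department filter (an assumption for illustration; substitute your own), and that the signed-in account has already been consented for User.Read.All and User.ReadWrite.All. Disabling an account is a write, so User.Read.All on its own is not enough. Without -Commit the script only reports what it would change.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users
# Added example, not code from the original post. Disables users whose manager is already
# disabled. Assumptions: the subset is chosen by a department filter (replace with your own),
# and the signed-in account has been consented for the two delegated scopes below.
param(
    [string]$Department = 'Finance',   # assumed selection criterion for illustration
    [switch]$Commit                    # without -Commit the script only reports what it would do
)

# User.Read.All reads other users and their manager link; disabling is a write, so
# User.ReadWrite.All is needed too. Both delegated scopes require admin consent, so the
# dialog from the question appears here on first use for this user (or for the tenant).
Connect-MgGraph -Scopes 'User.Read.All', 'User.ReadWrite.All'

$dept  = $Department -replace "'", "''"           # escape single quotes for the OData filter
$users = Get-MgUser -Filter "department eq '$dept'" `
                    -Property Id, DisplayName, UserPrincipalName, AccountEnabled -All

$managerState = @{}   # manager id -> AccountEnabled, so each manager is looked up once

foreach ($u in $users) {
    if ($u.AccountEnabled -eq $false) { continue }   # already disabled, nothing to do

    # /users/{id}/manager returns 404 when no manager is set; SilentlyContinue turns that into $null.
    $mgrRef = Get-MgUserManager -UserId $u.Id -ErrorAction SilentlyContinue
    if (-not $mgrRef) {
        Write-Verbose "$($u.UserPrincipalName): no manager assigned, skipping"
        continue
    }

    if (-not $managerState.ContainsKey($mgrRef.Id)) {
        # accountEnabled is not in the default property set, so select it explicitly.
        $mgr = Get-MgUser -UserId $mgrRef.Id -Property Id, DisplayName, AccountEnabled
        $managerState[$mgrRef.Id] = $mgr.AccountEnabled
    }

    # Only act on a definite $false; $null means the value could not be read, so do not guess.
    if ($managerState[$mgrRef.Id] -ne $false) { continue }

    $msg = "$($u.UserPrincipalName) (manager $($mgrRef.Id) is disabled)"
    if ($Commit) {
        Update-MgUser -UserId $u.Id -AccountEnabled:$false
        Write-Output "Disabled $msg"
    } else {
        Write-Output "Would disable $msg"
    }
}

Disconnect-MgGraph | Out-Null
```

Run it once without -Commit and review the "Would disable" lines before running it again with -Commit. Caching the manager lookup matters in practice: a disabled manager usually has many reports, and each of them would otherwise trigger a second Graph call for the same person.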

Answers (1)

scottwtang

Reputation: 2040

Question 1

Admin consent can be given in two contexts:

  1. On behalf of a specific user
  2. On behalf of your organization (all users)

In the admin consent dialog box, the context corresponds to the checkbox 'Consent on behalf of your organization'.


If you do not give consent on behalf of the entire organization, the admin consent dialog will appear for each user, until consent has been granted either for that user, or the entire organization.

Question 2

There are two types of permissions:

  1. Delegated (aka Scope)
  2. Application (aka Role)

All Application permissions require admin consent, and SOME delegated permissions require admin consent.

This document details which MS Graph permissions require admin consent, in the column 'Admin Consent Required':

Microsoft Graph permissions reference

You can see that the User.Read.All delegated permission is one that does require admin consent:

User.Read.All permission reference

There's no way around this without granting admin consent. This provides a way to control access to applications on a more granular level.

Upvotes: 2
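A way to check the 'Admin Consent Required' point from the shell before the dialog ever appears, as an added example that is not part of the answer above. Find-MgGraphPermission, which ships in the Microsoft.Graph.Authentication module, lists every Graph permission with a Consent value of Admin or User; the function below wraps it and reports which requested delegated scopes a non-admin cannot self-consent to. The three scope names passed in at the bottom are assumptions chosen for illustration (the one from the question, a write scope, and User.ReadBasic.All as a contrasting scope the permissions reference lists as not requiring admin consent).

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not code from the answer. Reports which requested delegated scopes need
# admin consent. Find-MgGraphPermission answers from a local cache; -Online refreshes that
# cache from the Microsoft Graph service principal and therefore needs an existing session.

function Test-MgScopeConsent {
    param(
        [Parameter(Mandatory)] [string[]]$Scopes,
        [switch]$Online
    )
    foreach ($s in $Scopes) {
        # SearchString matches substrings (e.g. 'User.Read.All' also hits 'User.Read.All' variants
        # in other scopes), so filter to the exact permission name afterwards.
        $perm = Find-MgGraphPermission -SearchString $s -PermissionType Delegated -Online:$Online |
                Where-Object Name -eq $s
        if (-not $perm) {
            [pscustomobject]@{ Scope = $s; Consent = 'Unknown'; Note = 'not a known delegated permission' }
            continue
        }
        [pscustomobject]@{
            Scope   = $perm.Name
            Consent = $perm.Consent      # 'Admin' or 'User'
            Note    = if ($perm.Consent -eq 'Admin') {
                          'an admin must consent, per user or on behalf of the organization'
                      } else {
                          'you can consent yourself when user consent is allowed'
                      }
        }
    }
}

# Assumed scopes for illustration (not from the original page).
$wanted = 'User.Read.All', 'User.ReadWrite.All', 'User.ReadBasic.All'
$report = Test-MgScopeConsent -Scopes $wanted
$report | Format-Table -AutoSize

$needsAdmin = $report | Where-Object Consent -eq 'Admin' | Select-Object -ExpandProperty Scope
if ($needsAdmin) {
    Write-Warning "These scopes need admin consent before Connect-MgGraph succeeds for a non-admin: $($needsAdmin -join ', ')"
}

# Request only what the task needs. The dialog is shown once per user, or once for the whole
# tenant if an admin ticks 'Consent on behalf of your organization' (see the answer above).
Connect-MgGraph -Scopes $wanted
```

Running the check first is also a useful habit when scripts are handed to other operators: the warning tells them up front that the first Connect-MgGraph will stop at the consent dialog rather than leaving them to discover it mid-run.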
