How Tenant Admin Consents to App Permissions?

There are two ways in which a tenant admin can consent to the app permissions your app requested in the previous article:

  1. From within the Microsoft Entra ID Admin Center, and
  2. From within your app.

Let’s understand both methods, though the second one is the preferred approach, since the tenant admin probably does not have the time to open the Microsoft Entra ID Admin Center to approve the permissions your app is requesting.

Note: Since you have a Microsoft 365 E5 subscription at your disposal and are in the early stages of Microsoft 365 API based app development, you can try out the app you are developing as the tenant admin too.

From within the Microsoft Entra ID Admin Center

Once you are on the App registrations page of the Microsoft Entra ID Admin Center, select the app you configured earlier. Next, go to the API permissions tab and click the Grant admin consent for MSFT option. Click Yes in the Grant admin consent confirmation message to grant all the permissions requested by the app.

Microsoft Entra App Registrations page where all your Microsoft 365 API apps get listed. Steps involved in Microsoft 365 admin granting API permissions for an app.

Once the permission is granted for the app, the status of the API permissions turns to Granted for MSFT as shown in the image.

Image highlights how the status of an api permission changes to granted when the admin grants access permission for the api.

This is the Microsoft 365 login endpoint your app should call to get the tenant admin to consent to the delegated permissions your app is requesting. For testing purposes, you don’t need to make the call formally from your app. You just need to open this URL with your tenant ID and client ID filled in and see how the tenant admin can consent to the requested permissions.

Note: You should run a simple web server that serves the redirect URI path you configured while setting up the app, because this is the path to which the response gets returned. If you try to open the URL below without running the server, you’ll run into an error.

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?client_id={client-id}&response_type=code&redirect_uri=http://localhost:3000&scope=user.readwrite.all&response_mode=query

You’ll notice the following in the URL:

  • You need to pass in your tenant-id and client-id. This is how Microsoft recognizes your app and the Microsoft 365 tenant it is going to connect to or integrate with.
  • Next, you set the response_type parameter to code. Basically, you are asking for an authorization code in the response. This code is required to get the authentication token.
  • Then you tell Microsoft 365 where to send the response by declaring the redirect_uri parameter, which must be the redirect URI (http://localhost:3000) you set up earlier while configuring the app.
  • Then you pass in the scope [permission] the users or subscribers of your app need by declaring it within the scope param as user.readwrite.all.
  • response_mode – the param that specifies how the code is handed back to your redirect URI. This is set to query, meaning the code arrives as a query parameter in the request to your redirect URI.

You can see how executing the above URL requests tenant admin to grant app permissions using the animated GIF below.

Steps involved in tenant admin granting access permissions for your app.

Note: You can access your app’s API permissions page within the Microsoft Entra ID admin center and confirm whether the API permission has been granted or not.

Applying for Authorization Token

Once the tenant admin has consented to your app permissions, you receive a code in the response as shown below. You’ll have to pass this code on in order to get the authorization token (which authorizes your app and thereby lets it access the protected Microsoft Graph (Microsoft 365) APIs).

http://localhost:3000/?code=0.AT0AzAza6ijktkmmds-CSj44UIdl4_ajjltFuLFKwKUX2JShAAA.AgABAAIAAADnfolhJpSnRYB1SVj-Hgd8AgDs_wUA9P--Y067a42RnwdWb5jk9YRs2EBxUi3iNsQsO_4hvhpDX2IJ8T6zV4HDWqP7X5aaARRcXkwfs8JvfrIvS9WcqnHAM-0JPYYkgyFNxvSGc6rpRowUADRpZE3OV5aGy8SI8PA3zNtSTteglvK4QfB5rX4p2fgKQ7uIkYG4YMBvLedEC5rgwuxzTQGoHCRf6PicdijF-fAedFYZAkjETHuJAQxc-77lT0kDTuQnVtmXZhf8ss4s8P_EfI6SYDouZzCJwtnIxM1SMs5-4egI5P-nT1ZT7hyTwAEAyP2SCFwVPK6RNPO2mtYfML4lYcNzyPVgQumECoHZNtDh-Xhd9GBDknyrJR3zj2fntVEEyehh8Fwt-Z8tlzJbMFwZ9IqZBt7R_F8PfyRKqgcEOx9II_qFAuImZPdzGk_vQdyVFGU2IRGwtws3ujmju_8gPOgx_
2hIvqeZO12bdLofYDut3vX8eWGeJazHXKtqlwFZh54cJWJWck5C__-MkcbnvS6YY64Abvn53eEWaKn8XXNNj0VgupDaaa7hTXl_O5gZmptm-7zFhLZ3jRWdQMC_zi83osAfmS3dkwnYfZI1MtVZA-W7qHfNsOjYbQz916nh0cr-ybloaj0UwlaN0DxIH0gkvlAQ9wAMnK1fWcy82tmMjzxjP_PPoJrHzXuy5JDMboX0gND7piArhSNlnaM
&state=12345&session_state=6f7bce09-a87c-4ff9-82b8-cf937658f2e2#

Use Postman to make the API call for getting the authorization token. This is the endpoint you have to query to get the authorization token: https://login.microsoftonline.com/{your-tenant-id}/oauth2/v2.0/token. As you can see, you’ll have to pass in your tenant-id to this endpoint.

Your authentication token request should look like the one shown in the image below. It has to contain the code you received and the client_secret you generated earlier, among other things.

Demo of how the authentication token request along with the query parameters and values it should contain.

Other properties you need to pass in the request:

  • grant_type: should be set to authorization_code; basically, you are asking Microsoft Entra ID to exchange the authorization code generated for your app for a token.
  • redirect_uri: specifies the page your app gets redirected to once the authorization token is received as the response. For testing purposes, you can reuse the same redirect URI you added earlier in the app.
  • scope: pass in the API permission your app needs. Example: user.read
  • client_id: you should pass in your app id here.
  • client_secret: you should pass in the client secret you generated in the app here.
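The delegated-permission flow described above (the authorize URL, the redirect back to http://localhost:3000 carrying the code, and the token request body), as an added example that is not part of the original article. It assumes placeholder tenant/client IDs and adds a state value, which the article’s authorize URL omits but which shows up in the redirect it reproduces; the callback is a constructed sample, no network call is made.

```python
# Added example (not from the original article). Builds the authorize URL,
# validates the redirect that comes back on the local server, and prepares
# the authorization_code token request. All IDs and secrets are placeholders.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def build_authorize_url(tenant_id, client_id, redirect_uri, scope, state):
    """Authorization-code request: response_type=code, response_mode=query."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_mode": "query",
        "state": state,  # random per-session value, checked again on return
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Return the authorization code from the redirect URL, or raise.

    A callback whose state does not match the one we sent is discarded (it
    could be a forged or replayed redirect), and Entra error responses are
    surfaced instead of being mistaken for success."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"consent failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]


def token_request(tenant_id, client_id, client_secret, code, redirect_uri, scope):
    """Endpoint and form body for the POST that exchanges the code for a token."""
    return (f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in the authorize step
        "scope": scope,
    })


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("TENANT-ID", "CLIENT-ID", "http://localhost:3000",
                              "user.readwrite.all", state))
    # constructed callback, shaped like the one the local server receives
    cb = f"http://localhost:3000/?code=CONSTRUCTED-CODE&state={state}&session_state=x"
    print(token_request("TENANT-ID", "CLIENT-ID", "CLIENT-SECRET",
                        parse_callback(cb, state), "http://localhost:3000", "user.read"))
```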

Authentication Token Endpoint Response

You should receive the authentication token in the response as shown in the image. You’ll also notice that the response lists the app permissions (scope) too. Just like any auth token, it has an expiry time as well.

Demo of how the access token is sent back as response.

You need to make use of this authentication token in your subsequent requests to authorize your app when you query Microsoft Graph (or Microsoft 365) APIs.

This is the Microsoft 365 login endpoint your app should call to get the tenant admin to consent to the app permissions your app is requesting. For testing purposes, you don’t need to make the call formally from your app. You just need to open this URL with your tenant ID and client ID filled in and see how the tenant admin can consent to the requested permissions.

https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}&redirect_uri=http://localhost:8000

Note: You should run a simple web server that serves the redirect URI path you configured while setting up the app, because this is the path to which the response gets returned. If you try to open the URL below without running the server, you’ll run into an error while trying to grant permissions for the app as the tenant admin.

You’ll notice the following in the URL:

  • You need to pass in your tenant-id and client-id. This is how Microsoft recognizes your app and the Microsoft 365 tenant it is going to connect to or integrate with.
  • Then you tell Microsoft 365 where to send the response by declaring the redirect_uri parameter, which must be the redirect URI (http://localhost:8000 in the URL above) you set up earlier while configuring the app.

You can see how opening the above URL asks the tenant admin to grant app permissions in the animated GIF below. Also notice how the admin_consent parameter in the redirect is set to true when the tenant admin grants your app the required permissions.

Note: You can access your app’s API permissions page within the Microsoft Entra ID admin center and confirm whether the API permission has been granted or not.

Demo of how the tenant admin can grant api permissions to your app.

Applying for Authentication Token

Once the admin has consented to your app permissions, your app can apply for an auth token and authorize itself before it starts making Graph API calls. The token endpoint it has to query is the same one used earlier:

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

As you can see, you’ll have to pass in your tenant-id to this endpoint; the client-id goes in the request body.

Use Postman to make the API call for getting the authorization token. Your authentication token request should look like the one shown in the image below. It should contain the following parameters.

  • client_id – pass your app or client id here.
  • scope – set this to https://graph.microsoft.com/.default, where https://graph.microsoft.com/ identifies the resource you are querying (the Graph API) and the /.default that follows tells Microsoft Entra ID to include in the access token all the app-level permissions the admin has consented to.
  • client_secret – you should pass in the client secret you generated in the app here.
  • grant_type – should be set to client_credentials; basically, you are requesting Microsoft Entra ID to grant an authorization token for your client credentials.

Demo of how the access token is returned as the response.
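The app-permission flow described above (the adminconsent URL, the redirect back to http://localhost:8000 carrying admin_consent=true, and the client_credentials token request with the /.default scope), as an added example that is not part of the original article. It assumes placeholder IDs, adds a state value to the consent URL, and uses the expires_in field of the token response to decide when to renew; the sample token response is constructed and no network call is made.

```python
# Added example (not from the original article). Builds the admin-consent
# URL, checks the redirect that comes back to the local server, prepares the
# client_credentials token request and tracks the token's expiry so the app
# renews before Graph starts rejecting it. All IDs are placeholders.
import time
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def build_admin_consent_url(tenant_id, client_id, redirect_uri, state):
    """Tenant-wide consent prompt for the app permissions registered on the app."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{tenant_id}/adminconsent?{urlencode(params)}"


def consent_granted(callback_url, expected_state):
    """True only when the admin approved (admin_consent=true) and state matches.

    A declined prompt comes back with an error parameter, and a redirect with
    the wrong state is ignored rather than treated as a successful grant."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return False
    if "error" in qs:
        return False
    return qs.get("admin_consent", [""])[0].lower() == "true"


def client_credentials_request(tenant_id, client_id, client_secret):
    """Endpoint and form body for the app-only token POST; scope is <resource>/.default."""
    return (f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
    })


def cache_token(token_response, now=None):
    """Turn expires_in (seconds, relative) into an absolute expiry, minus a margin."""
    now = time.time() if now is None else now
    return {"access_token": token_response["access_token"],
            "expires_at": now + int(token_response["expires_in"]) - 60}


def token_is_valid(cached, now=None):
    """Renew with client_credentials_request() once this turns False."""
    now = time.time() if now is None else now
    return now < cached["expires_at"]
```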

What’s Next?

Now that you know how tenant admins can consent to your app permissions and how your app can get the authorization token required to authorize itself, in the next article, let’s understand how your app can query Microsoft 365 tenant (via Microsoft Graph API) to get the data it requires.

© m365corner.com. All Rights Reserved. Design by HTML Codex