AzureAD/azure-activedirectory-library-for-java

Confusion arises when using combined Graph and Office permissions to get an access token

ZhuXiaoBing-cn opened this issue · 2 comments

When I try to get an access token by using the combined Graph and Office permissions, I need to conduct administrator approval.
Here is my configuration on the portal,
image

I used Postman to get an access token, and the scope looks like this:
image

As you can see, I did not configure Calendar.Read in Microsoft Graph on the portal. Sending a request results in an interface like this.

image

But if my scope is only Microsoft Graph's Calendar.Read in Postman, it shows the following interface.
image

image

This is where I get confused.
Why is the administrator approval interface shown when Graph and Office are combined, but the consent interface displayed when Graph is used alone?
Is this the effect of unconfigured Calendars.Read under Microsoft Graph?
Can you give me some help?

@ZhuXiaoBing-cn If you add Calendars.Read on the Azure portal, you'll see that Admin Consent is not required, which is why you see the difference. See picture below.
GithubIssue

When you add activityfeed.Read and Calendars.Read, you'll need admin approval, because activityfeed.Read requires it. If you remove activityfeed.Read, you no longer need admin consent, and the user is able to consent via the UI that was shown.

By the way, ADAL has been deprecated, and we recommend that everyone uses MSAL, which has an improved API and support for more scenarios.

@sangonzal Thank you for your reply and suggestions. These are helpful to me.