Add & Register application
Go to the Azure AD service -> App registrations -> New registration
- Name — Enter a meaningful application name
- Supported account types — Select which accounts you would like your application to support.
- Redirect URI (optional) — Select the type of app you’re building, Web or Public client (mobile & desktop), and then enter the redirect URI (or reply URL) for your application. The platform only redirects to URIs registered here, and the value your app later sends in its requests must match one of them exactly, so register only URIs you control.
Permissions and consent in the Microsoft identity platform endpoint
The Microsoft identity platform implements the OAuth 2.0 authorization protocol.
An API owner defines different types of permissions to provide fine-grained control over which of its data and which API functionality is exposed. A third-party app requests these permissions from users and administrators, who must approve the request before the app can access data or act on a user’s behalf.
In OAuth 2.0, these permissions are called scopes; the two terms are used interchangeably.
Permission types
- Delegated permissions are used by apps that have a signed-in user present. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
- Application permissions are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
Requesting individual user consent
In an OpenID Connect or OAuth 2.0 authorization request, an app requests the permissions it needs through the scope query parameter. For example, when a user signs in to an app, the app sends a request like the following:
// Line breaks are for legibility only.
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345
The scope parameter is a space-separated list of delegated permissions that the app is requesting (the separating space is percent-encoded as %20). In the example, the app asks for permission to read the signed-in user’s calendar and to send mail as that user. The state value is an opaque, unguessable value the app generates and keeps in the user’s session; the platform echoes it back on the redirect, and the app must reject any callback whose state does not match, since such a callback was not started by the app.
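The request above assembled in code, as an added example rather than code from the page: it generates the state value, joins the scopes with a single space and percent-encodes them as one scope parameter, and adds a PKCE code_challenge (S256), which the v2.0 endpoint supports and which public clients need because they cannot hold a client secret. The tenant, client_id and redirect_uri values are the page’s placeholders; PKCE and the helper names are additions not discussed on the page.

```python
import base64
import hashlib
import secrets
from typing import List, Optional
from urllib.parse import quote, urlencode

AUTHORITY = "https://login.microsoftonline.com"


def new_state() -> str:
    """Unguessable per-request state; keep it in the user's session and compare
    it against the value echoed back on the redirect."""
    return secrets.token_urlsafe(16)


def make_pkce() -> tuple:
    """Return (code_verifier, code_challenge) for PKCE with the S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed with code_verifier."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii") == challenge


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str, scopes: List[str],
                        state: str, code_challenge: Optional[str] = None) -> str:
    """Assemble the /authorize URL. `scopes` is a list of delegated permissions; it is
    joined with single spaces and sent as one percent-encoded `scope` parameter."""
    if not scopes:
        raise ValueError("at least one scope is required")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # must exactly match a URI on the app registration
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    # quote_via=quote encodes the separating space as %20, as in the request above
    # (urlencode's default quote_plus would emit '+', which the endpoint also accepts).
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    verifier, challenge = make_pkce()   # store verifier server-side until the code is redeemed
    print(build_authorize_url("common", "6731de76-14a6-49ae-97bc-6eba6914391e",
                              "http://localhost/myapp/",
                              ["https://graph.microsoft.com/calendars.read",
                               "https://graph.microsoft.com/mail.send"],
                              new_state(), challenge))
```

The code_verifier stays with the app until the authorization code is redeemed; the token endpoint recomputes the challenge from it, so a stolen code alone is useless to an attacker.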
Requesting consent for an entire tenant
An administrator can grant consent for the application to act on behalf of any user in the tenant. If the admin grants consent for the entire tenant, the organization’s users won’t see a consent page for the application.
To request consent for delegated permissions for all users in a tenant, your app can use the admin consent endpoint.
Admin-restricted permissions
Some high-privilege permissions in the Microsoft ecosystem are admin-restricted: only an administrator can consent to them, regardless of how the user consent settings are configured.
Examples:
- Read all users’ full profiles by using User.Read.All
- Write data to an organization’s directory by using Directory.ReadWrite.All
- Read all groups in an organization’s directory by using Group.Read.All
If your app requires access to admin-restricted scopes for organizations, you should request them directly from a company administrator, also by using the admin consent endpoint, described next.
If the application requests high-privilege delegated permissions and an administrator grants them via the admin consent endpoint, consent is granted for all users in the tenant.
Using the admin consent endpoint
When a Company Administrator uses your application and is directed to the authorize endpoint, Microsoft identity platform will detect the user’s role and ask them if they would like to consent on behalf of the entire tenant for the permissions you have requested. However, there is also a dedicated admin consent endpoint you can use if you would like to proactively request that an administrator grants permission on behalf of the entire tenant.
Request the permissions in the app registration portal
Applications are able to note which permissions they require (both delegated and application) in the app registration portal. This allows use of the /.default scope and the Azure portal's "Grant admin consent" option. In general, it's best practice to ensure that the permissions statically defined for a given application are a superset of the permissions that it will be requesting dynamically/incrementally.
To configure the list of statically requested permissions for an application
- Go to your application in the Azure portal — App registrations experience, or create an app if you haven’t already.
- Locate the API Permissions section, and within the API permissions click Add a permission.
- Select Microsoft Graph from the list of available APIs and then add the permissions that your app requires.
- Save the app registration.
Request the permissions from a directory admin
When you’re ready to request permissions from your organization’s admin, you can redirect the user to the Microsoft identity platform admin consent endpoint.
// Line breaks are for legibility only.
GET https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope=
https://graph.microsoft.com/calendars.read
https://graph.microsoft.com/mail.send
Successful response
If the admin approves the permissions for your app, the successful response looks like this:
If the admin approves the permissions for your app, the successful response is a redirect to your redirect_uri such as:
GET http://localhost/myapp/permissions?tenant=a8990e1f-ff32-408a-9f8e-78d3b9139b95&state=12345&admin_consent=True
Before acting on it, the app must check that state matches the value it sent. If the admin declines, the redirect carries error and error_description parameters instead of admin_consent=True.
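Handling that redirect, as an added example (not the page’s code): state is checked first, in constant time, so nothing else in the callback is trusted until it is known to answer a request this app made; an error response is surfaced rather than silently treated as consent; and the tenant is required to be a tenant id (GUID). The callback URL in the test is the page’s example; the function and exception names are assumptions.

```python
import hmac
import uuid
from urllib.parse import parse_qs, urlparse


class ConsentError(Exception):
    """Raised when the callback must not be trusted or consent was not granted."""


def _single(query: dict, name: str):
    """Return the parameter if it appears exactly once; duplicates are treated as absent."""
    values = query.get(name)
    return values[0] if values and len(values) == 1 else None


def parse_admin_consent_callback(callback_url: str, expected_state: str) -> dict:
    """Validate the redirect from /adminconsent. Order matters: state (the CSRF
    binding to our own request) is checked before any other field is read.
    Returns {'tenant': <tenant id>, 'admin_consent': True} on success."""
    query = parse_qs(urlparse(callback_url).query, keep_blank_values=True)

    state = _single(query, "state")
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ConsentError("state missing or mismatched; callback is not a response to our request")

    error = _single(query, "error")
    if error is not None:
        detail = _single(query, "error_description") or ""
        raise ConsentError(f"consent not granted: {error}: {detail}")

    if _single(query, "admin_consent") != "True":
        raise ConsentError("admin_consent flag absent or not True")

    tenant = _single(query, "tenant")
    try:
        tenant_id = str(uuid.UUID(tenant))
    except (TypeError, ValueError):
        raise ConsentError("tenant is not a tenant id (GUID)") from None

    return {"tenant": tenant_id, "admin_consent": True}


if __name__ == "__main__":
    # Constructed callback, copied from the successful response shown above.
    print(parse_admin_consent_callback(
        "http://localhost/myapp/permissions?tenant=a8990e1f-ff32-408a-9f8e-78d3b9139b95"
        "&state=12345&admin_consent=True", "12345"))
```

The returned tenant id is what the app should record as "consent granted for this tenant"; the expected_state passed in comes from the session that started the admin consent request, not from the callback itself.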
Using permissions
After the user (or an administrator) consents to permissions for your app, your app can redeem the authorization code at the token endpoint for access tokens that represent the permissions it was granted on a resource. The token endpoint expects a form-encoded body (application/x-www-form-urlencoded), not JSON, and the redirect_uri and scopes must match the ones used in the authorization request.
// Line breaks are for legibility only.
POST /common/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&client_secret=zc53fwe80980293klaj9823   // NOTE: only confidential (web) clients send a secret, and only from the server side; public clients (mobile & desktop) cannot keep one and use PKCE instead
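Two added examples in one block, not code from the page: the token requests for the two permission types (the authorization-code grant above for delegated permissions, and the client-credentials grant with the /.default scope from the "Request the permissions in the app registration portal" section for application permissions), and the check a resource API then performs on the token, where delegated permissions appear in the scp claim and application permissions in the roles claim. The claim sets are constructed samples, the function names are assumptions, and the check assumes the token's signature, issuer, audience and expiry were already validated by a JWT library (not shown).

```python
from typing import List, Optional
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}


def build_auth_code_request(tenant: str, client_id: str, code: str, redirect_uri: str,
                            scopes: List[str], client_secret: Optional[str] = None,
                            code_verifier: Optional[str] = None):
    """Authorization-code grant (delegated permissions; a user signed in).
    Returns (url, headers, form-encoded body). Confidential (web) clients send
    client_secret; public clients must not carry a secret and send the PKCE
    code_verifier instead. A request with neither is refused here."""
    if client_secret is None and code_verifier is None:
        raise ValueError("public clients need code_verifier (PKCE); confidential clients need client_secret")
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "scope": " ".join(scopes),       # same resource/scopes as on /authorize
        "code": code,
        "redirect_uri": redirect_uri,    # must match the one used on /authorize
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    if code_verifier is not None:
        form["code_verifier"] = code_verifier
    return TOKEN_ENDPOINT.format(tenant=tenant), FORM_HEADERS, urlencode(form)


def build_client_credentials_request(tenant: str, client_id: str, client_secret: str,
                                     resource: str = "https://graph.microsoft.com"):
    """Client-credentials grant (application permissions; no signed-in user).
    The scope is <resource>/.default: the app receives exactly the application
    permissions an admin consented to on the app registration. Must be sent to
    the customer's tenant, not /common."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource}/.default",
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), FORM_HEADERS, urlencode(form)


def check_permission(claims: dict, delegated: Optional[str] = None,
                     application: Optional[str] = None) -> str:
    """Resource-side check on already-validated claims. Delegated permissions
    arrive in 'scp' (space-separated string), application permissions in
    'roles' (list). Returns which kind satisfied the check; a delegated token
    never satisfies an application requirement and vice versa. Permission
    names are compared case-insensitively."""
    scp = {s.lower() for s in claims.get("scp", "").split()}
    roles = {r.lower() for r in claims.get("roles", [])}
    if delegated is not None and delegated.lower() in scp:
        return "delegated"
    if application is not None and application.lower() in roles:
        return "application"
    raise PermissionError(f"token lacks {delegated!r} in scp and {application!r} in roles")


# Constructed sample claim sets (not real tokens): what a resource API sees after
# validating a delegated token and an application token for Microsoft Graph.
DELEGATED_CLAIMS = {"aud": "https://graph.microsoft.com", "scp": "Calendars.Read Mail.Send",
                    "oid": "00000000-0000-0000-0000-000000000001"}
APPLICATION_CLAIMS = {"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]}


if __name__ == "__main__":
    print(check_permission(DELEGATED_CLAIMS, delegated="Calendars.Read"))
    print(check_permission(APPLICATION_CLAIMS, application="User.Read.All"))
```

An API that accepts either kind passes both names to check_permission and uses the returned kind to decide whose data is in scope: for "delegated" the oid/sub identify the user the app acts for, while for "application" there is no user and the app's own identity is what is authorized.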