Microsoft Graph API Work Accounts authorize with Note.Read scope need admin approval
I am trying to use Microsoft Graph API V2.0 to access user's OneNote Notebooks.
I am trying to authorize via OAuth using the follow link sample:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
response_type=code
&client_id={id}
&redirect_uri={url}
&scope=Notes.Read%20offline_access
&state={state}
When I login with a work account I get a message saying that:
{app_name} needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
And:
Message: AADSTS90094: The grant requires admin permission.
Using an admin account I have no problems.
From Notes permissions, none of Note scopes (i.e. Notes.Read, Notes.ReadWrite, Notes.Create or Notes.ReadWriteAll) require Admin Consent.
Is there any reason for this to request admin permissions?
This occurs when the Azure AD instance/tenant has disabled "Users can consent to apps accessing company data on their behalf". This is a global User Setting in Azure AD:
When this option is set to No, user's will be blocked from executing the User Consent flow:
To get around this, an Admin will either need to consent on the User's behalf or they need to re-enable the User Consent option (this is the recommended solution, there are few rational reasons to entirely turn off User Consent).
- Create Azure Key Vault backed secret scope in Databricks with AAD Token
- C# Graph api SDK V5 - Add User to multiple Groups
- Microsoft Azure doesn't return email via Oauth2 flow
- Sign in to Azure Account from VS Code
- Any luck in using AddMicrosoftIdentityWebApp in combination with IdentityServer4?
- Dotnet-Isolated Azure Functions - how to access HttpContext
- vscode-remote-ssh does not work with SSH using Azure AD authentication
- Implementing SSO for Azure AD B2C
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- "error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
- Azure AD client credentials generated token does not have claims (EDITED)
- Calling an ASP.NET Core Web API integrated to EntraId app from another .NET Core console app integrated to EntraId app fails
- Correlation failed in net.core / asp.net identity / openid connect
- Generating token for Fabric Rest api using client secret
- Permission based access control using Entra ID with ASP.NET core
- How do I display Job Title in my Next Auth app
- EntraId Authentication / Authorization via .NET & React
- Azure Function app down due to wrong routing template in http trigger binding of a functions
- How can I force trigger MFA, when logging into Azure?
- Azured AD JWT authentication doesn't work for Web API hosted in docker using TestContainer
- azp Claim Missing from Azure AD JWT
- Retrieve all Users from all Groups?
- Cannot get AAD auth token in Logic Apps
- Attempting to set DisableCustomAppAuthentication to false for Azure not working from Powershell
- Using Azure Entra Id I cant see `Office 365 Exchange Online` under `APIs my organization uses`
- New tenant b2clogin URL returns error with "removed or changed"
- Azure Entra ID tokens endpoint issues an expired token
- Azure AD B2C password expiration
- Trouble when creating PowerBI report via JavaScript Client Library
- Azure Active Directory Enterprise App OpenID and User Provisioning (SCIM)