{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 萌系小妹纸 的问题《How to get Microsoft Graph APIs group related perm》','https://www.manongdao.com/q-669342.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
We are working on an App to integrate with Microsoft graph API. Now I can sign in with Microsoft Graph API with user's grant accesses such as to read user's profile etc, for both a work account and personal account. We want to read user's group information if it's a Microsoft work account. From the doc, to read user's group info, we need the administrator's consent. But how do we get that? I searched around but failed to get the answer. Do we need to contact each tenant's administrator to get them authorize our app?
From this link group section, it seems we can't get the group permission when user signing in clicking accept button. May I ask how long it takes if you want to support that?
With the V2.0 endpoint, we can specify the permissions your app needs dynamically, at runtime, during regular usage of your app. To do so, we can specify the scopes your app needs at any given point in time by including them in the scope parameter of an authorization request:
And to give the consent for the scope which need admin, we need to ensure that the login-in account has the administrator privilege. More about the v2.0 endpoint you can refer to here.
Fei's answer is technically correct. I suspect however that the confusion here has more to do with the meaning of "administrator's consent" than how to request those scopes.
When we talk about "administrator's consent" we are really saying that those scopes can only be used when the user login in as administrative privileges. It does not mean that an Administrator needs to give consent to a User before they can be enabled.
Before your application can use admin-restricted scopes, you need the administrator to consent. Once an administrator of a tenant has consented, you will be able to successfully request those scopes for users in that tenant. For more information, see this topic on admin-restricted scopes and how to send a request for admin consent: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#admin-restricted-scopes. Yes, you'll need the admin of each tenant using your app to do this.