How does an admin grant access to an app?

2019-08-06 04:48发布

I have made a web app that using Microsoft Graph and the scopes profile, openid, email and User.Read. This works fine.

I now want to include offline_access, User.Read, Mail.Send, Calendars.ReadWrite, Directory.ReadWrite.All, Directory.AccessAsUser.All, User.Read.All, Files.ReadWrite.All, Files.Read, Files.ReadWrite, and Sites.Read.All scopes.

When trying to login I get the message:

You can't access this application.

Tutorial Sample App needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

I registered the app at https://apps.dev.microsoft.com/ and have these Graph Permissions set:

enter image description here

Using PHP, I use the following

use Microsoft\Graph\Graph;
use Microsoft\Graph\Model;
const CLIENT_ID          = 'xxx';
const CLIENT_SECRET      = 'xxx';
const REDIRECT_URI       = 'xxxx';
const AUTHORITY_URL      = 'https://login.microsoftonline.com/common';
const AUTHORIZE_ENDPOINT = '/oauth2/v2.0/authorize';
const TOKEN_ENDPOINT     = '/oauth2/v2.0/token';
const SCOPES             = 'profile openid email offline_access User.Read Mail.Send Calendars.ReadWrite Directory.ReadWrite.All Directory.AccessAsUser.All User.Read.All Files.ReadWrite.All Files.Read Files.ReadWrite Sites.Read.All';

and to create the authorisationUrl

$authorizationUrl = $provider->getAuthorizationUrl();

So, how can I get admin to grant access?

1条回答
淡お忘
2楼-- · 2019-08-06 04:54

In order to obtain Admin Consent, you need to have an Admin for the tenant authenticate against the /adminconsent. The prototype for this URL is (line-break for readability only):

https://login.microsoftonline.com/common/adminconsent?
client_id=[APPLICATION ID]&redirect_uri=[REDIRECT URI]

I've written a blog post on this that will help walk you through how this works: v2 Endpoint and Admin Consent.

查看更多
登录 后发表回答