I cannot use permissions of an application that the user installed for automated calls?

Louis TONNEVY 0 Reputation points
2023-03-11T09:31:40.1933333+00:00

Hi everyone!

So I'm having this issue where I'm creating a basic app to send Teams URLs to users.

Here's how it should work:

  1. Launching the app for the first time
  2. Checking if the user has ever signed in
  3. Asking them to sign in and link their account to the app via OAuth
  4. Giving them a URL
  5. Next time they want to create a meeting, we just use the fact that they have already consented to us creating a meeting on their behalf

Problem is, part 5 is not working yet. When trying to create the GraphServiceClient, all starts up nicely until the request, where I get a 403 Forbidden. Problem is, how can I be forbidden to do what the user already consented to? My current lead is that the scopes URL we use is the wrong one.

We currently use this one: "https://graph.microsoft.com/.default" because it's the only one not giving us the result that we didn't install the app for said user (we checked our Azure app database, the user is inside). So yeah, if you have any ideas, maybe the correct format for the URL that we need to use (it needs to end with /.default)?

Thanks in advance!


1 answer

  1. CarlZhao-MSFT 40,311 Reputation points
    2023-03-15T03:02:36.5+00:00

    Hi @Louis TONNEVY

    The /.default scope is a static consent that will contain all permissions that have been granted to the application in the tenant; it is usually used in daemons without user interaction. But it can't do dynamic consent: if you haven't granted the Calendars.ReadWrite permission to the app on behalf of the organization, then when you use /.default, that permission won't be present in the access token, which is what causes the 403.

    So if you're doing dynamic consent then you can change the scope to:

    scope="Calendars.ReadWrite offline_access"

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
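The answer's point is that the 403 comes from a permission that is absent from the access token itself. The following added example (not code from the asker or the answerer; their app uses the GraphServiceClient, presumably in C#) checks that locally before any Graph call: Microsoft identity platform access tokens list delegated permissions in the space-separated "scp" claim and application permissions in the "roles" claim. The tokens below are constructed, unsigned samples; the decoder does no signature verification and is a diagnostic only.

```python
import base64
import json

# The Graph call that creates a meeting needs this delegated permission.
REQUIRED_SCOPES = {"Calendars.ReadWrite"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: this
    only inspects a token the app already holds, it never trusts one."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> set:
    """Delegated permissions ("scp", space-separated) plus application
    permissions ("roles", a list) carried by the token."""
    scopes = set(claims.get("scp", "").split())
    scopes |= set(claims.get("roles", []))
    return scopes


def missing_scopes(jwt: str, required=REQUIRED_SCOPES) -> set:
    """Permissions the call needs but the token lacks. A non-empty result
    explains a 403 before the request is ever sent."""
    return set(required) - granted_scopes(token_claims(jwt))


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg 'none', empty signature) for offline use."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed: what /.default yields when only User.Read was consented.
    static_token = make_unsigned_token({"scp": "User.Read"})
    # Constructed: what dynamic consent with the answer's scope string yields.
    dynamic_token = make_unsigned_token({"scp": "Calendars.ReadWrite User.Read"})
    print("static  /.default token missing:", missing_scopes(static_token))
    print("dynamic consent token missing:  ", missing_scopes(dynamic_token))
```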