Can M365 Group provide admin consent for external application permissions to make Graph API calls?

Victor-4714 0 Reputation points
2023-03-17T05:13:14.2266667+00:00

Hi,

I face the following issue when an external vendor is requesting Global Admin to accept admin consent tenant-wide for application to pull data via Graph API for only <10 users. Can I instead use an M365 Group Admin to provide the admin consent?

Conditions:

  • These permissions must still work: Chat.Read.All, Group.Read.All, User.Read.All, Team.ReadBasic.All, ChannelMessage.Read.All, OnlineMeetings.Read.All
  • M365 Group Admin must be able to grant Admin Consent based on Microsoft's Identity Platform for Graph API access
  • I intend to get the vendor to send my M365 Global admin the link below: https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}
  • I want to avoid Global Admin consent for such a small subset of my users
  • I don't think this is for Enterprise Apps

If not, is there any way I can allow this application to pull data for a specific subset of users without requiring a redesign of the vendor's application (i.e. a loop to pull data for those users individually)?

Any help is much appreciated.

CarlZhao-MSFT 36,896 Reputation points
2023-03-17T09:55:42.8+00:00

Hi @Victor Chin

1. You must make sure that the external application is a multi-tenant application.

2. Group admins can't grant admin consent; only global admins can grant admin consent on behalf of the organization.

After you grant admin consent, the multi-tenant app will join your tenant as an enterprise app with all the permissions you consented to for the app.

https://login.microsoftonline.com/{id of the target tenant}/adminconsent?client_id={client id}


Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
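The consent flow the answer describes, as an added example that is not part of the original question or answer: it builds the same tenant-scoped adminconsent URL (adding the `redirect_uri` and `state` parameters the endpoint accepts), checks the redirect the endpoint sends back, and then audits which application permissions the resulting enterprise app actually holds against the list the vendor asked for. The Graph responses (the Microsoft Graph service principal's `appRoles` and the vendor app's `appRoleAssignments`) are constructed sample JSON with placeholder GUIDs, and the vendor's client ID, redirect URI and tenant name are assumed values.

```python
"""Added example, not code from the original question or answer.

Two checks a tenant admin would want around the admin-consent flow:
  1. build the tenant-scoped admin-consent URL with a redirect_uri and a
     random state, then validate the redirect the endpoint sends back;
  2. after consent, resolve the vendor enterprise app's appRoleAssignments
     against the Microsoft Graph service principal's appRoles and compare
     the granted set with the permissions the vendor listed.

Graph responses are replaced by constructed sample JSON so this runs
offline; the GUIDs below are placeholders, not real app-role IDs.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Microsoft Graph resource appId (real, well-known value).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Application permissions the vendor listed in the question.
REQUESTED = {
    "Chat.Read.All", "Group.Read.All", "User.Read.All",
    "Team.ReadBasic.All", "ChannelMessage.Read.All", "OnlineMeetings.Read.All",
}


def build_admin_consent_url(tenant, client_id, redirect_uri, state):
    """Tenant-scoped admin-consent URL; tenant is a tenant ID or verified domain."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"


def check_consent_redirect(redirect_url, expected_state, expected_tenant):
    """Return (ok, detail) for the URL the consent endpoint redirects back to.

    Success carries admin_consent=True&tenant=...&state=...; a refusal
    carries error=... and error_description=... instead.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if q.get("state") != expected_state:
        return False, "state mismatch (possible forged callback)"
    if "error" in q:
        return False, f"{q['error']}: {q.get('error_description', '')}"
    if q.get("admin_consent", "").lower() != "true":
        return False, "admin_consent flag missing"
    if q.get("tenant") != expected_tenant:
        return False, f"consent recorded in unexpected tenant {q.get('tenant')}"
    return True, "consent granted"


def granted_app_permissions(graph_sp, assignments):
    """Map the vendor SP's appRoleAssignments (appRoleId) to permission names.

    graph_sp is the Microsoft Graph service principal object (its appRoles
    list gives id -> value); assignments is the vendor service principal's
    appRoleAssignments array. Only assignments against Graph are counted.
    """
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    return {
        role_names.get(a["appRoleId"], f"unknown:{a['appRoleId']}")
        for a in assignments
        if a["resourceId"] == graph_sp["id"]
    }


def audit_permissions(granted, requested=REQUESTED):
    """Return (missing, unexpected): requested but not granted, and granted
    beyond what the vendor asked for."""
    return requested - granted, granted - requested


# --- constructed sample data (placeholder GUIDs, not real app-role IDs) ---
SAMPLE_GRAPH_SP = {
    "id": "11111111-1111-1111-1111-111111111111",
    "appId": GRAPH_APP_ID,
    "appRoles": [
        {"id": "aaaa0001-0000-0000-0000-000000000001", "value": "Chat.Read.All"},
        {"id": "aaaa0001-0000-0000-0000-000000000002", "value": "Group.Read.All"},
        {"id": "aaaa0001-0000-0000-0000-000000000003", "value": "User.Read.All"},
        {"id": "aaaa0001-0000-0000-0000-000000000004", "value": "Team.ReadBasic.All"},
        {"id": "aaaa0001-0000-0000-0000-000000000005", "value": "ChannelMessage.Read.All"},
        {"id": "aaaa0001-0000-0000-0000-000000000006", "value": "OnlineMeetings.Read.All"},
        {"id": "aaaa0001-0000-0000-0000-000000000007", "value": "Mail.ReadWrite"},
    ],
}
# Constructed: the vendor app ended up with everything it listed plus Mail.ReadWrite.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": f"aaaa0001-0000-0000-0000-00000000000{n}",
     "resourceId": SAMPLE_GRAPH_SP["id"]}
    for n in range(1, 8)
]


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    # Assumed tenant name, client ID and redirect URI.
    url = build_admin_consent_url("contoso.onmicrosoft.com",
                                  "22222222-2222-2222-2222-222222222222",
                                  "https://vendor.example/consent", state)
    print("send to the Global Admin:", url)
    callback = f"https://vendor.example/consent?admin_consent=True&tenant=contoso.onmicrosoft.com&state={state}"
    print(check_consent_redirect(callback, state, "contoso.onmicrosoft.com"))
    missing, unexpected = audit_permissions(granted_app_permissions(SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS))
    print("missing:", sorted(missing), "unexpected:", sorted(unexpected))
```

Against a live tenant the two constructed objects come from `GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'` and `GET /servicePrincipals/{id}/appRoleAssignments` for the vendor's service principal. The `unexpected` set is the one to act on before the app is allowed to run: application permissions such as Chat.Read.All apply to every user in the tenant once consented, however few users the vendor intends to read.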