Can M365 Group provide admin consent for external application permissions to make Graph API calls?

Victor-4714 0 Reputation points
2023-03-17T05:13:14.2266667+00:00

Hi,

I face the following issue when an external vendor is requesting a Global Admin to accept admin consent tenant-wide for an application to pull data via Graph API for only <10 users. Can I instead use an M365 Group Admin to provide the admin consent?

Conditions:

  • These permissions must still work: chat.read.all, group.read.all, user.read.all, team.readbasic.all, channelmessage.read.all, onlinemeetings.read.all
  • M365 Group Admin must be able to grant Admin Consent based on Microsoft's Identity Platform for Graph API access
  • I intend to get the vendor to send my M365 Global admin the link below: https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}
  • I want to avoid Global Admin consent for such a small subset of my users
  • I don't think this is for Enterprise Apps

If not, is there any way I can allow this application to pull data for a specific subset of users without requiring a redesign of the vendor's application (i.e. a loop to pull data for those users individually)?

Any help is much appreciated.


1 answer

  1. CarlZhao-MSFT 43,011 Reputation points
    2023-03-17T09:55:42.8+00:00

    Hi @Victor Chin

    1. You must make sure that the external application is a multi-tenant application.

    2. Group admins can't grant admin consent, only global admins can grant admin consent on behalf of the organization.

    After you grant admin consent, the multi-tenant app will join your tenant as an enterprise app with all the permissions you consented for the app.

    https://login.microsoftonline.com/{id of the target tenant}/adminconsent?client_id={client id}


    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
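An added example, not part of the question or the answer above: once a Global Admin has consented, the vendor's enterprise app holds appRoleAssignments against the Microsoft Graph resource service principal, and those are the record of what was actually granted. This Python check resolves the assignments to permission names and diffs them against the six permissions the vendor listed; it runs offline on constructed payloads with placeholder GUIDs, and the two Graph endpoints named in the comments are where the real payloads would come from.

```python
# Permissions the vendor asked for (the six in the question), in Graph's casing.
EXPECTED = {
    "Chat.Read.All", "Group.Read.All", "User.Read.All",
    "Team.ReadBasic.All", "ChannelMessage.Read.All", "OnlineMeetings.Read.All",
}

# Well-known appId of the Microsoft Graph resource service principal.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def resolve_app_roles(assignments, graph_sp):
    """Map appRoleId GUIDs on the vendor SP's appRoleAssignments to permission
    names, using the appRoles published by the Microsoft Graph resource SP."""
    names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    granted = set()
    for a in assignments["value"]:
        if a["resourceId"] != graph_sp["id"]:
            continue  # assignment targets some other resource API; ignore here
        granted.add(names.get(a["appRoleId"], "unknown:" + a["appRoleId"]))
    return granted


def audit_consent(assignments, graph_sp, expected=EXPECTED):
    """Compare consented Graph application permissions with the vendor's list."""
    granted = resolve_app_roles(assignments, graph_sp)
    return {"granted": sorted(granted),
            "unexpected": sorted(granted - expected),
            "missing": sorted(expected - granted)}


# Constructed sample payloads with placeholder GUIDs (not real Graph role ids).
# In a tenant, the same shapes come from (token needs directory read rights):
#   GET /v1.0/servicePrincipals?$filter=appId eq '{MS_GRAPH_APP_ID}'  -> GRAPH_SP
#   GET /v1.0/servicePrincipals/{vendor-sp-id}/appRoleAssignments     -> ASSIGNMENTS
_ROLES = ["Chat.Read.All", "Group.Read.All", "User.Read.All", "Team.ReadBasic.All",
          "ChannelMessage.Read.All", "OnlineMeetings.Read.All", "Mail.Read"]
GRAPH_SP = {
    "id": "aaaaaaaa-0000-0000-0000-000000000001", "appId": MS_GRAPH_APP_ID,
    "appRoles": [{"id": f"11111111-0000-0000-0000-{i:012d}", "value": v}
                 for i, v in enumerate(_ROLES, 1)],
}
# Sample consent: one listed permission missing, one extra (Mail.Read) granted,
# plus an assignment against an unrelated resource that the audit skips.
ASSIGNMENTS = {"value": [
    {"resourceId": GRAPH_SP["id"], "appRoleId": r["id"]}
    for r in GRAPH_SP["appRoles"] if r["value"] != "OnlineMeetings.Read.All"
] + [{"resourceId": "bbbbbbbb-0000-0000-0000-000000000002",
      "appRoleId": "22222222-0000-0000-0000-000000000001"}]}

if __name__ == "__main__":
    print(audit_consent(ASSIGNMENTS, GRAPH_SP))
```

Anything in `unexpected` is a permission the tenant now holds for the app that the vendor never justified, which is exactly what tenant-wide consent makes hard to notice.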

