How do I limit access to API endpoints if a logged in user does not have an admin role

Nicolas Ranz 0 Reputation points
2024-09-19T19:43:47.25+00:00

I'm creating an employee management application and I registered my app and have given the application delegated API access to Microsoft Graph Directory.AccessAsUser.All. I would like to restrict access to this API endpoint if the logged-in user does not have admin permissions.

I don't think this matters, but just in case: it's an Angular application, and I have used MSAL for authentication of users.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

2 answers

  1. Rohit Raghuwanshi - MSFT 625 Reputation points Microsoft External Staff
    2024-09-20T07:21:06.9433333+00:00

    Hi Nicolas Ranz,

    Thank you for reaching out, Microsoft!

    Delegated permissions in Microsoft Graph allow the application to act on behalf of the signed-in user, and the user must have the necessary permissions to access the resources. If the user does not have admin permissions, they won't be able to access the Directory.AccessAsUser.All endpoint. You can rely on the built-in permission model to restrict access. However, if you want to add an extra layer of validation within your application, you can still check the user's roles using the Microsoft Graph API /memberOf endpoint to get the groups and directory roles the user is a member of.

    Please refer to the screenshots below, where one user is an admin and is able to access directoryObject, and the other user, who is not an admin, is not able to consent to **Directory.AccessAsUser.All** as it requires admin consent.

    [Screenshot: admin user accessing directoryObject]

    [Screenshot: non-admin user unable to consent to Directory.AccessAsUser.All]

    For more details on permissions, please refer to the docs below:

    https://learn.microsoft.com/en-us/graph/permissions-reference#directoryaccessasuserall
    https://learn.microsoft.com/en-us/graph/auth/auth-concepts#delegated-access-access-on-behalf-of-a-user
    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. Vasil Michev 123.5K Reputation points MVP Volunteer Moderator
    2024-09-20T09:01:01.01+00:00

    The only way to do that would be to decode the token and check for the assigned admin roles therein (wids claim). Alternatively, your application will need sufficient permissions to read directory role assignments.

    Keep in mind that the Directory.AccessAsUser.All permission is a highly privileged one and not many organizations would agree to grant it.

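Vasil's suggestion of decoding the token and checking the wids claim, as an added example (not code from the thread, from MSAL or from Microsoft). It assumes the well-known Global Administrator role template ID and uses a constructed, unsigned sample token builder; the check is a UI gate only, since Microsoft Graph enforces the delegated permission server-side regardless of what the client decides.

```javascript
// Added example (not from the thread): gate admin-only UI in an MSAL Angular app
// by reading the wids claim (directory role template IDs) from the ID token.
// UX check only: Microsoft Graph still enforces the delegated permission.

// Well-known role template ID for Global Administrator (verify against the
// Entra built-in roles reference before relying on it).
const GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10";

// base64url -> UTF-8 string; works in browsers and Node 16+ (atob, TextDecoder).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// Returns the JWT payload as an object, or null for anything malformed.
// The signature is not verified: fine for a UI gate, since MSAL obtained the
// token from Entra ID, but never for authorization decisions on a server.
function decodeJwtPayload(token) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null; // header.payload.signature
  try {
    const claims = JSON.parse(base64UrlDecode(parts[1]));
    return claims && typeof claims === "object" ? claims : null;
  } catch {
    return null;
  }
}

// True if the claims carry at least one of the given admin role template IDs.
// wids is simply absent when the user holds no directory roles.
function claimsHaveAdminRole(claims, adminRoleIds = [GLOBAL_ADMIN_ROLE_TEMPLATE_ID]) {
  if (!claims || !Array.isArray(claims.wids)) return false;
  const wanted = new Set(adminRoleIds.map((id) => String(id).toLowerCase()));
  return claims.wids.some((id) => wanted.has(String(id).toLowerCase()));
}

// Same check on a raw ID token string.
function userHasAdminRole(token, adminRoleIds) {
  return claimsHaveAdminRole(decodeJwtPayload(token), adminRoleIds);
}

// Builds a constructed, unsigned sample token for local testing only.
function makeSampleToken(payload) {
  const enc = (obj) =>
    btoa(String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj))))
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}
```

In the Angular app, MSAL already exposes the decoded claims on the active account's idTokenClaims object, so you can pass those straight to claimsHaveAdminRole (for example from a route guard) instead of decoding the raw token yourself.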
