Application using Read vs ReadWrite OAuth application scopes: why does ReadWrite require admin approval and Read doesn't?

hellogr 1 Reputation point
2020-04-30T23:40:50.103+00:00

My 3rd-party application (I am an ISV) uses Read vs ReadWrite scopes (delegated). Why does ReadWrite require admin approval and Read doesn't?

My application uses OAuth to authenticate and grant Microsoft Calendar permissions to my application for both consumer and enterprise users/tenants.

When I use the Calendars.ReadWrite, consumer users are automatically prompted to grant access (user consent), but enterprise users are shown "Need Admin Approval" when trying to connect. Similar to this: https://i.stack.imgur.com/FZbrH.png

When I only use "Calendars.Read" scope permissions on the app both consumer and enterprise users are prompted to grant access (the desired state).

I realize Read vs ReadWrite are different permissions, but where in the documentation does it say that ReadWrite requires admins to "approve" the app, whereas Read only does not require such approval?

According to this, no admin consent is required?
https://www.screencast.com/t/okUuEzJD

Please advise. Thank you.

Azure Active Directory

2 answers

  1. Ryan Hill 16,076 Reputation points Microsoft Employee
    2020-05-01T04:54:58.867+00:00

    You have an "Allow user consent for enterprise applications" setting under your tenant. You'll get the Admin Approval message when it's set to 'No'.



  2. Anuj Rana 206 Reputation points
    2020-05-27T06:22:30.003+00:00

    Hi,

    I am curious about the following statement: "When I use the Calendars.ReadWrite, consumer users are automatically prompted to grant access (user consent), but enterprise users are shown "Need Admin Approval" when trying to connect."

    Do you mean B2B (guest) users are able to provide consent for Calendars.ReadWrite while member users of that AAD require admin consent? If this is true, did you review the recent preview for consent and permissions? You can now control which permissions are forced to admin consent while allowing low-impact permissions with user consent.


    Let me know if this helps !

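A worked tenant-side check that ties both answers together, added here as an example and not part of either answer or of any Microsoft sample: the first answer points at the tenant's "Allow user consent" setting, the second at the permission-classification preview, and together they explain a tenant where users may consent to `Calendars.Read` but `Calendars.ReadWrite` shows "Need admin approval". The script reads the assigned permission grant policy from the authorization policy, lists which delegated permissions are classified "low", and reports what each scope would require. It assumes the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Invoke-MgGraphRequest`) and that the scopes are Microsoft Graph scopes (app ID `00000003-0000-0000-c000-000000000000`); the decision logic at the end is my summary of the three built-in settings, not an official API, and the optional classification step is one assumption about how an admin might address it.

```powershell
# Added example, not code from the thread. Diagnoses why a delegated scope such as
# Calendars.ReadWrite needs admin approval while Calendars.Read does not.
# Assumes the Microsoft Graph PowerShell SDK; reading policies needs Policy.Read.All,
# the optional classification step needs Policy.ReadWrite.PermissionGrant and a
# suitably privileged admin. The ISV cannot change any of this from the app side.

Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.PermissionGrant"

# 1. Tenant user-consent setting ("Allow user consent for enterprise applications").
#    ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> users may consent to any permission
#    ManagePermissionGrantsForSelf.microsoft-user-default-low    -> users may consent only to permissions classified "low"
#    (nothing assigned)                                          -> every app needs admin approval
$authz    = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"
$assigned = @($authz.defaultUserRolePermissions.permissionGrantPoliciesAssigned)
"Assigned user-consent policies: $($assigned -join ', ')"

# 2. Delegated permission classifications on the Microsoft Graph service principal.
$spUri   = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '00000003-0000-0000-c000-000000000000'"
$graphSp = (Invoke-MgGraphRequest -Method GET -Uri $spUri).value[0]
$classUri   = "https://graph.microsoft.com/v1.0/servicePrincipals/$($graphSp.id)/delegatedPermissionClassifications"
$classified = @((Invoke-MgGraphRequest -Method GET -Uri $classUri).value)
$lowScopes  = @($classified | Where-Object { $_.classification -eq 'low' } | ForEach-Object { $_.permissionName })
"Scopes classified low: $($lowScopes -join ', ')"

# 3. What each scope from the question would require in this tenant (my summary of the
#    three built-in settings above, not an official evaluation API).
foreach ($scope in "Calendars.Read","Calendars.ReadWrite") {
    if ($assigned -contains "ManagePermissionGrantsForSelf.microsoft-user-default-legacy") {
        "$scope : user consent allowed (legacy policy, any permission)"
    }
    elseif ($assigned -contains "ManagePermissionGrantsForSelf.microsoft-user-default-low" -and $lowScopes -contains $scope) {
        "$scope : user consent allowed (classified low)"
    }
    else {
        "$scope : admin approval required"
    }
}

# 4. Optional, admin decision only: classify Calendars.Read as low so users may consent to it
#    when the "low" policy is assigned. Left disabled; flip the switch deliberately.
$classifyCalendarsReadAsLow = $false
if ($classifyCalendarsReadAsLow) {
    $perm = $graphSp.oauth2PermissionScopes | Where-Object { $_.value -eq 'Calendars.Read' }
    $body = @{
        permissionId   = $perm.id
        permissionName = $perm.value
        classification = "low"
    }
    Invoke-MgGraphRequest -Method POST -Uri $classUri -Body $body -ContentType "application/json"
}
```

Run it as a tenant admin in the enterprise tenant that shows the "Need admin approval" dialog; consumer (Microsoft account) users are not subject to a tenant policy, which is why they never see it. Widening user consent to write scopes is the admin's call, so as the ISV the practical options are to request the narrowest scope that works or to ask the customer's admin to consent for the organisation.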