API permission not being activated by consent

Linden ROTH 96 Reputation points
2021-05-26T08:46:43.74+00:00

We are using AD to allow end users to log in to a 3rd party application.

We are using User Schema Extension fields to hold 3rd party data.

Major issue
I cannot update any of the extension fields despite having User.ReadWrite (and other permissions) set and consented to UNLESS I use a User Administrator account.
A regular user reports Forbidden - it would appear I'm missing something.

Minor issue
Is there a way to limit a normal user's update to a single field of the Schema Extension?

I have supplied some screenshots to azfretrl@microsoft.com

LINDEN

Microsoft Entra ID

Accepted answer
  1. Linden ROTH 96 Reputation points
    2021-06-24T07:23:23.187+00:00

    RESOLVED - the solution is to use an application token rather than the user-level token

    POST https://login.microsoftonline.com/401e70.....d0/oauth2/v2.0/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    client_id=ce...b
    &scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
    &client_secret=K1e....u
    &grant_type=client_credentials

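The accepted answer's client-credentials request, carried through to the PATCH that actually writes the schema extension on a user, as an added example (not the poster's code and not from Microsoft). Tenant, client id, extension id `ext12345678_thirdParty` and the field name `preferredHandle` are placeholders; the "one field only" allow-list is an assumption about how the asker's app would enforce the minor issue, since Graph has no per-field permission on a schema extension and, with an app-only token, the application is the only caller the directory sees:

```python
"""Client-credentials (app-only) token plus schema-extension PATCH against Microsoft Graph.

Added example, not the poster's code. Tenant, client id, extension id and field
names are placeholders; replace them with your own values.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Assumption: the schema extension id and the single field end users may change.
EXTENSION_ID = "ext12345678_thirdParty"
USER_WRITABLE_FIELDS = {"preferredHandle"}


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form body) for the client_credentials grant.

    The scope must be '<resource>/.default': the app receives every *application*
    permission an admin has consented to, and no signed-in user is involved.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": "https://graph.microsoft.com/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return url, body


def build_extension_patch(extension_id: str, fields: dict, allowed=None) -> dict:
    """Build the PATCH body {extensionId: {field: value, ...}}.

    When `allowed` is given, refuse any field outside it. Graph cannot restrict a
    caller to one field of an extension, so the app holding the credentials is
    where that policy has to live.
    """
    if allowed is not None:
        extra = set(fields) - set(allowed)
        if extra:
            raise ValueError(f"field(s) not permitted for this caller: {sorted(extra)}")
    return {extension_id: dict(fields)}


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """POST the client_credentials grant and return the access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def patch_user_extension(token: str, user_id: str, extension_id: str,
                         fields: dict, allowed=None) -> int:
    """PATCH /users/{id}; returns the HTTP status (204 on success).

    A 403 here is what the thread describes: the token lacks the permission to
    write the extension, e.g. a delegated token for an ordinary user.
    """
    payload = json.dumps(build_extension_patch(extension_id, fields, allowed)).encode()
    req = urllib.request.Request(
        f"{GRAPH}/users/{urllib.parse.quote(user_id)}", data=payload, method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    env = {k: os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "USER_ID")}
    change = {"preferredHandle": "lroth"}
    if not all(env.values()):
        # Offline: show the requests that would be sent.
        url, body = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
        print("POST", url, "\n", body)
        print(json.dumps(build_extension_patch(EXTENSION_ID, change, USER_WRITABLE_FIELDS)))
    else:
        tok = request_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
        print(patch_user_extension(tok, env["USER_ID"], EXTENSION_ID, change, USER_WRITABLE_FIELDS))
```

The app-only token only works if the application permission that covers the write (User.ReadWrite.All for user properties) has been admin-consented on the app registration; with only delegated permissions consented, `.default` yields a token that still gets 403. Because this token is not tied to the signed-in user, keep the client secret server-side and do the allow-list check before every PATCH: the directory will no longer distinguish which end user asked for the change.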

1 additional answer

  1. James Hamil 24,311 Reputation points Microsoft Employee
    2021-06-07T22:27:58.813+00:00

    Hi @Linden ROTH ,

    "I cannot update any of the extension fields"

    You should use these 2 permissions - Application.ReadWrite.All, Directory.AccessAsUser.All, to be able to update User Schema Extension fields. Currently you are only using User.ReadWrite. Reference: Permissions for User Schema Extensions.

    "is there a way to limit normal user update to a single field of the Schema Extension"

    For delegated flows, the signed-in user can update a schema extension as long as the owner property of the extension is set to the appId of an application the signed-in user owns. That application can be the one that initially created the extension, or some other application owned by the signed-in user - Update Schema Extension. Users with the required permissions can change the fields in schema extensions. Reference: schema extension service limit restriction.

    Please let me know if you have any questions!

    If this answer helped you please mark it as "Verified" so other users may reference it.

    Thank you,
    James
