 

Alternative to Groups.ReadBasic.All - access Groups without Admin consent [closed]

I have an application that uses Azure AD to access Microsoft Graph without Admin Consent.

I would like to introduce the Office 365 Groups capabilities into my app to manage the visibility of my application objects. Basically, I need two things using delegated scopes without Admin Consent:

  • The user must be able to see basic information for groups in the tenant
  • Check whether or not the current user belongs to a given group

I see two approaches:

  1. Wait for Groups.ReadBasic.All

    Indeed, Groups.Read.All does require Admin Consent, so it is not possible to use it right now in our scenario. My question is then: is such a scope planned for Microsoft Graph?

  2. Limit the Group management feature to Admin only.

    I could limit the Group management capabilities to Administrators or wait for Admin Consent but the rest of the application must be still available for non-Admin Consent workflows. Is there a way to achieve this?

    The only way I see this is to have two distinct applications registered in Azure AD: myApp and myApp - Extended Permissions. However, I do not believe this is the right way to go to have two Azure AD apps for the same logical app.

Benoit Patra asked Apr 19 '16 13:04


1 Answer

#1 is on the cards, but I cannot give you a concrete ETA right now; I'm hoping it'll be available soon. That should give you what you are after.

On #2, this is possible, and it's a feature we call incremental or dynamic consent. It's only available through the new v2 authentication endpoint. As part of the authorize request you can specify the permission scopes you need; in subsequent requests you can ask for additional scopes. However, in your case, the additional scope you want is a scope that you want the admin to consent to on behalf of the organization. This isn't quite possible yet, but is also coming soon. It might be that #1 and #2 land around the same time ;)

We'll update this thread when #1 and #2 are available.

Dan Kershaw - MSFT answered Sep 28 '22 05:09
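The incremental-consent flow the answer describes, as an added example that is not part of the question or the answer: a small Python module that builds v2.0 authorize requests so that the ordinary sign-in only ever asks for scopes a user can consent to, a second request asks only for the scopes not yet granted, and admin-only scopes are routed to the tenant administrator's consent link instead of being mixed into a user sign-in (where the prompt fails for non-admins, which is what the question wants to avoid). The `ADMIN_ONLY_SCOPES` table, the client id, redirect URI and `Calendars.Read` scope are assumptions for illustration; `Group.Read.All` is Microsoft Graph's spelling of the scope the question calls `Groups.Read.All`. The `/oauth2/v2.0/authorize` and `/adminconsent` endpoints are the documented Microsoft identity platform v2.0 endpoints, not something the answer itself mentions.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints of the Microsoft identity platform v2.0 (the "new v2 endpoint" in the answer).
V2_AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
V2_ADMIN_CONSENT = "https://login.microsoftonline.com/{tenant}/adminconsent"

# Assumption for this example: the app's own table of delegated Graph scopes that
# need an administrator to consent for the whole organisation. The question names
# Group.Read.All (spelled "Groups.Read.All" there) as such a scope.
ADMIN_ONLY_SCOPES = frozenset({"Group.Read.All", "Group.ReadWrite.All"})

# Scopes every sign-in asks for. openid/profile/offline_access are OpenID Connect
# scopes, User.Read is the minimal Graph scope a user can consent to alone.
BASE_SCOPES = ("openid", "profile", "offline_access", "User.Read")


def split_scopes(scopes):
    """Partition scopes into (user-consentable, admin-only), preserving order."""
    user = [s for s in scopes if s not in ADMIN_ONLY_SCOPES]
    admin = [s for s in scopes if s in ADMIN_ONLY_SCOPES]
    return user, admin


def authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Build a v2.0 authorize request for exactly the given scopes.

    Refuses admin-only scopes: putting them in an ordinary user sign-in makes the
    consent prompt fail for non-admin users, so they go through admin_consent_url().
    """
    user, admin = split_scopes(scopes)
    if admin:
        raise ValueError(f"admin consent required for {admin}; use admin_consent_url()")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(user),   # v2.0 takes a space-separated scope list
        "state": state,            # opaque CSRF token the app validates on return
    }
    return V2_AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def incremental_url(tenant, client_id, redirect_uri, granted, wanted, state):
    """Second authorize request (dynamic consent) asking only for scopes not yet granted.

    Returns None when nothing new is needed, so the caller keeps using its token.
    """
    new = [s for s in wanted if s not in set(granted)]
    if not new:
        return None
    return authorize_url(tenant, client_id, redirect_uri, new, state)


def admin_consent_url(tenant, client_id, redirect_uri, state):
    """Link a tenant administrator opens to consent for the organisation.

    This is the separate admin workflow the question asks about: the rest of the
    app keeps working for users who only completed the ordinary sign-in.
    """
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return V2_ADMIN_CONSENT.format(tenant=tenant) + "?" + urlencode(params)


def scopes_in(url):
    """Inspection helper: the scope list carried by an authorize URL."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


if __name__ == "__main__":
    # Constructed sample values (not real identifiers).
    cid, cb = "00000000-0000-0000-0000-000000000000", "https://localhost/callback"
    first = authorize_url("common", cid, cb, BASE_SCOPES, "state-1")
    print("initial sign-in asks for:", scopes_in(first))
    later = incremental_url("common", cid, cb, BASE_SCOPES, ["User.Read", "Calendars.Read"], "state-2")
    print("incremental request asks for:", scopes_in(later))
    print("admin link:", admin_consent_url("contoso.onmicrosoft.com", cid, cb, "state-3"))
```

The `state` value should be generated per request and checked on the redirect; the split into `authorize_url` versus `admin_consent_url` is what keeps a single app registration while still separating the admin-only group features from the non-admin flow.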