In the Microsoft Graph API, can an app with admin consent generate a token for a different user than the admin that approved it?

I have a multi-tenant app registered in Microsoft Active Directory that uses admin consent to gain access to some application scope APIs in the Microsoft Graph API. It uses the /token endpoint to get a token, then calls those Graph APIs. It's working perfectly. https://docs.microsoft.com/en-us/graph/auth-v2-service#token-request

Now I want to enhance my app to access some delegated (user) scope APIs, that do not allow access at application scope. My app is already configured to request these delegated permissions from the admin at admin consent time. But I'd like to call these APIs as each user in the directory, not the admin who installed my app.

Importantly, it is not feasible for me to have every user in the organization individually go through the OAuth flow for my app.

Is that possible? Can I impersonate a user somehow by exchanging my application token for a user token? Can the admin do something programmatically to generate tokens as individual users for my app as if they had been put through an OAuth flow?

Rich Sutton asked Jan 11 '20 00:01
1 Answer

No, you cannot convert an Application token to a Delegated token. The only way to act as a specific User is for that User to "delegate" those activities to your application.

Note that Admin Consent only provides consent to your App to operate within a tenant. It is distinct from, not a superset of, User Consent. In order to obtain a Delegated token, you need to receive both User and Admin consent.

Marc LaFleur answered Sep 18 '22 21:09
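As an added illustration (not part of the question or answer above): the distinction the answer draws is visible in the token itself. An app-only token from the client credentials flow carries application permissions in a `roles` claim and has no `scp` claim, while a delegated token carries the user's consented scopes in `scp`. The Python below, using constructed unsigned sample tokens, classifies a token by those claims and shows the check a resource API would apply to refuse a delegated-scope operation attempted with an app-only token.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.
    Inspection only: a resource API must validate signature, issuer,
    audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def token_kind(token: str) -> str:
    """App-only tokens (client credentials flow) carry application
    permissions in 'roles' and have no 'scp'; delegated tokens carry the
    user's consented scopes in 'scp'."""
    claims = decode_claims(token)
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"

def check_delegated(token: str, required_scope: str) -> tuple:
    """Gate for a delegated-only operation: reject app-only tokens outright,
    then require the specific scope to be present in 'scp'."""
    claims = decode_claims(token)
    if "scp" not in claims:
        return False, "app-only token cannot satisfy a delegated-scope call"
    if required_scope not in claims["scp"].split():
        return False, f"missing delegated scope {required_scope}"
    return True, "ok"

def _sample_jwt(payload: dict) -> str:
    # Constructed sample with an empty signature segment; offline illustration only.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed samples mirroring the two token shapes discussed above.
APP_ONLY_TOKEN = _sample_jwt({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
DELEGATED_TOKEN = _sample_jwt({"aud": "https://graph.microsoft.com",
                               "scp": "User.Read Mail.Read", "upn": "alice@contoso.example"})
```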