Update to Graph API consent permissions

  • Article

Folks,

We’re letting you know that we made a change yesterday to one of the Graph API permission scopes.  The “Access your organization’s directory” delegated permission now requires an administrator to consent to this permission scope, for a web application.  This permission scope, once granted, allows the application to fully impersonate the signed in user to the Graph API. Previously users were able to consent to this permission scope.

NOTE:   This does not affect a user’s ability to consent to native client applications that request this permission.  Nor does it affect any consent grants that have already been made.

End users who attempt to consent to web applications that request the “Access your organization’s directory” will see the following error.  They must now ask their IT administrator to consent to the application on their behalf.

AADSTS90093: User cannot consent to web app requesting user impersonation as an app permission.

Why we made this change

This change was made based on guidance from our security team.  The “Access your organization’s directory” permission is a tenant-wide permission scope that should not be granted to a web application without oversight by an IT administrator, since it gives broad access to the user’s directory.  The IT administrator is in a better position to make a decision about the trustworthiness of the web application, before granting consent.  Details on the supported Graph API scope permissions can be found here: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Graph.

Do I need to make any changes to my web app?

If you want to continue to offer user consent for your web application, then you'll need to go to the Azure Management Portal and remove the “Access your organization’s directory” permission from the "permissions to other applications" section in your application's configuration. You may also need to update your code so that the application can only query the Graph API for the signed-in user’s details only.

On the other hand, if your web application relies on the additional level of access offered by the “Access your organization’s directory” permission, then you'll require administrator permission for your application.  This means that you may need to offer a "sign my company up" button experience to force administrator consent.  This is described here: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Granting