
Questions on microsoft azure portal app registration - Stack Overflow

  1. I noticed that if I don't add delegated API permissions to my app registration and request explicit scopes during auth like 'File.ReadWrite' instead of the './default', if the user consents the app still works. I am confused because to some extent I expected this to not work, as the permissions were not allowed by the admin in the app registration. Why does it work?

  2. If I do use './default' and a new scope is added later by the admin, if the old scopes were granted and a user OAuth flow is retriggered, it will not ask the user for consent again and instead generates a token with the old scopes only -- that is why I explicitly used option 1 but ran into the above caveat.


asked Feb 6 at 18:21 by codex
  • Please provide enough code so others can better understand or reproduce the problem. – Community Bot Commented Feb 6 at 19:03
  • When you request specific scopes (like File.ReadWrite) during authentication, Azure AD allows dynamic consent based on what the user grants, even if those permissions aren't pre-registered in the app. However, when using ./default, it uses the permissions defined in the app registration, and new permissions won’t take effect unless the user reconsents in a new OAuth flow after the app registration is updated. – Rukmini Commented Feb 7 at 3:31
  • @Rukmini the issue is that the user consent popup won't show up -- as the docs say, "If at least one delegated permission was granted for Microsoft Graph on behalf of the signed-in user, the sign-in continues." What if the user has consented to 1 permission? Then they won't be prompted for the other one if they try to re-auth later, and a token would be generated with only the old permissions. That is why I actually changed the ./default method to individually request scopes instead, but ran into the above weird issue. Which would you recommend? – codex Commented Feb 7 at 8:56
  • When I tried the same I got Need admin approval error – Rukmini Commented Feb 7 at 9:17
  • @codex Please update your questions with the details shared in the comments so the community can better understand your actual request, the efforts you've made, and any blockers you're facing. – Naveen Sharma Commented Feb 7 at 9:34

1 Answer


Note that: If you explicitly request File.ReadWrite but haven’t configured this permission in your app registration, Azure AD will throw an error.

  • When you use a scope like Files.ReadWrite, your app registration needs to include the corresponding permission.

I created a Microsoft Entra ID application and did not grant any API permission except User.Read:

Now, I tried to use the below endpoint to authorize users:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=Files.ReadWrite
&state=12345

When I logged in as a user, I got the error:

When I tried to request an explicit scope which is not added to the application, that is Files.ReadWrite, I got the error.

But when I signed in as Global Admin, I got the consent screen, as a Global Admin can grant the permission on behalf of users:

If the Global Admin clicks on "Consent on behalf of your organization":

The Files.ReadWrite API permission will be added under "Other permissions granted for TenantName".

Make sure to set user and consent settings as "Do not allow user consent".

And if the API permission is granted under "Other permissions granted", then the user will be able to explicitly call the permissions.

  • The Global Admin consent on behalf of the organization is the key mechanism that makes your app work with permissions that were not initially configured in the app registration.
  • If you use the ./default scope and new permissions are added later, users won't be asked for consent again once those permissions are granted by the Global Admin, as long as the user has an active token.

The issue you are facing is because you have set the user and consent settings as "Allow user consent for apps":

And when I tried, I got the user consent screen for the API permissions which are not added to the app:

UPDATE PASTING PICTURES:

User consent screen:

API permissions:

Enterprise application:

Got consent screen as you:

To resolve the issue, you need to set user and consent settings as "Do not allow user consent" like this. After setting the consent settings as "Do not allow user consent", wait for 10-15 mins and then try again; you will get the error "Need admin approval".

For low security impact, you can add permissions in the Permission classifications blade, which sets which permissions the user can consent to:

Select "Allow user consent for apps from verified publishers, for selected permissions (Recommended)"

And select permissions for which the user can consent.
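As an added example (not code from the post or from Microsoft), here is the authorize request from the answer built in Python with either explicit scopes or the .default scope (the post's './default' is sent as https://graph.microsoft.com/.default), plus a check of a returned token's scp claim for the case in question 2 where a re-auth issues a token with only the old scopes. The tenant, client id and sample token are constructed placeholders; prompt=consent is a standard v2.0 authorize parameter that the post itself does not mention.

```python
"""Added example: authorize URL builder and scp-claim check for the
Entra ID consent behaviour discussed above. IDs and tokens are constructed."""
import base64
import json
from urllib.parse import urlencode

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
GRAPH_DEFAULT = "https://graph.microsoft.com/.default"


def authorize_url(tenant, client_id, redirect_uri, scopes, state, force_consent=False):
    """Build the v2.0 authorize request from the answer. `scopes` is either
    explicit Graph scopes (dynamic consent, as in question 1) or [GRAPH_DEFAULT]
    (static consent from the app registration, as in question 2).
    force_consent adds prompt=consent so a user who already holds an older
    grant is shown the consent screen again instead of silently continuing."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    if force_consent:
        params["prompt"] = "consent"
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def token_scopes(access_token):
    """Delegated scopes carried in the token's space-separated 'scp' claim.
    This only decodes the payload for inspection; it does NOT verify the
    signature, so it must never be used to decide whether to trust a token."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split())


def missing_scopes(access_token, required):
    """Scopes the app needs that the issued token lacks; non-empty means the
    grant is stale and the app should re-run authorize_url(force_consent=True)."""
    return set(required) - token_scopes(access_token)


def constructed_token(scp):
    """Constructed sample JWT for this example (alg=none, dummy signature)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"scp": scp}), "sig"])
```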
