Switched to User.Read.All so only admin can consent

Author: Tiago Brenck

2-WebApp-graph-user/2-3-Multi-Tenant/AppCreationScripts/Configure.ps1

@@ -223,7 +223,7 @@ Function ConfigureApplications
    # Add Required Resources Access (from 'webApp' to 'Microsoft Graph')
    Write-Host "Getting access from 'webApp' to 'Microsoft Graph'"
    $requiredPermissions = GetRequiredPermissions -applicationDisplayName "Microsoft Graph" `
-                                                -requiredDelegatedPermissions "Directory.Read.All" `
+                                                -requiredDelegatedPermissions "User.Read.All" `
 
    $requiredResourcesAccess.Add($requiredPermissions)
 

2-WebApp-graph-user/2-3-Multi-Tenant/AppCreationScripts/sample.json

@@ -24,7 +24,7 @@
       "RequiredResourcesAccess": [
         {
           "Resource": "Microsoft Graph",
-          "DelegatedPermissions": [ "Directory.Read.All" ]
+          "DelegatedPermissions": [ "User.Read.All" ]
         }
       ]
     }

2-WebApp-graph-user/2-3-Multi-Tenant/Controllers/TodoListController.cs

@@ -85,7 +85,7 @@ public async Task<IActionResult> Create(TodoItem model)
         }
 
         [HttpGet]
-        [AuthorizeForScopes(Scopes = new string[] { GraphScope.DirectoryReadAll })]
+        [AuthorizeForScopes(Scopes = new string[] { GraphScope.UserReadAll })]
         public async Task<IActionResult> Edit(int id)
         {
             TodoItem todoItem = await _todoItemService.Get(id, User);
@@ -99,7 +99,7 @@ public async Task<IActionResult> Edit(int id)
             var userTenant = User.GetTenantId();
 
             // Acquiring token for graph using the user's tenantId, so it can return all the users from their tenant
-            var graphAccessToken = await _tokenAcquisition.GetAccessTokenOnBehalfOfUserAsync(new string[] { GraphScope.DirectoryReadAll }, userTenant);
+            var graphAccessToken = await _tokenAcquisition.GetAccessTokenOnBehalfOfUserAsync(new string[] { GraphScope.UserReadAll }, userTenant);
 
             TempData["UsersDropDown"] = (await _msGraphService.GetUsersAsync(graphAccessToken))
                 .Select(u => new SelectListItem

2-WebApp-graph-user/2-3-Multi-Tenant/README.md

@@ -147,7 +147,7 @@ As a first step you'll need to:
    - Click the **Add a permission** button and then,
    - Ensure that the **Microsoft APIs** tab is selected.
    - In the *Commonly used Microsoft APIs* section, click on **Microsoft Graph**
-   - In the **Delegated permissions** section, select the **Directory.Read.All** in the list. Use the search box if necessary.
+   - In the **Delegated permissions** section, select the **User.Read.All** in the list. Use the search box if necessary.
    - Click on the **Add permissions** button in the bottom.
 
 ##### Configure the project (WebApp-OpenIDConnect-DotNet) to use your app registration
@@ -294,15 +294,15 @@ If a multi-tenant app needs to acquire a token from Graph to read data from the
 ```csharp
 var userTenant = User.GetTenantId();
 // Acquiring token for graph using the user's tenantId, so it can return all the users from their tenant
-var graphAccessToken = await _tokenAcquisition.GetAccessTokenOnBehalfOfUserAsync(new string[] { GraphScope.DirectoryReadAll }, userTenant);
+var graphAccessToken = await _tokenAcquisition.GetAccessTokenOnBehalfOfUserAsync(new string[] { GraphScope.UserReadAll }, userTenant);
 ```
 
-We are acquiring an access token for Graph with the scope `Directory.Read.All`, to list all the users from the tenant so you can assign a todo item to them. `GetAccessTokenOnBehalfOfUserAsync` is a helper method found on `Microsoft.Identity.Web` project, and it receives a **tenantId** as parameter to acquire a token for the desired authority. For that, we get the current authority from the built `IConfidentialClientApplication` and replace the tenantId. Below is an example of this logic.
+We are acquiring an access token for Graph with the scope `User.Read.All`, to list all the users from the tenant so you can assign a todo item to them. `GetAccessTokenOnBehalfOfUserAsync` is a helper method found on `Microsoft.Identity.Web` project, and it receives a **tenantId** as parameter to acquire a token for the desired authority. For that, we get the current authority from the built `IConfidentialClientApplication` and replace the tenantId. Below is an example of this logic.
 
 ```csharp
 string signedUserAuthority = confidentialClientApplication.Authority.Replace(new Uri(confidentialClientApplication.Authority).PathAndQuery, $"/{tenant}/");
 AuthenticationResult result = await confidentialClientApplication
-    .AcquireTokenSilent(new string[] { "Directory.Read.All" }, account)
+    .AcquireTokenSilent(new string[] { "User.Read.All" }, account)
     .WithAuthority(signedUserAuthority)
     .ExecuteAsync()
     .ConfigureAwait(false);

2-WebApp-graph-user/2-3-Multi-Tenant/Startup.cs

@@ -74,7 +74,7 @@ public void ConfigureServices(IServiceCollection services)
 
             // Sign-in users with the Microsoft identity platform
             services.AddMicrosoftIdentityPlatformAuthentication(Configuration)
-                    .AddMsal(Configuration, new string[] { GraphScope.DirectoryReadAll })
+                    .AddMsal(Configuration, new string[] { GraphScope.UserReadAll })
                     .AddInMemoryTokenCaches();
 
             services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>

2-WebApp-graph-user/2-3-Multi-Tenant/Utils/GraphScope.cs

@@ -2,6 +2,6 @@
 {
     public static class GraphScope
     {
-        public const string DirectoryReadAll = "Directory.Read.All";
+        public const string UserReadAll = "User.Read.All";
     }
 }