When a user signs into an app and uses it to access some other resource, like Microsoft Graph, the app will first need to ask for permission to access this resource on the user’s behalf. This common scenario is called delegated access.
@@ -34,7 +34,7 @@ Your app will need to ask the user to grant a specific scope, or set of scopes,
34
34
35
35
Once your app has requested a scope, a user or admin will need to grant the requested access. Consumer users with Microsoft Accounts, like Outlook.com or Xbox Live accounts, can always grant scopes for themselves. Organizational users with Azure AD accounts may or may not be able to grant scopes, depending on their organization’s settings. If an organizational user can't consent to scopes directly, they'll need to ask their organization’s administrator to consent for them.
36
36
37
-
Always follow the principle of least privilege: you should never request scopes that your app doesn’t need. This principle helps limit the security risk if your app is compromised and makes it easier for administrators to grant your app access. For example, if your app only needs to list the chats a user belongs to but doesn’t need to show the chat messages themselves, you should request the more limited Microsoft Graph `Chat.ReadBasic` scope instead of `Chat.Read`. For more information about openID scopes, see [OpenID scopes](scopes-oidc.md)
37
+
Always follow the principle of least privilege: you should never request scopes that your app doesn’t need. This principle helps limit the security risk if your app is compromised and makes it easier for administrators to grant your app access. For example, if your app only needs to list the chats a user belongs to but doesn’t need to show the chat messages themselves, you should request the more limited Microsoft Graph `Chat.ReadBasic` scope instead of `Chat.Read`. For more information about openID scopes, see [OpenID scopes](scopes-oidc.md).
38
38
39
39
## Designing and publishing scopes for a resource service
40
40
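Review bot: the changed line 37 still reads `openID scopes` while the link text on the same line is `[OpenID scopes](scopes-oidc.md)`; since this sentence is being touched for the trailing period anyway, make the casing consistent: `For more information about OpenID scopes, see [OpenID scopes](scopes-oidc.md).`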
@@ -58,8 +58,8 @@ For client app authorization, OneDrive will check whether the client making the
58
58
59
59
| GET /drives/{id}/files/{id} | Client app granted `Files.Read` scope for Alice | Client app not granted `Files.Read` scope for Alice |
60
60
| ----- | ----- | ----- |
61
-
| The document is in Alice’s OneDrive | 200 – Access granted | 403 - Unauthorized. Alice (or her admin) hasn’t allowed this client to read her files. |
62
-
| The document is in another user’s OneDrive*| 403 - Unauthorized. Alice doesn’t have rights to read this file. Even though the client has been granted `Files.Read` it should be denied when acting on Alice’s behalf. | 403 – Unauthorized. Alice doesn’t have rights to read this file, and the client isn’t allowed to read files she has access to either. |
61
+
| The document is in Alice’s OneDrive.| 200 – Access granted.| 403 - Unauthorized. Alice (or her admin) hasn’t allowed this client to read her files. |
62
+
| The document is in another user’s OneDrive*.| 403 - Unauthorized. Alice doesn’t have rights to read this file. Even though the client has been granted `Files.Read` it should be denied when acting on Alice’s behalf. | 403 – Unauthorized. Alice doesn’t have rights to read this file, and the client isn’t allowed to read files she has access to either. |
63
63
64
64
The example given is simplified to illustrate delegated authorization. The production OneDrive service supports many other access scenarios, such as shared files.
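Review bot: the punctuation in rows 61-62 is still inconsistent after this change: the first two columns use `403 - Unauthorized` (hyphen) while the third uses `403 – Unauthorized` (en dash), and the added period in `OneDrive*.` lands after the footnote marker rather than before it. While adding the periods, normalise the dash to one form in all three cells and move the period ahead of the asterisk (`another user's OneDrive.*`) or leave that cell unpunctuated, so the footnote marker stays attached to the sentence it annotates.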
articles/active-directory/develop/application-consent-experience.md (2 additions & 2 deletions)
@@ -9,7 +9,7 @@ ms.subservice: develop
9
9
ms.custom: aaddev
10
10
ms.workload: identity
11
11
ms.topic: conceptual
12
-
ms.date: 10/18/2022
12
+
ms.date: 11/01/2022
13
13
ms.author: jomondi
14
14
ms.reviewer: jesakowi, asteen, jawoods
15
15
---
@@ -70,7 +70,7 @@ Admins will see an additional control on the traditional consent prompt that wil
70
70
71
71
:::image type="content" source="./media/application-consent-experience/consent_prompt_1a.png" alt-text="Consent prompt for scenario 1a":::
72
72
73
-
Non-admin users will be blocked from granting consent to the application, and they'll be told to ask their admin for access to the app. If admin consent workflow is enabled in the user's tenant, non-admin users are able to submit a request for admin approval from the consent prompt. For more information on admin consent workflow, see [Admin consent workflow](../manage-apps/admin-consent-workflow-overview.md)
73
+
Non-admin users will be blocked from granting consent to the application, and they'll be told to ask their admin for access to the app. If admin consent workflow is enabled in the user's tenant, non-admin users are able to submit a request for admin approval from the consent prompt. For more information on admin consent workflow, see [Admin consent workflow](../manage-apps/admin-consent-workflow-overview.md).
74
74
75
75
:::image type="content" source="./media/application-consent-experience/consent_prompt_2b.png" alt-text="Screenshot of the consent prompt telling the user to ask an admin for access to the app.":::
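Review bot: the changed line 73 reads better with an article, `If the admin consent workflow is enabled in the user's tenant`, and the final sentence repeats the phrase it links to; `For more information, see [Admin consent workflow](../manage-apps/admin-consent-workflow-overview.md).` says the same thing without the duplication. The added trailing period itself is correct.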
articles/active-directory/develop/consent-types-developer.md (4 additions & 4 deletions)
@@ -9,7 +9,7 @@ ms.service: active-directory
9
9
ms.subservice: develop
10
10
ms.workload: identity
11
11
ms.topic: conceptual
12
-
ms.date: 10/17/2022
12
+
ms.date: 11/01/2022
13
13
ms.author: jomondi
14
14
ms.reviewer: jawoods, ludwignick, phsignor
15
15
---
@@ -72,7 +72,7 @@ Requesting consent for an entire tenant requires admin consent. Admin consent do
72
72
73
73
When your application requests [delegated permissions that require admin consent](scopes-oidc.md#admin-restricted-permissions), the user receives an error message that says they're unauthorized to consent to your app's permissions. The user is required to ask their admin for access to the app. If the admin grants consent for the entire tenant, the organization's users don't see a consent page for the application unless the previously granted permissions are revoked or the application requests for a new permission incrementally.
74
74
75
-
Administrators using the same application will see the admin consent prompt. The admin consent prompt provides a checkbox that allows them to grant the application access to the requested data on behalf of the users for the entire tenant. For more information on the user and admin consent experience, see [Application consent experience](application-consent-experience.md)
75
+
Administrators using the same application will see the admin consent prompt. The admin consent prompt provides a checkbox that allows them to grant the application access to the requested data on behalf of the users for the entire tenant. For more information on the user and admin consent experience, see [Application consent experience](application-consent-experience.md).
76
76
77
77
Examples of delegated permissions for Microsoft Graph that require admin consent are:
78
78
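Review bot: unchanged context line 73 has `the application requests for a new permission incrementally`; the intended phrasing is `requests a new permission incrementally`, and since the paragraph directly below it is already being edited for punctuation, fold that fix into the same change. The added period on line 75 is fine.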
@@ -82,9 +82,9 @@ Examples of delegated permissions for Microsoft Graph that require admin consent
82
82
83
83
To view the full list of Microsoft graph permissions, see [Microsoft graph permissions reference](/graph/permissions-reference).
84
84
85
-
You can also configure permissions on your own resources to require admin consent. For more information on how to add scopes that require admin consent, see [Add a scope that requires admin consent](quickstart-configure-app-expose-web-apis.md#add-a-scope-requiring-admin-consent)
85
+
You can also configure permissions on your own resources to require admin consent. For more information on how to add scopes that require admin consent, see [Add a scope that requires admin consent](quickstart-configure-app-expose-web-apis.md#add-a-scope-requiring-admin-consent).
86
86
87
-
Some organizations may change the default user consent policy for the tenant. When your application requests access to permissions they're evaluated against these policies. The user may need to request admin consent even when not required by default. To learn how administrators manage consent policies for applications, see [Manage app consent policies](../manage-apps/manage-app-consent-policies.md)
87
+
Some organizations may change the default user consent policy for the tenant. When your application requests access to permissions they're evaluated against these policies. The user may need to request admin consent even when not required by default. To learn how administrators manage consent policies for applications, see [Manage app consent policies](../manage-apps/manage-app-consent-policies.md).
88
88
89
89
>[!NOTE]
90
90
>In requests to the authorization, token or consent endpoints for the Microsoft Identity platform, if the resource identifier is omitted in the scope parameter, the resource is assumed to be Microsoft Graph. For example, scope=User.Read is equivalent to https://graph.microsoft.com/User.Read.
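Review bot: context line 83 uses `Microsoft graph permissions` and `Microsoft graph permissions reference` with a lowercase `graph`, inconsistent with `Microsoft Graph` on line 77 of the previous hunk; both should be `Microsoft Graph`. In the changed line 87, `When your application requests access to permissions they're evaluated against these policies` also needs a comma after `permissions`, and line 90's `Microsoft Identity platform` should match the `Microsoft identity platform` casing used in scopes-oidc.md line 55 in this same commit. All three lines fall inside this hunk's range.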
articles/active-directory/develop/permissions-consent-overview.md (3 additions & 3 deletions)
@@ -10,7 +10,7 @@ ms.subservice: develop
10
10
ms.workload: identity
11
11
ms.custom: event-tier1-build-2022
12
12
ms.topic: overview
13
-
ms.date: 09/28/2022
13
+
ms.date: 11/01/2022
14
14
ms.author: jomondi
15
15
ms.reviewer: jawoods, ludwignick, phsignor
16
16
@@ -32,7 +32,7 @@ In this access scenario, a user has signed into a client application. The client
32
32
33
33
For the client app, the correct delegated permissions must be granted. Delegated permissions can also be referred to as scopes. Scopes are permissions for a given resource that represent what a client application can access on behalf of the user.For more information about scopes, see [scopes and permissions](v2-permissions-and-consent.md#scopes-and-permissions).
34
34
35
-
For the user, the authorization relies on the privileges that the user has been granted for them to access the resource. For example, the user could be authorized to access directory resources by [Azure Active Directory (Azure AD) role-based access control (RBAC)](../roles/custom-overview.md) or to access mail and calendar resources by Exchange Online RBAC. For more information on RBAC for applications, see [RBAC for applications](custom-rbac-for-developers.md)
35
+
For the user, the authorization relies on the privileges that the user has been granted for them to access the resource. For example, the user could be authorized to access directory resources by [Azure Active Directory (Azure AD) role-based access control (RBAC)](../roles/custom-overview.md) or to access mail and calendar resources by Exchange Online RBAC. For more information on RBAC for applications, see [RBAC for applications](custom-rbac-for-developers.md).
36
36
37
37
### App-only access (Access without a user)
38
38
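Review bot: context line 33 is missing a space after the period in `on behalf of the user.For more information about scopes`; the adjacent line 34 is already being changed for punctuation, so fix `user. For more information` in the same commit rather than leaving a second punctuation defect in the same paragraph.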
@@ -75,7 +75,7 @@ User consent happens when a user attempts to sign into an application. The user
75
75
76
76
### Administrator consent
77
77
78
-
Depending on the permissions they require, some applications might require an administrator to be the one who grants consent. For example, application permissions and many high-privilege delegated permissions can only be consented to by an administrator. Administrators can grant consent for themselves or for the entire organization. For more information about user and admin consent, see [user and admin consent overview](../manage-apps/consent-and-permissions-overview.md)
78
+
Depending on the permissions they require, some applications might require an administrator to be the one who grants consent. For example, application permissions and many high-privilege delegated permissions can only be consented to by an administrator. Administrators can grant consent for themselves or for the entire organization. For more information about user and admin consent, see [user and admin consent overview](../manage-apps/consent-and-permissions-overview.md).
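Review bot: the link text `[user and admin consent overview]` on the changed line 78 is lowercase, while every other link text touched in this commit uses sentence case (`[Application consent experience]`, `[Admin consent workflow]`, `[Manage app consent policies]`); suggest `[User and admin consent overview](../manage-apps/consent-and-permissions-overview.md)` for consistency.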
articles/active-directory/develop/scopes-oidc.md (2 additions & 2 deletions)
@@ -9,7 +9,7 @@ ms.service: active-directory
9
9
ms.subservice: develop
10
10
ms.workload: identity
11
11
ms.topic: conceptual
12
-
ms.date: 10/18/2022
12
+
ms.date: 11/01/2022
13
13
ms.author: jomondi
14
14
ms.reviewer: jawoods, ludwignick, phsignor
15
15
---
@@ -54,7 +54,7 @@ Although a consumer user might grant an application access to this kind of data,
54
54
55
55
If the application requests application permissions and an administrator grants these permissions this grant isn't done on behalf of any specific user. Instead, the client application is granted permissions *directly*. These types of permissions should only be used by daemon services and other non-interactive applications that run in the background. For more information on the direct access scenario, see [Access scenarios in the Microsoft identity platform](permissions-consent-overview.md).
56
56
57
-
For a step by step guide on how to expose scopes in a web API, see [Configure an application to expose a web API](quickstart-configure-app-expose-web-apis.md)
57
+
For a step by step guide on how to expose scopes in a web API, see [Configure an application to expose a web API](quickstart-configure-app-expose-web-apis.md).
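Review bot: `step by step guide` on the changed line 57 is a compound modifier and should be hyphenated, `step-by-step guide`. Context line 55 also needs a comma to separate its conditional clause: `If the application requests application permissions and an administrator grants these permissions, this grant isn't done on behalf of any specific user.`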