Question

In a SharePoint Online (SPO) environment, I am trying to let any (non-admin) user query Microsoft Graph API information that requires the User.Read.All permission.

=> The aim is to make my own directory (any user would be able to search for anybody in the organization's Azure Active Directory (AAD)) because Office 365's Delve and Contacts do not show all the fields from the AAD (especially extensionAttributes). Also my site uses a custom masterpage.

Note: AAD users are not all in the SPO website so I can't use SP's API such as query, SP.user, siteusers.

It works well when I authenticate through the App using its client_secret, but when I authenticate through SharePoint via ADAL JS or MSAL JS (silent or popUp auth) I am granted only the User.Read (not .All) privilege.

I have updated the Azure App manifest to specify that the privilege should be granted for users coming from the App:

"appRoles": [
    {
        "allowedMemberTypes": [
            "Application",
            "User"
        ],
        "description": "Annuaire",
        "displayName": "Annuaire",
        "id": "d1613ef0-097a-44a0-b1d2-c13c02231a97",
        "isEnabled": false,
        "lang": null,
        "origin": "Application",
        "value": "User.Read.All"
    }
],

Using JWT.io to analyze the tokens, I can see that when I request it from the connection made using the app_secret I have the following role:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/e6f27e96-***/",
(...)
  "roles": [
    "User.Read.All"
  ],
(...)
}

But when I request it from the SharePoint page using ADAL or MSAL I have only the following scope:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/e6f27e96-*****/",
(...)
  "scp": "User.Read",
(...)
}

I have also tried to use AAD Graph API with Directory.Read.All permission but the result is the same.

What shall I do to build my custom directory?


Solution

In your provided screenshot I can see that the permission for User.Read.All is an application permission and not a delegated permission, which is what the MSAL and ADAL libraries use together with the user's credentials.

So set the correct permission, User.Read.All, as a delegated permission and I think it will work.


Licensed under: CC-BY-SA with attribution