Introduction

This post is meant for users who are trying to utilize the Microsoft Graph Explorer but are getting an error regarding admin consent. This error is described in the picture below :

image

 

Giving Consent for All Users for Microsoft Graph Explorer

This error is occurring because the user trying to use the graph explorer is trying to utilize a v2 permission that requires admin consent. The permissions/scopes regarding the v2 endpoint are described in the link here : https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes

 

Resolution

To resolve this issue, the Microsoft Graph explorer provides a convenient pre-developed URL for users to give the Global Admin of the tenant in order to grant admin consent on behalf of all users in the tenant. This is currently the only way to let users use the Microsoft Graph Explorer to get access to the Microsoft Graph API with permissions that require Admin Consent.

 

This link can be found by following the steps described in the pictures below.

 

image

 

image

 

image

 

 

11 Thoughts to “Granting Tenant Admin Consent for Microsoft Graph Explorer”

  1. Jon

    I cannot get past the Sign in With Microsoft link without seeing the: “Need admin approval” error message with error code: AADSTS90094.
    Is there a way to get to the link through the portal?
    Or can you just share the link here?

    1. Frank Hu MSFT

      Hey, I’m sorry but I don’t understand the issue. You’ll need to be an Azure Active Directory Global Admin to grant you the approval. Please file a support ticket for further help as it looks like it may require a bit more digging to determine what’s going on.

      Edit: After rereading your post, I think the issue is that you’re admin hasn’t allowed users to grant consent on behalf of themselves. Please refer to this article for more information on that error : https://blogs.msdn.microsoft.com/aaddevsup/2018/05/08/receiving-aadsts…admin-permission/

  2. Mahnoosh

    Hi Frank,

    Thank you for your article.
    Do you know how can I revoke the permission(admin permissions) after granted ?

  3. Mahnoosh

    Hi Frank,

    Thank you for your article.
    Do you know how can I revoke the permission(admin permissions) after granted ?

  4. Frank Hu MSFT

    Hey, so you should be able to find the service principal in the azure portal. Go to portal.azure.com. Then go to Azure Active Directory, and then go to enterprise applications. From there you should see Graph Explorer, delete the enterprise application and this will remove your service principal, meaning you are removing your permissions. If you have anymore issues with this, please file a support ticket and one of the support engineers will reach out to you.

    1. Mahnoosh

      Thank you Frank,

      after I removed graph explorer from enterprise application , can I still use user consent permission from Microsoft graph ?

      1. Frank Hu MSFT

        Yes, the users can still consent on behalf of themselves if the AAD tenant allows users to consent and the user has to correct privileges/roles to perform the actions they are asking to perform.

  5. Frank Hu MSFT

    Hey, so you should be able to find the service principal in the azure portal. Go to portal.azure.com. Then go to Azure Active Directory, and then go to enterprise applications. From there you should see Graph Explorer, delete the enterprise application and this will remove your service principal, meaning you are removing your permissions. If you have anymore issues with this, please file a support ticket and one of the support engineers will reach out to you.

    1. Mahnoosh

      Thank you Frank,

      after I removed graph explorer from enterprise application , can I still use user consent permission from Microsoft graph ?

      1. Frank Hu MSFT

        Yes, the users can still consent on behalf of themselves if the AAD tenant allows users to consent and the user has to correct privileges/roles to perform the actions they are asking to perform.

Leave a Comment