microsoftgraph / msgraph-sample-reactspa

This sample demonstrates how to use the Microsoft Graph JavaScript SDK to access data in Office 365 from React browser apps.
MIT License

notes.read.all demands for admin approval #42

Closed NaveenB closed 4 years ago

NaveenB commented 4 years ago

Hi,

Using "React Graph Tutorial", scope "notes.read.all" is asking for admin approval

Need admin approval React Graph Tutorial

React Graph Tutorial needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it. <<<<<

Whereas the following call for "notes.read.all" works without any admin approval issue

"https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=1f4ddefc-d849-4f30-a410-73297ed98422&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcgi-bin%2Fcode.py&response_mode=query&scope=Notes.Read.All&state=202005051404"; <<<<<

Where is the issue?

Thanks.

jasonjoh commented 4 years ago

How did you add "notes.read.all" to the app? I just tried this and I am not asked for admin approval.

There are a few possibilities here. One is that you added the permission as an application permission (rather than a delegated permission). The application permission requires admin approval. The other possibility I can think of is that your org admin has disabled your ability to consent to that permission after you had consented to the app in your working link. The granted consent would remain, but any new apps you'd be unable to consent for.

NaveenB commented 4 years ago

Thanks for your reply.

> How did you add "notes.read.all" to the app?

Added "Notes.Read.All" in the Config.js file of the “graph-tutorial” project:

    export const config = {
      appId: "1f4ddefc-d849-4f30-a410-73297ed98422",
      redirectUri: "http://localhost:3000",
      scopes: ["user.read", "calendars.read", "Notes.Read.All"],
    };

The API permissions of the app in Azure with client id "1f4ddefc-d849-4f30-a410-73297ed98422" are as follows (there are no application permissions added): Screenshot from 2020-05-06 19-21-06

Login with graph-tutorial with MSAL is asking for admin approval, whereas a direct call with the URL (later part of the earlier post) doesn't require any admin approval. Therefore I don't assume there is any change of permissions related to “Notes.Read.All”.

jasonjoh commented 4 years ago

I have no idea to be completely honest. What you're describing simply shouldn't happen. You mention config.js, which is from an old version of the project. Do you have the same problem with the current code in this repository?

I also notice you configured OneNote API permissions, but this app uses Microsoft Graph. I don't think that's the problem, but those permissions aren't necessary for this app.

What is the URL in the login popup?

NaveenB commented 4 years ago

The url in the login popup >>

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=user.read calendars.read notes.read.all openid profile&client_id=1f4ddefc-d849-4f30-a410-73297ed98422&redirect_uri=http%3A%2F%2Flocalhost%3A3000&state=6ab83161-09c1-47a9-af0f-2391ec638947&nonce=d086f147-4ab7-4225-afde-b008646aeed7&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.2.1&prompt=select_account&client-request-id=fb9822d9-1c46-4ced-b9ac-6f4b6e082ec5&response_mode=fragment

And some good news (or bad, as I don't know why): the login is working, as in the login is asking the user for consent for notes.read.all, but then it fails with the following error message. Screenshot_2020-05-07 React App

But upon second login attempt, login is successful. Can you think of any clue?

Atm, I'm under the impression (not sure though) that the code base is in sync with the current repo.

Maybe I should start again with a clean slate.

Thanks so far.
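The two sign-in requests quoted in this thread differ in more than their scope lists. As an added example (not code from either poster or from this repository), the following parses both authorize URLs exactly as posted and reports which consent-relevant parameters differ; the function names are hypothetical and scope names are lowercased only for comparison.

```javascript
// Added example: diff two Microsoft identity platform authorize requests.
// Both URLs are copied verbatim from the posts in this thread.
const directUrl = "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=1f4ddefc-d849-4f30-a410-73297ed98422&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcgi-bin%2Fcode.py&response_mode=query&scope=Notes.Read.All&state=202005051404";
const msalUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=user.read calendars.read notes.read.all openid profile&client_id=1f4ddefc-d849-4f30-a410-73297ed98422&redirect_uri=http%3A%2F%2Flocalhost%3A3000&state=6ab83161-09c1-47a9-af0f-2391ec638947&nonce=d086f147-4ab7-4225-afde-b008646aeed7&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.2.1&prompt=select_account&client-request-id=fb9822d9-1c46-4ced-b9ac-6f4b6e082ec5&response_mode=fragment";

// Hypothetical helper: extract the parts of an authorize request that
// decide which tenant, flow and scopes the consent prompt is built from.
function describeAuthorizeRequest(rawUrl) {
  const url = new URL(rawUrl);
  // The path has the form /{tenant}/oauth2/v2.0/authorize.
  const [tenant] = url.pathname.split("/").filter(Boolean);
  const p = url.searchParams;
  const scopes = (p.get("scope") || "")
    .split(/\s+/)
    .filter(Boolean)
    .map((s) => s.toLowerCase()) // normalised for comparison only
    .sort();
  return {
    tenant,
    clientId: p.get("client_id"),
    responseType: p.get("response_type"),
    responseMode: p.get("response_mode"),
    redirectUri: p.get("redirect_uri"),
    prompt: p.get("prompt"),
    scopes,
  };
}

// Hypothetical helper: return only the fields whose values differ.
function diffAuthorizeRequests(first, second) {
  const a = describeAuthorizeRequest(first);
  const b = describeAuthorizeRequest(second);
  const diff = {};
  for (const key of Object.keys(a)) {
    if (JSON.stringify(a[key]) !== JSON.stringify(b[key])) {
      diff[key] = { first: a[key], second: b[key] };
    }
  }
  return diff;
}

console.log(JSON.stringify(diffAuthorizeRequests(directUrl, msalUrl), null, 2));
```

The client id is the same in both requests, so it does not appear in the output; the tenant segment, response type, redirect URI and scope list all do.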

jasonjoh commented 4 years ago

Ok. That error does not mean an admin must consent. It's saying no one has consented. You get this error if you make a token request for a scope that hasn't been consented.

How are you calling getAccessToken? Is your code on GitHub?

NaveenB commented 4 years ago

I have created the project based on https://docs.microsoft.com/en-us/graph/tutorials/react?tutorial-step=1

I haven't changed anything in the project. After a successful GET of the calendar for the user, the first thing I tried was to add "note.read.all" in config.js, with the intention of extending the project to implement GET of OneNote pages.

So no, the code is not yet on GitHub.

jasonjoh commented 4 years ago

I've tried what you describe (I've taken the completed tutorial and just added notes.read.all to the scopes in config.ts) and I do not see this behavior. There's either some inadvertent code difference, a dependency version difference, or something configured in your app registration.

For the app registration, you might want to try a new app registration, strictly following the steps in https://docs.microsoft.com/en-us/graph/tutorials/react?tutorial-step=2.

For the dependencies, you can compare your package-lock.json to the one in this repo.

Code-wise, you can try downloading this repository and modifying config.ts to see if you reproduce the error.

NaveenB commented 4 years ago

App Registration: as per the tutorial
Code: downloaded this repo and modified config.ts
Result: Same issue: asking for admin consent, tried three different browsers

My old project (which suddenly worked a few days ago) has the same issue.

I'm totally clueless

jasonjoh commented 4 years ago

What type of tenant are you trying this with? Do you have a developer tenant for testing, or is this your company's production tenant? Do you have admin access? If you remove notes.read.all, leaving all the others, does the problem go away?

ghost commented 4 years ago

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.