Admin required when I run it from my account about presencelight HOT 14 CLOSED

not 100% sure. The app was initially setup to need Presence.Read.All but that was removed. Does it tell you what scope it is trying to get?

from presencelight.

@brettjenkins any update here?

from presencelight.

Hey, never managed to get this working from another account. Only got it working using an api key from within

from presencelight.

Are you making any changes to the repo? Also, what Client ID do you have?

from presencelight.

I think I'm running into the same problem as @brettjenkins, only thing specific to my situation is that I'm trying to create my own app registration (clientid). If I use the clientId from PresenceLight everything works fine. As soon as I use my own clientId and add the premission "presence.read" to the API permissions tab, I need an admin consent (if I only request "User.Read", I don't need admin consent)

@isaacrlevin would be willing to share more screenshots of your App registration? Or maybe the Manifest.json? I would really like to create my own registration and re-use your settings. I've read your document Configure an Azure Active Directory Application multiple times, but I think some info is missing and/or out-dated. For instance the permissions shown in the screenshot include "Presence.Read.All" and "User.Read.All" but if I've read the documentation on Graph Get Presence correctly those aren't needed for querying the signed-in users presence.

I've also tested my work-account with Microsoft Graph Explorer and after requesting the consent for "presence.read" I can happily query my status. Graph Explorer uses it's own ClientId. So your clientId works and Graph Explorer's clientid works, I just need to understand what is wrong with my clientid (app registration).

Any help would be greatly appreciated!

from presencelight.

Here is my app Registration page

https://photos.app.goo.gl/hKetnZiaC3dc2s4e7

from presencelight.

Hi @isaacrlevin, thanks for sharing the screenshots!

The biggest difference in the screenshots I could find is the "supported account types". In your document Configure an Azure Active Directory Application you suggest to use "Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)", but in the screenshots it looks like you have chosen "Accounts in any organizational directory (Any Azure AD directory - Multitenant)".

I have setup a new app registration to match you settings:

But when I run PresenceLight with the new appId I still get the same problem (admin consent required for this application):

At the moment I can only think of one possible cause and that is that my application doesn't have a verified MPN ID in the branding settings (my other app registration has a valid publisher domain, but this doesn't help). I'm currently trying to get a MPN ID on my own domain, to rule out that this is even a problem.

Can you think of any other settings that might be relevant?

from presencelight.

PresenceLight is multi-tenant now, but you are right, you need a to be published. This is all quite odd, as I dealt with no issues at all. Do you get a consent with just User.Read, no other scopes?

from presencelight.

If I just use User.Read I do get a normal consent request that I can approve. As soon as I add the Presence.Read to the API Permissions I get the "Need admin approval".

I have also approved the publisher domain for my application, but that has no effect on the "Need admin approval".
I noticed that your application doesn't have a verified publisher domain:

So that shouldn't be the problem I'm having.

I've also run the "Integration assistent (preview)" for "Desktop Apps" on the App registrations page:

That only suggests to add an MPN ID to become a verified publisher.

I'm currently in the proces of getting a valid MPN ID and as soon as that's done, I'll try again. The Publisher Verification page seems to suggest that you need to be a verified publisher to make calls to Microsoft Graph.

from presencelight.

Presence.Read does not require admin consent. https://docs.microsoft.com/en-us/graph/permissions-reference#presence-permissions

It appears you have done it as a multi-tenant app and not a single tenant app. Is there a reason for this?

Are you doing this in a Microsoft 365 developer tenant? or a real production tenant? As some rules can be set to enforce permission scopes to require admin consent if a tenant admin has configured it.

from presencelight.

@jthake-msft I had already found the link to the required permissions for Presence.Read, that's why I don't understand why I'm still getting the admin consent.

The multi-tenant app is a deliberate choice. I want the app I'm developing to be opensource, so I can't specify the tenant where the app will be used. My current use-case is a tenant from a client I'm working at, so that's a production tenant where I don't have admin access.

The registration for the app (the screenshots above) is done under a new free tenant I registered under my personal Azure account. I'm in the proces of getting a tenant linked to my own (freelance) company, but the verification takes a day or so.

The main thing I don't understand is why the clientId from PresenceLight (the app from isaacrlevin) doesn't need admin consent, while my clientId does require admin consent when calling the Graph API for my own user in the same tenant?
I'm pretty sure the admin of that tenant hasn't granted access for PresenceLight and/or Graph Explorer, but both can get my presence information (after I personally give them consent).

Any help/things to try would be greatly appreciated!

from presencelight.

@xs4free I cannot repro this in various tenants. I can consent Presence.Read without requiring admin consent in my tenants.

This sounds isolated to your tenant. Could you please open a support ticket with https://portal.azure.com/ . If you raise this as a Microsoft Graph technical issues specifically around App Registration, the support team can get you to repro it and look at the logs in your tenant.

from presencelight.

Closing as it seems to be a tenant issue.

from presencelight.

Just letting you know my issue is resolved. I was planning on opening an issue as @jthake-msft suggested, but when I took a final look at one of the several App Registration I had created I noticed that it had Presence.Read.All permissions in the API Permissions tab. I changed it to Presence.Read and hit save. After that my app works as expected, without requiring administrator consent. The screenshots that I posted above show the same settings, but this time it worked. The only reasonable explanation I can think of is that I somehow swapped application registration id's when testing different settings. A dumb error on my part. Sorry!

If anyone is interested, I've documented my current settings at: https://github.com/xs4free/MicrosoftTeamsPresenceLed/blob/master/readme.md#23-using-your-own-application-registration-id

Thanks a lot @isaacrlevin and @jthake-msft for your help and your time!

from presencelight.