Grant tenant-wide admin consent
You have to do the admin consent before using KONNEKT with regular users.
Background
KONNEKT is an application that interacts with several Microsoft 365 APIs. Therefore it needs permission to do so in each Microsoft365 tenant, KONNEKT wants to connect to. One level (but not the only one) of this permission is the Enterprise App Consent in Microsoft Entra ID (Azure AD). It is a major advantage over legacy approaches such as network- or proxy-based access controls for client types, since it is working at every place and allows very granular permissions.
The admin consent for KONNEKT is for "delegated access", only (please see Microsoft docs for more details on permissions and consent). This basically means that users in this tenant are allowed to use this app to access the requested M365 services/APIs. This does not enable the app to access without the user.
KONNEKT requests the following permissions to be consented:
Microsoft Graph
User.Read
Sign in and read user profile
Office 365 SharePoint Online
AllSites.Write
Read and write items in all site collections
Office 365 SharePoint Online
MyFiles.Write
Read and write user files
Windows Azure Active Directory
Directory.AccessAsUser.All
Access the directory as the signed-in user
Windows Azure Active Directory
User.Read
Sign in and read user profile
Since some of the permissions require to be consented by an admin, you have to do the admin consent before using KONNEKT with regular users.
You can learn more about managing consent to applications and evaluate consent requests in the Microsoft docs.
Add KONNEKT permissions in Microsoft Entra ID (Azure AD) Enterprise Applications
As an admin (or having a role that allows granting admin consent) you can grant tenant-wide admin consent to KONNEKT by using the following "Magic URL":
App registration URL till KONNEKT version 2.9.1 and below:
App registration URL from KONNEKT version 2.10 and later:
Therefore you need yourtenant-id
which you get from Azure Portal under Azure Active Directory:
Don't forget to delete the {}
from the link
After that:
Open the link.
Login using your admin account (or account with role allows granting admin consent).
Accept the KONNEKT permissions request.
Done!
If you get Page Not Found after accepting the consent, please ignore it. It has no meaning here.
To check KONNEKT permissions you can find it in your Azure Active Directory under Enterprise applications -> Permissions
For more Info about admin consent visit MS.Docs
Delete KONNEKT permissions from Microsoft Entra ID (Azure AD) Enterprise Applications
In case you want to remove the admin-consent for KONNEKT, please proceed the following steps:
Sign in to the Azure portal with a role that allows deleting admin consent.
Select Azure Active Directory then Enterprise applications.
Look for Konnekt and click on it.
Select properties.
Delete, and confirm the delete.
Last updated