microsoft-graph-explorer-v4 icon indicating copy to clipboard operation
microsoft-graph-explorer-v4 copied to clipboard
verified publisher icon microsoftgraph

Update GE to fetch and display all permissions for all scopes types from DevX API

Open irvinesunday opened this issue 2 years ago • 0 comments

Currently, GE will make this example call to get the delegated work permission for a given endpoint: https://graphexplorerapi.azurewebsites.net/permissions?requestUrl=/communications/callrecords/{id}&method=GET&scopeType=DelegatedWork and will get back the below payload: [{"value":"N/A","consentDisplayName":"Consent name unavailable","consentDescription":"Consent description unavailable","isAdmin":false}]

This endpoint supports app-only permissions, however GE does not display application permissions nor does it make calls to the Graph service using its own app permissions, but rather using delegated permissions from the signed-in user. The expected permissions for the above endpoint should be: [{"value":"CallRecords.Read.All","consentDisplayName":"Read all call records","consentDescription":"Allows the app to read call records for all calls and online meetings without a signed-in user.","isAdmin":false}]

GE needs to fetch all permissions for a given endpoint to be able to infer this and display a relevant message to the customer.

For example. instead of the below error message when making a call to the above endpoint... image

An example of an appropriate error message could be: (Only in cases where the endpoint has app-only permissions) "The requested endpoint supports app-only permission(s). This will not run in Graph Explorer. You can locate the app-only permission(s) in the Modify permissions tab."

Then go ahead and display the application permission(s) in the Modify permissions tab. Of course this will not have a Consent button option.

Some users come to GE for exploration and educational purposes, so this might be a good opportunity to show them all supported permissions for any given endpoint, including app-only permissions, even though GE will not execute endpoints that depend on such.

Open question:

  • How do we handle endpoints that have both application and delegated permissions? example: image

Do we still show the app permissions below the delegated work permissions, separated by a horizontal rule element? And indicate that these are the app permissions for this endpoint?

irvinesunday avatar Jan 20 '23 07:01 irvinesunday