MS OneDrive now requires admin consent for *.All Sites and Files Graph API permissions

Reposting here from a GitHub issue that I opened - this is apparently a feature request…

Additional comment: it would be really helpful to have a single MS OAuth credential where you select the API scopes that you want. That way a single credential could be re-used across multiple MS nodes.

Here goes for the issue description:


Per https://mc.merill.net/message/MC1097272, the following permissions require admin consent:

  • Sites.Read.All

  • Sites.ReadWrite.All

  • Files.Read.All

  • Files.ReadWrite.All

I cannot get admin consent from my Entra ID team without a very good reason, and TBH, I don’t need to :grinning_face_with_smiling_eyes:

I’d like to have an option in the MS Drive credentials to only request user-specific permissions (i.e. the versions without .All), so that I can use OneDrive for myself.

BTW, the same issue exists in the MS Teams connector, and it looks like a generic “Microsoft has restricted access” situation.

To Reproduce

  1. Go to Credentials

  2. Create a new Microsoft Drive Account

  3. Enter all the required information

  4. Click on Connect my account

  5. The connection window pops up with the message “ABC needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it”

Expected behavior

The connection window should list a smaller set of permissions that can be user-consented.

Seconded. Having a similar issue where I want to connect to my organisation OneDrive account but the permissions that the Microsoft Drive OAuth2 API credential is requesting from Microsoft Graph include Files.ReadWrite.All.

This is very broad access that requires Admin context and we were unable to proceed with user level context. Getting admin consent for this in my organisation may not be possible as the level of access being requested by n8n in this case is bloated and outscopes the function of the workflow I am building.

Would be useful to have a MS OAuth credential where you select the API scopes you want, or at least one which requests Files.ReadWrite permissions without requiring admin context.

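The scope check both posts ask for, as an added example that is not part of either post and is not n8n's code: it parses the `scope` parameter of a Microsoft identity platform authorize URL, flags the four scopes the first post lists as admin-consent-only, and rewrites the request with the user-scoped `Files.*` equivalents. The function names and the sample URL are hypothetical; that `Files.Read` and `Files.ReadWrite` are user-consentable is an assumption that holds only where tenant consent policy allows it, and no replacement is assumed for the `Sites.*` scopes.

```javascript
// Scopes the post lists as requiring admin consent (compared case-insensitively).
const ADMIN_CONSENT = new Set([
  'sites.read.all', 'sites.readwrite.all', 'files.read.all', 'files.readwrite.all',
]);
// User-scoped replacements, only for the Files.* pair; none is assumed for Sites.*.
const USER_SCOPED = {
  'files.read.all': 'Files.Read',
  'files.readwrite.all': 'Files.ReadWrite',
};
const GRAPH_PREFIX = 'https://graph.microsoft.com/';

// A scope may be written bare or with the Graph resource prefix; compare the bare form.
function bareName(scope) {
  return scope.toLowerCase().startsWith(GRAPH_PREFIX)
    ? scope.slice(GRAPH_PREFIX.length)
    : scope;
}

function auditAuthorizeUrl(authorizeUrl) {
  const url = new URL(authorizeUrl);
  const requested = (url.searchParams.get('scope') || '').split(/\s+/).filter(Boolean);
  const needsAdmin = [];
  const noReplacement = [];
  const reduced = new Set();
  for (const scope of requested) {
    const name = bareName(scope);
    const key = name.toLowerCase();
    if (!ADMIN_CONSENT.has(key)) {
      reduced.add(scope); // openid, offline_access, already user-scoped scopes
    } else {
      needsAdmin.push(name);
      if (USER_SCOPED[key]) reduced.add(USER_SCOPED[key]);
      else noReplacement.push(name); // dropped from the request, reported to the caller
    }
  }
  const reducedScope = [...reduced].join(' ');
  url.searchParams.set('scope', reducedScope);
  return { needsAdmin, noReplacement, reducedScope, reducedUrl: url.toString() };
}

// Constructed sample request: placeholder client_id, scopes chosen for illustration.
const SAMPLE_URL =
  'https://login.microsoftonline.com/common/oauth2/v2.0/authorize' +
  '?client_id=00000000-0000-0000-0000-000000000000&response_type=code' +
  '&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2FFiles.ReadWrite.All' +
  '%20Sites.Read.All';

console.log(auditAuthorizeUrl(SAMPLE_URL));
```

Anything returned in `noReplacement` has been dropped from the rewritten request, so a workflow that depends on it still needs admin consent or a redesign.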