June 28th, 2023

Microsoft 365 Developer Proxy v0.9 with over-consenting guidance

In the latest preview version of the Microsoft 365 Developer Proxy, we are introducing a preview feature that detects over-consented apps that use Microsoft Graph.

Download Microsoft 365 Developer Proxy v0.9 and check if your apps properly handle API errors.

Detect over-consented apps that use Microsoft Graph

Previously, we introduced support for detecting minimal permissions for calling Microsoft Graph APIs. By recording a series of API requests, you can have the Developer Proxy automatically detect what minimal permissions your app needs to call these APIs. This feature is not only great for your productivity, but also helps you build apps that are secure.

In this version, we continue our work on minimal permissions and introduce a new plugin that helps you find out whether your app has more permissions than it needs (also known as over-consenting).

Like the minimal permissions plugin we introduced previously, the new plugin uses the Developer Proxy’s recording mode to capture the series of Microsoft Graph API requests issued by your app. When you stop the recording, the plugin compares the scopes/roles on the access token with the minimal permissions needed to call the captured APIs and warns you if your token carries more or broader permissions.

Terminal with Microsoft 365 Developer Proxy running and warning about over-consented app

We compare permissions from the access token with minimal permissions locally and are not uploading your access token to any external API.

This new plugin detects over-consenting for both application and delegated permissions. For more information about how it works, see the documentation.
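The comparison described above can be reproduced by hand for a single token. The following Python sketch is an added example, not the Developer Proxy's own code: it assumes the minimal permission set is already known (here passed in as `minimal`), reads the standard `scp` (delegated) and `roles` (application) claims, and uses constructed, unsigned sample tokens.

```python
import base64
import json

def decode_claims(token: str) -> dict:
    """Decode the JWT payload locally. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_permissions(claims: dict) -> tuple[str, set[str]]:
    """Delegated tokens carry a space-separated 'scp' string;
    app-only tokens carry a 'roles' list."""
    if claims.get("scp"):
        return "delegated", set(claims["scp"].split())
    return "application", set(claims.get("roles", []))

def over_consent_report(token: str, minimal: set[str]) -> dict:
    """Return the permission type and every granted permission that is not
    in the minimal set. A broader permission (Mail.ReadWrite where Mail.Read
    suffices) is reported too, because it is not in the minimal set."""
    kind, granted = granted_permissions(decode_claims(token))
    return {"type": kind, "excessive": sorted(granted - minimal)}

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real token)."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}.sig"

# Constructed samples: one delegated token, one app-only token.
DELEGATED = make_token({"scp": "User.Read Mail.ReadWrite Files.Read.All"})
APP_ONLY = make_token({"roles": ["User.Read.All", "Mail.Read"]})

if __name__ == "__main__":
    # App only needs to read the profile and mail.
    print(over_consent_report(DELEGATED, {"User.Read", "Mail.Read"}))
    # Daemon only needs to list users.
    print(over_consent_report(APP_ONLY, {"User.Read.All"}))
```

Because the payload is decoded without verifying the signature, this is suitable only for inspecting your own app's tokens during development, never for making authorization decisions.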

We’re releasing this feature in preview and will continue to improve its accuracy. We’d love to hear feedback on how it works and how we can make it better.

New name, the same awesome tool

Following our announcement in May, we’re releasing this version under the new name of Microsoft 365 Developer Proxy. We hope that it will make it clearer that you can use this tool with Microsoft Graph and any other API on Microsoft 365 and beyond.

As a part of the rename, we renamed the repository and moved it to the Microsoft organization on GitHub. We’ve also changed the name of the executable to m365proxy which you’ll now use to start the proxy on your machine.

Try it now

Download Microsoft 365 Developer Proxy v0.9 and check if your apps properly handle API errors.

We’re excited about this new version and can’t wait for you to try it out. We look forward to hearing from you about these improvements and how we can continue to make the Microsoft 365 Developer Proxy even better.

Follow us on Twitter @Microsoft365Dev to stay up to date on the latest developer news and announcements.

Happy coding!

Author

Waldek Mastykarz
Principal Developer Advocate
Garry Trinder
Senior Cloud Advocate for Microsoft 365
