Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.

[Polina]

Hi Karsten,

Yes, if you edit your existing organization and select to 'Grant permissions automatically' or add a new organization in an automated manner, they will be added to the app.

[mkevenaar]

Hi Polina,

I have updated to 8.5.0.1014, and the permissions have not been updated when updating the existing Microsoft Entra ID application or when registering a new application. The checkbox "Grant the required permissions to this application and register its certificate in Microsoft Entra ID" has been checked.

This has been tested on two (2) different installations, both on 8.5.

Am I doing something wrong?

[Polina]

Hi Maurice,

No, you're not doing anything wrong — this is a product behavior, not a configuration mistake on your end. And I need to correct what I said earlier: automatic permission granting does not currently update permissions. My earlier statement was inaccurate, and I apologize for the confusion.
Until the next patch, the reliable path is still to manually update the application's permissions in Microsoft Entra ID.

Thanks for your patience and for the detailed repro.

[AlexL]

Am I correct in understanding that for v8.5 no api permissions changes are needed (if upgrading from v8.4) but they are needed for a future update? Else I would have thought that the gui wizard would automatically set them or at least the release notes would mention them. Since neither are I’m assuming no changes needed (for now).

[juerg.hirschi]

confused

"Until the next patch, the reliable path is still to manually update the application's permissions in Microsoft Entra ID."

so you forgot this part ? and we need an update to the upgrade to get automated permission adjustment by running the org setup wizard.
makes quite a difference if i can just run the wizard vs. going into each tenant and do permisson magic manually for our customers.