"Need admin approval" while testing as ASP.NET Web Forms application - azure-active-directory

we have a website that was developed in C# using ASP.NET Web Forms ans is working well,
the thing is that it works with an internal (of the company) authentication, and that kind of authentication will soon expire,
so I have been asked to develop an Azure AD one, but when testing we receive this error
to develop the Azure Authentication, we followed some guides like 1st link
I know that this issue has been reported many times before but Azure AD is continuously evolving so a guide from the beginning of 2021 for example is hard to apply it at the end of 2022
and thanks in advance
PS: if you need any complementary document that I can provide, just ask

I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the Admin Consent is not consented to the API Permissions you have granted to the Azure AD Application.
Make sure to grant the Admin Consent to the API Permissions like below:
Go to Azure Portal -> Azure Active Directory -> API Permissions -> Grant Admin Consent
You can use the below endpoint and sign in as Global Admin and Accept the consent on behalf of organization like below:
https://login.microsoftonline.com/TenantID/adminconsent?client_id=ClientID
Otherwise, you can allow users to consent to the Application like below:
Go to Azure Portal -> Enterprise Application -> User Settings -> Go to Consent and permissions

Related

Permissions for SAAS in Azure AD

I am looking to develop a SAAS product where tenant from different organizations can log into my application and there are specific set of custom Permissions that I want to create for my application which will allow users to access different endpoints in my application.
Application is hosted in a inhouse server.
Can someone please help me to understand what would be my approach to do so?
I am doing App Registration in Azure AD. And in the redirect uri I am passing my application url.
I am stuck after that.
I tried to reproduce the same in my environment and got the results like below:
To integrate the SaaS Application in Azure AD, Register an Application in Azure AD.
As you need tenant from different organizations log into the application, make sure to configure the Application as Multi-Tenant like below:
Based on your requirement you can select the API permission which you want the users to access like below:
For sample, I selected Microsoft Graph and added the required API permissions:
You can choose Delegated or Application API permissions based the Grant Flows.
For Client-Credentials, need to grant Application API permissions and for Authorization Code Flow need to grant Delegated API permissions.
For sample, I am using OAuth 2.0 authorization code flow to generate the token for authentication.
I generated Auth-Code using below authorize endpoint:
This will authorize the request and redirect it to the application.
I generated the token using below parameters:
Using the above generated Access token, you can call Microsoft Graph API.
If you want B2B collaboration, refer to the document provided by bahrep in the comments.
References:
Register a SaaS application - Azure Marketplace | Microsoft Learn
Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra

Getting invalid_grant: AADSTS65001: The user or administrator has not consented to use the application even though it has been consent by the admin

I am trying to access my web api written in .Net Core from a ReactJs client application. I have registered both the application in Azure AD and given Admin Consent to the Web API in ReactJs API Permission section. Even after configuring this I am getting invalid_grant: AADSTS65001: The user or administrator has not consented to use the application
Can any please help me regarding this please. How should I connect to the web api.
To resolve the error "invalid_grant: AADSTS65001: The user or administrator has not consented to use the application", try the following:
Make sure to have Global admin role and grant admin consent for the below API permissions of your application:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your app -> API permissions -> Add permissions
After granting admin consent, please check whether the status turned green or not.
Make sure whether the below options are checked or not in your authentication tab like below:
If still the issue persists, make use of below document if helpful:
4 ways to fix error AADSTS65001 (issues with Admin Consent!) - #SharePointProblems / Koskila.net

MS Graph permission added to Azure AD app registration breaks sign-in flow via Intune Company Portal app

I have created an Azure AD app registration for a cross-platform (Xamarin.Forms) mobile application for our employees. The app registration is setup to work as a single-tenant app and in order to function properly, we have specified a number of permissions to Microsoft Graph, such as "openid", "profile", and "User.Read", which have been given admin consent by our Admin. The app uses broker authentication (using ADAL) in order to sign-in users to the app via the Intune Company Portal app already installed and setup on every user's device.
Up until recently, everything worked fine until we needed to add a new Microsoft Graph permission to the app registration, namely "Group.Read.All". So, we added the new permission to our app registration as a delegated permission and had our admin provide the admin consent for all the users.
After giving consent to the new permission, our users could not login to the app since the Intune Company Portal app did not sign-in the users to the app, but instead advised them to setup their device by installing and setting up the Intune Company Portal app on their device (?!).
As I mentioned before, the devices already had Intune Company Portal installed and properly setup on their device for more than 2 years now.
So, we thought of checking the user sign-ins of the user to find out what the problem was and we found a failure event recorded with sign-in error code 530003 (Access has been blocked due to conditional access policies.) where it showed that the policy "Access Policy: Require Device Enrollment for Accessing EOL & Sharepoint from handheld devices" failed with reason "require compliant device" (under column Grant Controls).
As soon as we revoked the newly added permission "Group.Read.All" from the app registration, our users could sign-in to the app successfully.
When we tried adding other permissions like Directory.Read.All and GroupMember.Read.All, we did not have any issues with our sign-in flow via the Intune Company Portal.
Can you please advise what it is so special about the "Group.Read.All" permission that raises the Azure sign-in error code 530003, forcing the Intune Company Portal app to require the users to setup their (already setup) device, before they can sign-in to our app?
I am at my wits' end with this one.
Any ideas?
For me it is not possible to reproduce your issue due to multiple things involved.
Few suggestions that you could try at your end:
Try isolate each component and leverage graph explorer/postman to make an API call and observe behavior.
I didn't get the need to add graph permission, but as per your use case see if there is any other least privileged permission that could get your job done, add that permission and check behavior.
Check if your scenario really demanded adding permission as delegated and if this is really supported? For e.g, below image shows necessary permssion to get the properties and relationships of a group object.
If problem still persists, consider contacting Microsoft support for your specific scenario.

Why does Microsoft Dynamics 365 ask for delegated admin in Azure app registration

I'm following a guide online to generate an access token to access Microsoft Dynamics 365 Customer Engagement: https://eax360.com/dynamics-365-online-connect-using-postman/.
All of it works fine, however I am wondering why delegated Admin permissions need to be supplied in Azure Active directory during app registration. I have seen a lot of guides explain that permissions must be delegated but the above site documents the process well. As a general rule, I thought that starting with the lowest security permissions was the norm. I am new to Azure AD so thoughts are very much welcome.
If your app will be a client which allows the authenticated user to perform operations, you must configure the application to have the Access Dynamics 365 as organization users delegated permission.
Application permission means that you want your app to access Common Data Service without a user.
So whether to use delegated permission in Azure app registration depends on your needs. It is not mandatory.
But we can see that the Application permissions in Azure app registration is gray out. This is because Microsoft provides a different way to implement it.
We need to create a Common Data Service application user an then bound it to the registered app. After that, we could connect using the application secret. See the details here: Connect as an app.

Using same authentication for EWS API and Graph API

We've been using Azure Active Directory and EWS SOAP web services successfully.
Trying to see if we can use our current authentication method to be able to also invoke Microsoft Graph (i.e. https://graph.microsoft.com/v1.0/me/)
I went into Azure and added Microsoft Graph under App Registrations -> Settings -> Required Permissions.
This was our authorize endpoint url:
https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com%2F
I changed it to :
https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Fgraph.microsoft.com
Is this all I had to do? When I try to go through the oAuth 2.0 flow, the authorize request seems successful, then I'm asked to enter my credentials, and then I get an error:
"Misconfigured application. This could be due to one of the
following: The client has not listed any permissions for 'Microsoft
Graph' in the requested permissions in the client's application
registration. Or, The admin has not consented in the tenant. Or, Check
the application identifier in the request to ensure it matches the
configured client application identifier. Please contact your admin to
fix the configuration or consent on behalf of the tenant. Client app
ID: b1313958-.... "
I went into Azure and added Microsoft Graph under App Registrations ->
Settings -> Required Permissions.
You mentioned this as part of your question. Please check if after performing these steps for your App Registration in Azure AD, did you click on the “Grant Permissions” button to provide consent or not.
Looking at the error it seems Consent for Microsoft Graph related permissions isn’t done yet.

Resources