I'm using OpenID Connect to authenticate users according to https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc. I registered application in Azure AD and there are following user consents defined:
The problem is that only 3 users are authenticated while others get error 90094 with message:
Need admin approval
App needs permission to access resources in your organisation that
only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
These 3 users who can sign-in are the ones who granted "Sign users in" and "Sign in and read profile" permissions (visible under "Granted By" column links on the screenshot) and this is the only difference in Azure configuration between them and the rest who cannot sign-in. All of users have been added to app through "Users and groups" page with the same roles. All users are from the same company's directory. Api permissions looks like following
Moreover I have setting
I don't know how to grant permissions to other users and I don't know how to extend list of permissions visible on the screenshot.
Any ideas?
I wonder if any changes in Azure Portal happened since November 2019 when I created and configured that app. There where no changes in my permissions since that time, so I didn't have more power that time. I've read various documentation on MSDN about consents and permissions but didn't find solution.
You are not the admin of your Azure AD tenant.
Please see this reference: Disable or enable user consent from the Azure portal.
I see that you have the setting: Users can consent to apps accessing company data on their behalf. But if you don't Enable the admin consent workflow, when the application is requesting permissions that the user is not allowed to grant, the users still can't consent to the apps by themselves.
Another method is that you need to use an admin account to log into Azure portal. And then grant admin consent for your tenant.
Related
I have an Enterprise Application which requires pretty nominal permissions:
I have already granted consent as an admin.
When a user tries to access the app and logs-in they get this message:
"needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."
I don't want my users to see this message (they will call helpdesk or do the wrong thing).
I think the admin consent I provided above should be sufficient, so my questions are:
Is is possible to consent on behalf of the users
What settings to I need to change?
Yes, it is possible to consent on behalf of the users. To achieve the same you must have Global Administrator or Privileged Administrator role.
Go to Azure Portal -> Azure Active Directory -> Enterprise applications -> Consent and permissions - > User consent settings
Check if the below option is set to No in Enterprise Application Users settings:
References:
Grant tenant-wide admin consent to an application - Microsoft Entra | Microsoft Docs
Azure AD app Need admin approval error: App needs permission to access resources in your organization that only an admin can grant - Stack Overflow
I am a developer working on an application that will access O365 data via the Graph API. I have registered an application under my company account. I have authentication working on a per-user basis. Now I am trying to get it to work so that a tenant administrator can grant permission to my application for data access on an organization-wide basis. I have this working as well - I used the /adminconsent endpoint to bring the administrator to a page where he granted the consent.
What I am wondering about is the line in the documentation that says "You can rely on an administrator to grant the permissions your app needs at the Azure portal". I am trying to figure out what that procedure is so I can document it for admin users. I thought perhaps it was to go to App Registrations - there I see an option to create a new registration. But this has it's own Client Id. Don't I somehow have to give it the Client Id of my own application? Or is the idea that the tenant admin will supply the Client Id of his app to my app? Or am I in the wrong area altogether?
BTW in case it is relevant, I am not using any authentication library, just making direct http calls from a C++ program running on the Windows desktop.
Per my understanding, your application is an multi-tenant application. Only you or the administrators in your tenant can grant the permissions to your application. The administrators from other tenants can grant consent to use your application, but they can not control the permissions.
Update:
You can grant admin consent by calling admin consent endpoint.
https://login.microsoftonline.com/common/v2.0/adminconsent?
client_id={your_tenant_client_id}
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope=
https://graph.microsoft.com/.default
If you want to grant admin consent via Azure portal. The application must already been provisioned in your tenant. For example, an app could be provisioned in your tenant if at least one user has already consented to the application.
We have an account that is an Application Administrator, and with that account, we registered an App.
When attempting to add permissions both Application and Delegated, there would be a message saying it needs admin approval. When trying to give admin consent from the apps permissions page with the following image would pop up
The permissions we were attempting to give were:
-Microsoft Graph: Reports.Read.All
-Office 365 Management API: ServiceHealth.read
And these were both Application and Delegated
What Exactly is happening here?
Are we doing something wrong?
You need to login in your application with the Azure AD global admin account.(Application Administrator can not do this)
Or you can ask your Azure AD admin to grant admin consent on Azure portal.
Go to your application->API permissions-Grant consent.
We have configured an azure active directory application so that the users to our website can log in via their Microsoft accounts. The problem is that if we do not grant admin access then the Sign in to the application fails with the error code AADSTS650056:
Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration.
We are skeptical to click on "Grant admin consent" fearing that it may expose any vulnerability. Is this the right way to proceed? If not what are the alternatives so that this kind of consent is bypassed?
Each application registers permissions it requires. Some permissions can be granted by users, some other only by the administrator.
Let's suppose you have only permissions that can be consented by users. The first time they use the application, they'll be prompted (each user) to consent those permissions to the application.
If in the same scenario you click on grant admin consent, it is the equivalent of accepting it for all users on the tenant.
Now let's suppose the application registers permissions that require admin consent, you have no choice but to click that button if you want the application to work and be able to request tokens.
These permissions that require admin consent are permissions that either allow access to more or sensitive data in the organization.
I've got an app registered in Azure AD. And I've configured the connector in Auth0. When I push the 'Try It' button in Auth0, I'm prompted with
Neo Dev
Neo Dev needs permission to access resources in your organization that
only an admin can grant. Please ask an admin to grant permission to
this app before you can use it.
Have an admin account? Sign in with that account
Return to the application without granting consent
But in Azure AD I've already used the button labeled:
Grant consent
As an administrator, you can grant consent on behalf of all users
in this directory. Granting admin consent for all users means that
end users will not be shown a consent screen when using the application.
So obviously I'm missing something. Any ideas what I should check next?
I was able to get it to work by adding Directory.Read.All and User.Read from both Microsoft Graph permissions AND Legacy Azure Active Directory Graph permissions.