Azure AD asks for admin consent for Power BI Access - azure-active-directory

I want to use AAD for the Power BI REST API and thus need to get a token for auth. Even though the permissions granted to the app do not need admin consent, I always receive a popup saying:
<App> needs permission to access resources in your
organization that only an admin can grant. Please ask an admin to
grant permission to this app before you can use it.
App API permissions (nowhere does it say admin consent is required)
Code I am using for auth:
// ADAL (v1 endpoint): PromptBehavior.Auto shows the sign-in/consent UI only when needed
var userAuthnResult = authenticationContext.AcquireTokenAsync(
    new Uri(ProgramConstants.RedirectUri),
    new PlatformParameters(PromptBehavior.Auto)).Result;
P.S. I have tried authenticating with username/password credentials, which does not work for me due to multi-factor auth in my org.

If your organization has disabled or restricted users' authorization to consent to applications, you won't be able to grant consent yourself, even if the permissions your app is requesting don't require admin intervention.
You can check if user consent is enabled or disabled in your organization in the Azure portal > Azure AD > Enterprise apps > User settings. (Even if you're not an administrator, you should be able to see if the switch is on or off.)


Azure OAuth2 flow when approval is requested

Our app implements the Azure OAuth2 (v2) user-consent flow and uses Graph API scopes that do not require admin consent. Recently we've noticed that some users of our app run into this auth screen: "The app requires admin's approval".
Is that because the tenant Org disabled user-consent for apps?
Where does it leave us with the user-consent based OAuth2 flow? Is it still possible to get a user access token after an admin's approval, or is the only way to use the OAuth2 daemon flow? In a callback after such a dialog, how can we know that the admin approval has been given?
One related question. In cases where user consent is not disabled but it's an admin user that authorizes, there is an option 'Consent on behalf of your organization'. How can we know in the callback from this dialog that the admin checked that box? And does it mean we need to use the OAuth2 daemon flow then too?
Thank you
It was our lack of understanding. After more testing we realized that we used prompt=consent and that is why the consent window always showed. Thank you.
Is that because the tenant Org disabled user-consent for apps?
Yes, this setting is under Enterprise applications -> User settings.
Is it still possible to get a user access token after an admin's
Yes, you can still get a user access token after an admin's approval.
In a callback after such a dialog how can we know that the admin
approval has been given?
Once your admin reviews the request you will be notified via email.
In cases where user-consent is not disabled but it's an admin user
that authorizes there is an option 'Consent on behalf of your
Organization'. How can we know in the callback from this dialog that
the admin checked that box?
Once the admin has checked the box, users in that tenant will not see the consent dialog. Also, you can check the status of the application in Azure portal -> App registrations -> your app -> API permissions.
There are two possible reasons: user consent or admin consent.
For user consent, two possible cases:
1) In a tenant where user consent is disabled, users can't consent to any permission. Azure AD -> Enterprise apps -> User settings -> Users can consent to apps.
2) User assignment: Azure AD -> Enterprise apps -> (select app) -> Properties -> User assignment required
For admin consent, two possible cases:
1) App-only permissions always require a tenant administrator’s consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn’t able to consent.
2) Certain delegated permissions also require a tenant administrator’s consent. For example, the ability to write back to Azure AD as the signed in user requires a tenant administrator’s consent.
Solution:
The prompt=admin_consent parameter (which requests permissions from an admin) can be used as a parameter in the OAuth2/OpenID Connect authorization request to obtain admin consent.
Enable the admin consent workflow, which gives end users a way to request access to applications that require admin consent.
Refer to the permissions documentation for the Microsoft Graph API, which indicates which permissions require admin consent.

Azure AD Enterprise apps, assigning users

I want to validate my understanding here.
I have a web application and registered this app in Azure AD. In Enterprise applications, I assign a set of users to the app without granting consent for those users.
-> If those users log in to the app, will that work? I think not, as no consent is granted. From my understanding, every user has to grant consent to the app (depending on what the app requires) or an admin has to grant consent for all users.
I heard something different: that it is enough to just add the users to the app. So please shed some light on that :)
In Enterprise applications, I assign a set of users to the app without granting consent for those users. -> If those users log in to the app, will that work? I think not, as no consent is granted.
By default, even though you don't grant consent for the users, the users can still log in to the app.
Without any granting, the user can sign in and the app can read the user's profile; this does not require an admin.

Azure AD V1 endpoint registered native app: Graph API consent given but user can't get through

When registering a native application on the Azure AD 1.0 endpoint, and assigning Graph API permissions, it seems like consented permissions are 'cached' somewhere and can't be managed properly.
Example scenario:
1) Application registered and permission scopes (incl. ones requiring admin consent) assigned.
2) Administrator consents to the permission scopes.
3) Simple user can use the app with consented permissions.
4) Permission scopes change (adding a new one, for example).
5) Same admin doesn't get the consent form anymore.
6) Simple user is stuck with "consent required, have an admin account?"
7) Another global admin must use the app for the first time to trigger the consent page.
Note that #7 doesn't always work; even if the other admin provides consent, simple users can't get through sometimes.
This is a multi-tenant application, yet when I start using it in another tenant, I cannot see its consented permissions in the AAD portal under Enterprise applications.
Shouldn't permissions that have been consented to be listed in other tenants so that the admin can at least see what has been consented to?
Also, when I register an app on the V1.0 endpoint in my own tenant, I have an option to 'grant permissions' centrally, from the Azure AD portal for my tenant.
This option isn't available if I'm looking at an application that was registered in another tenant.
Am I overlooking something? Any help much appreciated.
When you change permissions, it does not automatically re-consent (for user or admin). You can find a detailed overview of this at Understanding user and admin consent.
You'll first need to kick off the admin consent workflow. For a multi-tenant app this is done by adding prompt=admin_consent to your OAuth URL and having an admin authenticate.
Once that is done you can also force existing users to re-consent as well by adding prompt=consent to your Auth URL.

Applications created in v2 endpoint, how to grant admin consent for all users in my tenant

For a v1 app registered in the portal, you can 'Grant Permissions' to consent to an application's delegated permissions on behalf of all the users in your tenant. For an app registered in the v2 endpoint, you can only see it in the 'Enterprise Applications' tab and there is no option for 'grant permissions' in the permissions tab. How do I get to the same goal, given that I do not want to individually consent each user?
Edit: after making the adminconsent call,
This worked (with only Graph scopes): profile email offline_access
This still gives me an AADSTS90094 error and asks for admin consent (with openid scopes): profile email offline_access
This issue happens only when I turn on the 'User Assignment Required' flag
in the Azure portal; if that flag is disabled, users are able to individually consent and log in, no issues. However, we need this flag since we do not want all our users in AD to be able to use the app.
To request consent for all users in a tenant in Azure AD V2.0, your app can use the admin consent endpoint:
Please refer to the document: Using the admin consent endpoint
The listings in the Enterprise apps tab are all service principals rather than app registrations. These are apps that your tenant has signed into and consented to, thus provisioning the service principal into the tenant.
v2 apps are created and managed through the App Registration Portal; however, there is no equivalent functionality to Grant Permissions at this time. In order to perform admin consent in v2, you have to construct a request to Azure AD.
Just go to your browser and drop in the following request (populated with your registered app's Client/App ID and Redirect URI):
{tenant}/adminconsent?client_id=<Client/App ID>&redirect_uri=<App's Redirect URI>&state=111
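The two ways of requesting admin consent described in these answers (prompt=admin_consent on a v1 authorization request, and the v2 /adminconsent endpoint quoted just above) and the question of how an app recognizes in its callback that the admin actually granted it are shown below as an added example. This is not code from the original posts; the tenant name, client ID, redirect URI, state value and the two callback URLs are constructed samples, shaped like the success and decline redirects Azure AD sends back to the redirect URI.

```python
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def v1_authorize_url(tenant, client_id, redirect_uri, resource, prompt):
    """v1 endpoint authorization request with an explicit prompt.

    prompt='consent' re-prompts the signed-in user for the app's current
    permissions; prompt='admin_consent' asks a tenant administrator to
    consent on behalf of the whole organization.
    """
    if prompt not in ("consent", "admin_consent"):
        raise ValueError("prompt must be 'consent' or 'admin_consent'")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,  # v1 names the API by resource URI, not by scopes
        "prompt": prompt,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def v2_admin_consent_url(tenant, client_id, redirect_uri, state):
    """v2 admin consent endpoint (the /adminconsent request quoted in the answer)."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}"


def parse_admin_consent_callback(callback_url, expected_state):
    """Interpret the redirect back to redirect_uri after the admin acts.

    Returns a dict with 'granted' (bool), 'tenant' (str or None) and
    'error' (str or None). A state mismatch is reported as an error so the
    app never treats a forged or replayed callback as a grant.
    """
    qs = parse_qs(urlparse(callback_url).query)

    def first(key):
        return qs.get(key, [None])[0]

    if first("state") != expected_state:
        return {"granted": False, "tenant": None, "error": "state_mismatch"}
    if first("error"):
        return {"granted": False, "tenant": first("tenant"), "error": first("error")}
    granted = (first("admin_consent") or "").lower() == "true"
    return {"granted": granted, "tenant": first("tenant"), "error": None}


# Constructed sample values (not real identifiers).
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://app.example.com/consent-callback"
STATE = "e1f3b9c0"  # a real app generates a random, per-request value

# Constructed callbacks: what arrives at redirect_uri after the admin
# grants, and after the admin declines.
SUCCESS_CALLBACK = (
    REDIRECT_URI
    + "?tenant=00000000-0000-0000-0000-000000000001"
    + "&state=e1f3b9c0&admin_consent=True"
)
DECLINED_CALLBACK = (
    REDIRECT_URI
    + "?error=permission_denied"
    + "&error_description=The+admin+declined+the+request"
    + "&state=e1f3b9c0"
)

if __name__ == "__main__":
    print(v1_authorize_url(TENANT, CLIENT_ID, REDIRECT_URI,
                           "https://graph.microsoft.com", "admin_consent"))
    print(v2_admin_consent_url(TENANT, CLIENT_ID, REDIRECT_URI, STATE))
    print(parse_admin_consent_callback(SUCCESS_CALLBACK, STATE))
    print(parse_admin_consent_callback(DECLINED_CALLBACK, STATE))
    print(parse_admin_consent_callback(SUCCESS_CALLBACK, "other-state"))
```

The callback parser answers the "how do we know in the callback" question from the earlier thread: a grant shows up as admin_consent=True together with the tenant ID, a decline as an error parameter, and the app compares the returned state with the one it issued before trusting either.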

Azure AD prompt user/admin to re-consent after changing application permissions

I am building a SaaS app that will be authenticating users using Azure AD.
Let's say I am asking for just 1 delegated permission from user during consent prompt and user accepts it.
Later on my app evolves and needs more delegated permissions. In that case, how do I re-prompt the user with the consent page? I would like to do this only once, when the permissions change.
Do I need to track in my app what permissions each user has consented to and then determine to add the prompt=admin_consent query parameter while redirecting to the auth page?
The prompt=admin_consent value is used when an administrator needs to provide consent for their organization. If you just require the user's consent, you use prompt=consent.
Another way is to redirect to the login page with the prompt parameter added, to re-consent when the app gets an exception because it lacks permission to call the new API.
You could also consider using the v2.0 endpoint, which supports incremental and dynamic consent.
Here is the document about Azure AD V2.0 endpoint for your reference.
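As an added example (not code from the question or answer above), the following shows the two approaches the answer describes on the v2.0 endpoint: tracking which scopes each user has already consented to so the app can prompt once with prompt=consent for only the new scopes, and recognizing the error an app receives when it calls an API without consent (the OIDC consent_required code, and the AADSTS90094 code from the earlier question) so it can redirect to a consent prompt instead of retrying. The scope lists, user names, tenant, client ID, redirect URI and state are constructed samples.

```python
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# Constructed data: the delegated scopes the app needs after it evolved, and
# what each user consented to on an earlier sign-in (an app persists this).
REQUIRED_SCOPES = frozenset({"openid", "profile", "offline_access", "User.Read", "Mail.Read"})
CONSENTED = {
    "alice@contoso.example": {"openid", "profile", "offline_access", "User.Read"},
    "bob@contoso.example": set(REQUIRED_SCOPES),
}


def missing_scopes(user, required=REQUIRED_SCOPES, consented=CONSENTED):
    """Scopes the app now needs that this user has not consented to yet."""
    return sorted(required - consented.get(user, set()))


def is_consent_error(error_payload):
    """True when an error response from Azure AD means consent is missing.

    Matches the OIDC 'consent_required' error code and the AADSTS90094 code
    seen in the earlier question; an app seeing either should send the user
    to a consent prompt rather than retry the same request.
    """
    code = error_payload.get("error") or ""
    description = error_payload.get("error_description") or ""
    return code == "consent_required" or "AADSTS90094" in description


def reconsent_url(tenant, client_id, redirect_uri, scopes, state):
    """v2 authorize request asking the signed-in user for just these scopes.

    prompt=consent forces the consent dialog; listing only the new scopes is
    what makes the consent incremental on the v2 endpoint.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "prompt": "consent",
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def plan_reconsent(user, tenant, client_id, redirect_uri, state):
    """None when the user's stored consent already covers REQUIRED_SCOPES,
    otherwise the URL to redirect them to, requesting only what is missing."""
    missing = missing_scopes(user)
    if not missing:
        return None
    return reconsent_url(tenant, client_id, redirect_uri, missing, state)


# Constructed sample values (not real identifiers).
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://app.example.com/auth-callback"
STATE = "7c2a91de"  # a real app generates a random, per-request value

if __name__ == "__main__":
    for user in CONSENTED:
        print(user, "->", plan_reconsent(user, TENANT, CLIENT_ID, REDIRECT_URI, STATE))
    print(is_consent_error({"error": "invalid_grant",
                            "error_description": "AADSTS90094: The grant requires admin permission."}))
```

Either signal can drive the same redirect: the stored-consent check catches the change before the user hits an error, and the error check covers users whose stored record is stale or who consented through another path.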
