Azure AD custom administrator that can manage guest accounts - azure-active-directory

In the AAD there is no predefined administrator role that gives a user the right to manage only guest users. There is the "user administrator", but it can manage all users and not only guest users. Then there is the "guest inviter", which only has the right to invite guest users, but not to manage all aspects of them.
Is there a way to create a custom administrator role that has these rights?
The reason for this is that we have implemented a partner portal in SharePoint in my company. Our partners access the corresponding SharePoint pages via guest accounts. Therefore our partner managers should be able to manage only these partner/guest users. They could do this via the AAD admin center if there were a suitable administrator role for it.

Is there a way to create a custom administrator role that has these rights?
Currently, the answer is no.
Now only permissions for Application registrations are supported in custom roles. More permissions are coming soon.

Related

Admin Consent for users

I have an Enterprise Application which requires pretty nominal permissions:
I have already granted consent as an admin.
When a user tries to access the app and logs-in they get this message:
"needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."
I don't want my users to see this message (they will call helpdesk or do the wrong thing).
I think the admin consent I provided above should be sufficient, so my questions are:
Is it possible to consent on behalf of the users?
What settings do I need to change?
Yes, it is possible to consent on behalf of the users. To achieve the same you must have Global Administrator or Privileged Administrator role.
Go to Azure Portal -> Azure Active Directory -> Enterprise applications -> Consent and permissions -> User consent settings
Check if the below option is set to No in Enterprise Application Users settings:
References:
Grant tenant-wide admin consent to an application - Microsoft Entra | Microsoft Docs
Azure AD app Need admin approval error: App needs permission to access resources in your organization that only an admin can grant - Stack Overflow

Cannot give permissions to sign-in to my app, error "App needs permission to access resources in your organisation that only an admin can grant"

I'm using OpenID Connect to authenticate users according to https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc. I registered an application in Azure AD and the following user consents are defined:
The problem is that only 3 users are authenticated while others get error 90094 with message:
Need admin approval
App needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
These 3 users who can sign in are the ones who granted the "Sign users in" and "Sign in and read profile" permissions (visible under the "Granted By" column links on the screenshot), and this is the only difference in Azure configuration between them and the rest who cannot sign in. All of the users have been added to the app through the "Users and groups" page with the same roles. All users are from the same company's directory. The API permissions look like the following:
Moreover, I have this setting:
I don't know how to grant permissions to other users and I don't know how to extend the list of permissions visible on the screenshot.
Any ideas?
I wonder if any changes in the Azure Portal happened since November 2019, when I created and configured that app. There were no changes in my permissions since that time, so I didn't have more power back then. I've read various documentation on MSDN about consents and permissions but didn't find a solution.
You are not the admin of your Azure AD tenant.
Please see this reference: Disable or enable user consent from the Azure portal.
I see that you have the setting: Users can consent to apps accessing company data on their behalf. But if you don't Enable the admin consent workflow, when the application is requesting permissions that the user is not allowed to grant, the users still can't consent to the apps by themselves.
Another method is that you need to use an admin account to log into Azure portal. And then grant admin consent for your tenant.

Giving access to third party application

I am a developer working on an application that will access O365 data via the Graph API. I have registered an application under my company account. I have authentication working on a per-user basis. Now I am trying to get it to work so that a tenant administrator can grant permission to my application for data access on an organization-wide basis. I have this working as well - I used the /adminconsent endpoint to bring the administrator to a page where he granted the consent.
What I am wondering about is the line in the documentation that says "You can rely on an administrator to grant the permissions your app needs at the Azure portal". I am trying to figure out what that procedure is so I can document it for admin users. I thought perhaps it was to go to App Registrations; there I see an option to create a new registration. But this has its own Client Id. Don't I somehow have to give it the Client Id of my own application? Or is the idea that the tenant admin will supply the Client Id of his app to my app? Or am I in the wrong area altogether?
BTW in case it is relevant, I am not using any authentication library, just making direct http calls from a C++ program running on the Windows desktop.
Per my understanding, your application is a multi-tenant application. Only you or the administrators in your tenant can grant the permissions to your application. The administrators from other tenants can grant consent to use your application, but they cannot control the permissions.
Update:
You can grant admin consent by calling admin consent endpoint.
https://login.microsoftonline.com/common/v2.0/adminconsent?
client_id={your_tenant_client_id}
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope=
https://graph.microsoft.com/.default
If you want to grant admin consent via the Azure portal, the application must already be provisioned in your tenant. For example, an app is provisioned in your tenant if at least one user has already consented to the application.
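The admin consent request above is a plain redirect, so the only thing tying the callback to the request is the state value. The following is an added example (not code from the answer or from Microsoft's libraries) that builds the v2.0 admin consent URL and validates the redirect back to redirect_uri, rejecting a mismatched state, surfacing an error response, and extracting the tenant id on success. The client id and tenant id are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values; replace with your own app registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost/myapp/permissions"  # must match the registration exactly
DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def new_state():
    """Per-request random token; store it server-side before redirecting the admin."""
    return secrets.token_urlsafe(24)


def build_admin_consent_url(client_id, redirect_uri, state,
                            scope=DEFAULT_SCOPE, tenant="common"):
    """Build the v2.0 admin consent URL. urlencode percent-encodes the scope
    and redirect_uri so the query string is unambiguous."""
    params = {
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
        "scope": scope,
    }
    return f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def parse_admin_consent_callback(callback_url, expected_state):
    """Validate the redirect from the consent endpoint.
    Returns (ok, tenant_id_or_None, message). The state check comes first:
    a callback with the wrong state is not ours and must not update any record,
    whether or not it claims admin_consent=True."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        return False, None, "state mismatch: response does not belong to this request"
    if "error" in qs:
        # Consent denied or misconfigured app; description carries the AADSTS text.
        desc = qs.get("error_description", [""])[0]
        return False, None, f"{qs['error'][0]}: {desc}"
    if qs.get("admin_consent", [""])[0].lower() != "true":
        return False, None, "admin_consent flag not set"
    # The tenant parameter identifies which directory granted consent; record it
    # rather than trusting any tenant id the admin typed into your UI.
    return True, qs.get("tenant", [None])[0], "admin consent granted"
```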

Can a 3rd party Azure AD B2B manage their own permissions for my protected API?

I have a protected API that third-party B2B users and daemon services can access.
Can the 3rd party somehow manage permissions to my API by forwarding claims during authentication?
I don’t want to provide a management interface of permissions for users, if they can manage it in their own Azure tenant.
I'm afraid the answer is no.
As the users access your application as B2B users, I suppose your application is a single-tenant application. If so, the guest users will access your application in your tenant directly. Your application won't exist in the guest users' tenants.
Even if your application is a multi-tenant application and exists under the external users' tenants, they will still be unable to manage the permissions themselves.
It is possible through Application Roles.

What does the "grant admin consent" button do in an Azure Active Directory application?

We have configured an Azure Active Directory application so that the users of our website can log in via their Microsoft accounts. The problem is that if we do not grant admin consent, the sign-in to the application fails with the error code AADSTS650056:
Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration.
We are skeptical about clicking "Grant admin consent", fearing that it may expose a vulnerability. Is this the right way to proceed? If not, what are the alternatives so that this kind of consent is bypassed?
Each application registers the permissions it requires. Some permissions can be granted by users, some others only by the administrator.
Let's suppose you have only permissions that can be consented to by users. The first time they use the application, each user will be prompted to consent to those permissions for the application.
If in the same scenario you click on grant admin consent, it is the equivalent of accepting it for all users on the tenant.
Now let's suppose the application registers permissions that require admin consent: you have no choice but to click that button if you want the application to work and be able to request tokens.
The permissions that require admin consent are those that allow access to more data, or to sensitive data, in the organization.