Can't log into newly registered AAD application. Error code: AADSTS650051: Says my organization is in an unmanaged state - azure-active-directory

So I have registered a new multi-tenant AAD application, but trying to log in using the same account I created it with gives me the error:
MSAL.Desktop.4.5.0.0.MsalServiceException:
ErrorCode: invalid_client
Microsoft.Identity.Client.MsalServiceException:
AADSTS650051: "Using application 'TestApplication' is currently not supported for your organization sample-company.ch because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of sample-company.ch before the application TestApplication can be provisioned."
The domain name in question is already verified, so I'm not sure what's wrong here. After registering the app I just followed their Windows Desktop App Quickstart Guide and tried logging in with their sample project:
https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2/
Any help would be appreciated.

Since your application is multi-tenant, you probably didn't do user or admin consent for the target tenant.
Try adding &prompt=admin_consent to your request to force admin consent. Log in with an admin account to perform the admin consent.
Please see details from Understand user and admin consent.

Related

"Need admin approval" while testing as ASP.NET Web Forms application

We have a website that was developed in C# using ASP.NET Web Forms and is working well. The thing is that it works with an internal (company) authentication, and that kind of authentication will soon expire, so I have been asked to develop an Azure AD one, but when testing we receive this error.
To develop the Azure authentication, we followed some guides like the 1st link.
I know that this issue has been reported many times before, but Azure AD is continuously evolving, so a guide from the beginning of 2021, for example, is hard to apply at the end of 2022.
Thanks in advance.
PS: if you need any complementary document that I can provide, just ask.
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if admin consent has not been granted for the API permissions you have added to the Azure AD application.
Make sure to grant admin consent to the API permissions as shown below:
Go to Azure Portal -> Azure Active Directory -> API Permissions -> Grant Admin Consent
You can also use the endpoint below: sign in as a Global Admin and accept the consent on behalf of the organization, like below:
https://login.microsoftonline.com/TenantID/adminconsent?client_id=ClientID
Otherwise, you can allow users to consent to the application themselves, like below:
Go to Azure Portal -> Enterprise Application -> User Settings -> Go to Consent and permissions

Getting invalid_grant: AADSTS65001: The user or administrator has not consented to use the application even though it has been consented to by the admin

I am trying to access my web API, written in .NET Core, from a ReactJS client application. I have registered both applications in Azure AD and given admin consent to the Web API in the ReactJS app's API permissions section. Even after configuring this I am getting invalid_grant: AADSTS65001: The user or administrator has not consented to use the application.
Can anyone please help me with this? How should I connect to the web API?
To resolve the error "invalid_grant: AADSTS65001: The user or administrator has not consented to use the application", try the following:
Make sure you have the Global admin role and grant admin consent for the API permissions of your application, as below:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your app -> API permissions -> Add permissions
After granting admin consent, please check whether the status turned green or not.
Check whether the options below are ticked in your Authentication tab, like below:
If the issue still persists, refer to the document below if helpful:
4 ways to fix error AADSTS65001 (issues with Admin Consent!) - #SharePointProblems / Koskila.net

MS Graph permission added to Azure AD app registration breaks sign-in flow via Intune Company Portal app

I have created an Azure AD app registration for a cross-platform (Xamarin.Forms) mobile application for our employees. The app registration is set up to work as a single-tenant app, and in order to function properly we have specified a number of permissions to Microsoft Graph, such as "openid", "profile", and "User.Read", which have been given admin consent by our Admin. The app uses broker authentication (using ADAL) in order to sign in users to the app via the Intune Company Portal app already installed and set up on every user's device.
Up until recently, everything worked fine, until we needed to add a new Microsoft Graph permission to the app registration, namely "Group.Read.All". So, we added the new permission to our app registration as a delegated permission and had our admin provide the admin consent for all the users.
After giving consent to the new permission, our users could not log in to the app, since the Intune Company Portal app did not sign the users in to the app, but instead advised them to set up their device by installing and setting up the Intune Company Portal app on their device (?!).
As I mentioned before, the devices already had the Intune Company Portal installed and properly set up for more than 2 years now.
So, we thought of checking the user's sign-ins to find out what the problem was, and we found a failure event recorded with sign-in error code 530003 (Access has been blocked due to conditional access policies.), where it showed that the policy "Access Policy: Require Device Enrollment for Accessing EOL & Sharepoint from handheld devices" failed with reason "require compliant device" (under the Grant Controls column).
As soon as we revoked the newly added permission "Group.Read.All" from the app registration, our users could sign in to the app successfully.
When we tried adding other permissions like Directory.Read.All and GroupMember.Read.All, we did not have any issues with our sign-in flow via the Intune Company Portal.
Can you please advise what is so special about the "Group.Read.All" permission that raises the Azure sign-in error code 530003, forcing the Intune Company Portal app to require the users to set up their (already set up) device before they can sign in to our app?
I am at my wits' end with this one.
Any ideas?
For me it is not possible to reproduce your issue due to the multiple things involved.
A few suggestions that you could try at your end:
Try to isolate each component and leverage Graph Explorer/Postman to make an API call and observe the behavior.
I didn't get the need to add the Graph permission, but as per your use case see if there is any other least-privileged permission that could get your job done; add that permission and check the behavior.
Check if your scenario really demanded adding the permission as delegated and if this is really supported. For example, the image below shows the necessary permissions to get the properties and relationships of a group object.
If the problem still persists, consider contacting Microsoft support for your specific scenario.

Unable to authenticate Azure App Service and get the data in an SPFx React solution

We are trying to call a web API hosted in Azure App Service from an SPFx React web part using AadHttpClientFactory.
We are receiving the error below:
Error: Error - Type : interaction_required - Description : AADSTS65001: The user or administrator has not consented to use the application with ID <> named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource.
Please suggest the process to resolve the above issue.
Thanks in advance.
You need to consent to use the application. Go to Azure portal -> Azure Active Directory -> App registrations -> find your application -> API permissions -> click the Grant admin consent button (remember to log in with the admin account).
If the permissions don't require admin consent, you can also use individual user consent, which doesn't need admin permission.

App needs permission to access resources in your organisation that only an admin can grant

We have created a converged application for a public community (AD and Live users can log in) using Microsoft Graph and the scopes openid, email, profile and user.readBasic.all.
Everything works fine for Live users, but some AD users are not able to log in. When they try to log in they get the message:
"App needs permission to access resources in your organization that
only an admin can grant. Please ask an admin to grant permission to
this app before you can use it."
As per the Microsoft document, we have prepared the admin consent URL as:
https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&prompt=admin_consent
Even after admin consent, users are not able to log in to the app. Please help us find what we are missing here.
Your URL is for the v1 endpoint, not the v2 endpoint (aka the converged endpoint).
It should look like this (line break for readability):
https://login.microsoftonline.com/common/adminconsent?
client_id=[APPLICATION ID]&redirect_uri=[REDIRECT URI]
Note that it is /adminconsent rather than /authorize, and there isn't a prompt query parameter. Also keep in mind that you'll need to ensure your registration includes the scopes you want consent for.
I've written an article that walks you through the entire process that should prove helpful here: v2 Endpoint and Admin Consent
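The answers above (the portal/adminconsent endpoint steps for AADSTS65001 and the v1-versus-v2 correction here) all come down to sending the admin to the right consent URL and then trusting the redirect that comes back. The following is an added example, not code from any of the posts or from Microsoft, written in Python: it builds the v2 /adminconsent URL in the shape the answer shows, flags the v1 /oauth2/authorize?prompt=admin_consent form from the question, and checks the callback (including the state value, which the endpoint echoes back) before treating consent as granted. The tenant, client id, redirect URI and callback URLs are constructed placeholders.

```python
"""Build an Azure AD v2 admin-consent URL and validate the redirect it produces.

Added example (not from the thread). Endpoint shapes follow the answer above:
  https://login.microsoftonline.com/{tenant}/adminconsent?client_id=...&redirect_uri=...
On return, Azure AD redirects to redirect_uri with either
  ?admin_consent=True&tenant=<tenant id>&state=<state>          (granted)
  ?error=<code>&error_description=<text>&state=<state>          (refused / failed)
All ids and URLs below are placeholders constructed for the example.
"""
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(client_id: str, redirect_uri: str,
                            tenant: str = "common",
                            state: Optional[str] = None) -> Tuple[str, str]:
    """Return (url, state) for the v2 /adminconsent endpoint.

    `state` is an opaque value the endpoint echoes back in the redirect.
    Generate a random one per request and verify it on return, so a
    callback that was not started by us is never mistaken for a real grant.
    """
    state = state or secrets.token_urlsafe(16)
    query = urlencode({"client_id": client_id,
                       "redirect_uri": redirect_uri,
                       "state": state})
    return f"{AUTHORITY}/{tenant}/adminconsent?{query}", state


def is_v1_admin_consent_url(url: str) -> bool:
    """True for the v1-style URL from the question: /oauth2/authorize with prompt=admin_consent."""
    parts = urlparse(url)
    params = parse_qs(parts.query)
    return (parts.path.endswith("/oauth2/authorize")
            and params.get("prompt") == ["admin_consent"])


def parse_admin_consent_callback(callback_url: str, expected_state: str) -> dict:
    """Interpret the redirect Azure AD sends after the admin acts on the prompt.

    Only a callback whose state matches and that carries admin_consent=True
    is reported as a grant; everything else is returned as a failure with
    the reason so the caller can surface the AADSTS text to the operator.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if params.get("state") != expected_state:
        return {"ok": False, "reason": "state mismatch: ignore this callback"}
    if params.get("admin_consent", "").lower() == "true":
        return {"ok": True, "tenant": params.get("tenant")}
    return {"ok": False,
            "reason": params.get("error", "unknown"),
            "detail": params.get("error_description", "")}


if __name__ == "__main__":
    # Placeholder registration values (constructed, not a real app).
    client_id = "00000000-0000-0000-0000-000000000000"
    redirect_uri = "https://localhost/consent-callback"

    url, state = build_admin_consent_url(client_id, redirect_uri)
    print("Send the admin to:", url)

    v1_url = (f"{AUTHORITY}/contoso.onmicrosoft.com/oauth2/authorize?"
              f"client_id={client_id}&response_type=code&prompt=admin_consent")
    print("v1 URL detected:", is_v1_admin_consent_url(v1_url))  # True

    # Constructed callback as the browser would deliver it after a grant.
    ok = parse_admin_consent_callback(
        f"{redirect_uri}?admin_consent=True&tenant=tenant-id-placeholder&state={state}", state)
    print("Consent result:", ok)
```

The function returns a dict rather than raising so that a web handler can log the AADSTS error_description verbatim (the text in these questions is exactly what an operator needs to see) while still refusing to mark the tenant as consented on anything other than a state-matched admin_consent=True.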
