I've got an app registered in Azure AD. And I've configured the connector in Auth0. When I push the 'Try It' button in Auth0, I'm prompted with
Neo Dev
Neo Dev needs permission to access resources in your organization that
only an admin can grant. Please ask an admin to grant permission to
this app before you can use it.
Have an admin account? Sign in with that account
Return to the application without granting consent
But in Azure AD I've already used the button labeled:
Grant consent
As an administrator, you can grant consent on behalf of all users
in this directory. Granting admin consent for all users means that
end users will not be shown a consent screen when using the application.
So obviously I'm missing something. Any ideas what I should check next?
I was able to get it to work by adding Directory.Read.All and User.Read from both Microsoft Graph permissions AND Legacy Azure Active Directory Graph permissions.
Related
I have an Enterprise Application which requires pretty nominal permissions:
I have already granted consent as an admin.
When a user tries to access the app and logs-in they get this message:
"needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."
I don't want my users to see this message (they will call helpdesk or do the wrong thing).
I think the admin consent I provided above should be sufficient, so my questions are:
Is is possible to consent on behalf of the users
What settings to I need to change?
Yes, it is possible to consent on behalf of the users. To achieve the same you must have Global Administrator or Privileged Administrator role.
Go to Azure Portal -> Azure Active Directory -> Enterprise applications -> Consent and permissions - > User consent settings
Check if the below option is set to No in Enterprise Application Users settings:
References:
Grant tenant-wide admin consent to an application - Microsoft Entra | Microsoft Docs
Azure AD app Need admin approval error: App needs permission to access resources in your organization that only an admin can grant - Stack Overflow
I'm using OpenID Connect to authenticate users according to https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc. I registered application in Azure AD and there are following user consents defined:
The problem is that only 3 users are authenticated while others get error 90094 with message:
Need admin approval
App needs permission to access resources in your organisation that
only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
These 3 users who can sign-in are the ones who granted "Sign users in" and "Sign in and read profile" permissions (visible under "Granted By" column links on the screenshot) and this is the only difference in Azure configuration between them and the rest who cannot sign-in. All of users have been added to app through "Users and groups" page with the same roles. All users are from the same company's directory. Api permissions looks like following
Moreover I have setting
I don't know how to grant permissions to other users and I don't know how to extend list of permissions visible on the screenshot.
Any ideas?
I wonder if any changes in Azure Portal happened since November 2019 when I created and configured that app. There where no changes in my permissions since that time, so I didn't have more power that time. I've read various documentation on MSDN about consents and permissions but didn't find solution.
You are not the admin of your Azure AD tenant.
Please see this reference: Disable or enable user consent from the Azure portal.
I see that you have the setting: Users can consent to apps accessing company data on their behalf. But if you don't Enable the admin consent workflow, when the application is requesting permissions that the user is not allowed to grant, the users still can't consent to the apps by themselves.
Another method is that you need to use an admin account to log into Azure portal. And then grant admin consent for your tenant.
We have an account that is an Application Administrator, and with that account, we registered an App.
When attempting to add permissions both Application and Delegated, there would be a message saying it needs admin approval. When trying to give admin consent from the apps permissions page with the following image would pop up
The permissions we were attempting to give were:
-Microsoft Graph: Reports.Read.All
-Office 365 Management API: ServiceHealth.read
And these were both Application and Delegated
What Exactly is happening here?
Are we doing something wrong?
You need to login in your application with the Azure AD global admin account.(Application Administrator can not do this)
Or you can ask your Azure AD admin to grant admin consent on Azure portal.
Go to your application->API permissions-Grant consent.
We have configured an azure active directory application so that the users to our website can log in via their Microsoft accounts. The problem is that if we do not grant admin access then the Sign in to the application fails with the error code AADSTS650056:
Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration.
We are skeptical to click on "Grant admin consent" fearing that it may expose any vulnerability. Is this the right way to proceed? If not what are the alternatives so that this kind of consent is bypassed?
Each application registers permissions it requires. Some permissions can be granted by users, some other only by the administrator.
Let's suppose you have only permissions that can be consented by users. The first time they use the application, they'll be prompted (each user) to consent those permissions to the application.
If in the same scenario you click on grant admin consent, it is the equivalent of accepting it for all users on the tenant.
Now let's suppose the application registers permissions that require admin consent, you have no choice but to click that button if you want the application to work and be able to request tokens.
These permissions that require admin consent are permissions that either allow access to more or sensitive data in the organization.
I am just trying to do grant permission for my application after registering with Azure AD, but I am getting this error,
Failed to grant permission for application "".
Could somebody suggest me the reason?
The Grant permissions button does administrator consent for the tenant, so you should be an admin in the Azure AD tenant to do this.
Administrator consent means that no user will be asked for consent, and thus requires higher privileges.
Edit: this was possibly changed later so the button now does regular user consent if you are not an admin. Though if the tenant has user consent disabled, you'd get this or a similar error too.