Azure AD admin consent required when it shouldn't


There are several potential problems with your setup:

  1. Your authorization request is set to a specific tenant, the one with tenantId d6ac45af-3289-4f79-a826-27824e1c467d. Only users from that tenant will be able to log in. If this tenantId corresponds to the one for your organization, where you manage users (A), then disregard this point. Otherwise you should either replace this with the tenantId of that tenant or with common which will allow users from any tenant to sign in.
  2. Your application is not multi-tenant. For testing purposes, I replaced the tenantId with common and wasn't able to use this with my test tenant due to the following error: AADSTS70001: Application with identifier 'd340f0ed-5eb3-43e8-9a50-c449649f3ee1' was not found in the directory <MY_TEST_TENANT>. This indicates that the application isn't configured as a multi-tenant application. This is something you must explicitly turn on.
  3. Your organization's tenant (A) might have disabled the ability for regular users to consent to applications. If this capability is disabled, admin consent is always required for the application to be set up in the tenant. To test to see if this is the case, address points #1 (use /common/) and #2 above and try with any other tenant. If you are able to consent with that other tenant but not your organization's tenant, then you'll know that admin consent is required for your organization.

You should check out the "How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern" article as it explains all of the points above in more detail.
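As an added example (not part of the answer above), here is a small Python check that parses an Azure AD v1 authorize request such as the one in the question and reports which of the three points apply: whether the request is pinned to a single tenant (point 1), whether the requested scopes go beyond the basic sign-in scopes (which is where admin consent normally enters), and how the same URL looks against the /common/ endpoint for the test in point 3. The set of "sign-in only" scopes is an assumption made for this example.

```python
"""Inspect an Azure AD v1 authorize URL against the three diagnostic points in the answer."""
from urllib.parse import urlsplit, urlunsplit, parse_qs

COMMON = "common"
# Assumption for this example: the delegated scopes that a plain sign-in
# (openid/profile/email) needs and that do not require admin consent.
SIGN_IN_SCOPES = {"openid", "profile", "email"}


def parse_authorize_request(url):
    """Return tenant, client_id, scopes and redirect_uri from a v1 authorize URL."""
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    # Expected path shape: /<tenant>/oauth2/authorize
    if len(segments) < 3 or segments[1] != "oauth2" or segments[2] != "authorize":
        raise ValueError("not an Azure AD v1 authorize endpoint: " + parts.path)
    query = parse_qs(parts.query)          # parse_qs turns '+' into spaces
    scopes = set(query.get("scope", [""])[0].split())
    return {
        "tenant": segments[0],
        "client_id": query.get("client_id", [None])[0],
        "scopes": scopes,
        "redirect_uri": query.get("redirect_uri", [None])[0],
    }


def diagnose(url, org_tenant_id=None):
    """List findings; org_tenant_id is the tenant where the users live (tenant A)."""
    info = parse_authorize_request(url)
    findings = []
    if info["tenant"] != COMMON:
        pinned_to_other = org_tenant_id is None or info["tenant"].lower() != org_tenant_id.lower()
        if pinned_to_other:
            findings.append("point 1: request is pinned to tenant %s; only its users can sign in"
                            % info["tenant"])
    extra = info["scopes"] - SIGN_IN_SCOPES
    if extra:
        findings.append("scope: permissions beyond basic sign-in requested %s; check whether "
                        "any of them needs admin consent" % sorted(extra))
    return info, findings


def to_common_endpoint(url):
    """Rewrite the tenant segment to 'common' so the request can be tested from another tenant."""
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    segments[0] = COMMON
    return urlunsplit(parts._replace(path="/" + "/".join(segments)))
```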

Author: Paolo Ramos

Updated on June 17, 2022

Comments

  • Paolo Ramos
    Paolo Ramos about 2 years

    I have 2 tenants:

    • One for my organization, where I manage users (A)
    • One that I manage the applications and permissions (B)

    My webapp is on tenant A and I configured authentication on the portal using Azure AD on tenant B.

    On tenant B I registered the application with only one permission which does not require admin consent: Windows Azure Active Directory > Sign in and read user profile.

    [screenshot: the registered application's Required Permissions]

    When the user logs in he gets the following error:

    AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

    I believe that this error should not be raised, since the only permission required by the application doesn't require admin.

    EDIT

    This is the URL that I am redirected to when I try to access the application when I'm not logged in

    https://login.microsoftonline.com/d6ac45af-3289-4f79-a826-27824e1c467d/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Ftechnipfmc-tools-app-test.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=d340f0ed-5eb3-43e8-9a50-c449649f3ee1&scope=openid+profile+email&response_mode=form_post&nonce=1895ec0ffef64447bbb712bdae61c7fb_20170521070654&state=redir%3D%252F
    

    EDIT 2

    I found out a solution here:

    As an administrator, you can also consent to an application's delegated permissions on behalf of all the users in your tenant. This will prevent the consent dialog from appearing for every user in the tenant. You can do this from the Azure portal from your application page. From the Settings blade for your application, click Required Permissions and click on the Grant Permissions button.

    I don't know why I had to do that since I'm only using permissions that don't require admin consent.

  • Paolo Ramos
    Paolo Ramos about 7 years
    I checked that and I'm not using this parameter
  • Shawn Tabrizi
    Shawn Tabrizi about 7 years
    Can you share an http trace of the call you are making?
  • Paolo Ramos
    Paolo Ramos about 7 years
    Do you mean the login URL?
  • Shawn Tabrizi
    Shawn Tabrizi about 7 years
    sure! I was looking for a little more of the trace, like acquiring the token as well...
  • Paolo Ramos
    Paolo Ramos about 7 years
    On point #1 when you say "Only users from that tenant will be able to log in", if I add a user from another tenant as a guest user (invitation) is he considered a user of my tenant? The application is not supposed to be multitenant. All users will be managed by tenant B, where I will add users from other tenants as guest users (is this considered multitenant?)
  • Paolo Ramos
    Paolo Ramos about 7 years
    Please, check my second edit with the solution. But I don't understand why I had to do that
  • Jurgen Cuschieri
    Jurgen Cuschieri over 4 years
    I am having a similar problem to op. I am using the common endpoint and the "multi-tenancy option" is explicitly turned on within the app registration. Your point 3 is interesting although I would have to check with the tenant facing the problem. Could this be happening specifically as Admin consent is always required in multi tenant environments?