I have been working to allow an Azure enterprise app (say 'ABCD') of an external business application to access all mailboxes of my O365 tenant.So, I basically logged on using my EXO admin account and then accepted the admin consent as in the screen below.
When I think further, I have the following questions:
I can see the app 'ABCD' when I logged onto 'https://myapps.microsoft.com' using my admin account. I also have the option to remove the 'ABCD' app in 'https://myapps.microsoft.com'. If I really do so, does it actually remove the whole tenant access from the 'ABCD' app or does it just remove the 'ABCD' app from accessing my mailbox?
Because I used my admin account to accept the admin consent, what will happen if my admin account was deleted?
Dumber question: what about if I change my admin account password? (I guess it should not matter).
Does anyone know the answer?
Related
I created an SSO application in the azure portal. As a global administrator I signed to my application with sso and I'm able to fetch the access token and graph details.
In our organization we need to allow few users to use this application. So I added their emails to the 'Users and Groups' in Azure portal. So When the users signed in,they allowed the consent permissions and then the below window appears. May I know the reason?
Is this normal or any kind of bug from side?
Is this window appear everytime once the user got approval ?
Please help me to solve this as I am going through a tough time.
It is not a bug and it is Admin Consent. You as a global
Administrator need to approve the concern from azure AD.
This window will appear only once and it will not appear once user log-in after consent next time.
Please go through Ms Document which has information of configuring Admin Consent.
It seems you are trying to use application permissions, since both shown permissions do not require admin consent for delegated permissions scenarios.
You can read about permission types at https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#permission-types
If you want to review the configuration of your application you can turn to Azure AD. On page https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/YOURAPPID/isMSAApp/ (replace YOURAPPID with your app id) you should see something similar to this:
If you at (1) have any of type "Application", these will require admin consent.
Regardless of whether you have any of such, you (required admin privileges) can grant application consent for the tenant using the button at (2).
I created an app in azure and authenticating using AAD ,but when users try to log in they keep getting message admin approval required But no matter how I configure the application in the Azure Portal, I'm always receiving the following message after I've logged in with a normal user but an admin can login without the app showing the error,:
My Enterprise applications | User settings
My API permissions
I need my users to just login normally like the admin, what am I doing wrong?
This question has been resolved by #juunas comment, post it as an answer to close the question.
If you are using /common or /organizations as the authority in the
app, the user will authenticate against their home tenant. It might be
what is happening here. Your tenant's settings will not apply there,
and they may be required to give admin consent.
The solution is to set the admin consent to: "Yes"
I'm hoping someone has some insight into an issue I'm having with a newly registered app within Microsoft's Azure Portal (portal.azure.com).
My issue on login when I get the following dialog
The error code and message appears in the lower right corner;
AADSTS90094: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
Configuration-wise, I believe I have this setup to not require admin consent, however there maybe something I'm missing.
My app is configured with;
Id Token, single tenant (web) application
Delegated, user consent permissions with no admin permissions
With the enterprise application, the configuration is set to;
Enabled for users to sign-in: Yes
User assignment required: Yes
Visible to users: Yes
4 users have been added with the Default Access role
Allow users to request access to this application: No (as they are assigned)
Last of all, within the azure directory itself under the Enterprise applications - User settings configuration I have set the company data user consent to Yes
When I navigate to either my application URL, or from the app within myapps.microsoft.com, both give me the above dialog requesting an admin consent.
I don't want to grant admin consent if not required, as it seems a bit like using a sledgehammer to solve the problem.
I feel like I'm either missing something big, or doing something silly - please help, and let me know if I can provide further information.
Edit 1.1:
My authentication request URL is: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<clientid>&redirect_uri=<redirecturi>&response_mode=form_post&response_type=code id_token&scope=openid email profile offline_access User.Read User.ReadBasic.All Mail.ReadWrite&state=OpenIdConnect.AuthenticationProperties=<gibberish>&nonce=<gibberish>&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0
(I'm using ASP.NET MVC combined with Microsoft's OpenId Connect authentication library)
When a user consents to an application which does not require assignment (in a tenant where user consent is allowed, and for an application requesting only permissions which do not require admin consent), two things happen:
Consent grants are recorded for the app, the user and the delegated permissions being requested.
The user is assigned to the app at a "default" app role.
The second step may seem surprising, but it serves a simple role: it ensures the user sees apps they've consented to in the Azure AD Access Panel (https://myapps.microsoft.com). (The Azure AD Access Panel will show a user all apps they are assigned to.)
It would defeat the purpose of the "user assignment is required" control if users could cause themselves to be assigned by triggering user consent. So, currently, when an application is set to require user assignment, users are simply not allowed to consent to the application.
Today, you have two options:
Ask an admin to grant tenant-wide consent for the application (e.g. Enterprise apps > Permissions > Grant admin consent, or App Registrations > API Permissions > Grant admin consent).
Configure the app to not require user assignment, and update the app's code to require the user be assigned to an app role by checking the "roles" claim.
I have an existing web app which I am trying to add Office 365 integration. I want all users to be able to log in with OAuth2, and admin users to be able to read users from the directory.
So I created an Azure AD app, and granted the "Enable sign-on and read users profiles" and "Read directory data" delegate permissions.
When an O365 admin user logs in, it works as expected. But when a O365 non-admin user logs in, they get the error "AADSTS90093: Calling principal cannot consent due to lack of permissions.".
After much trial and error (the docs are anything but clear), I figured that I need to append prompt=admin_consent to the auth url. By appending this to the auth URL, if I log in with an admin, then subsequent non-admin logins work as expected.
The problem is, that I don't know whether the user about to click the "Login with Office 365" button on my login page is an admin or not. It seems that the first person who logs into the app from the O365 domain MUST be a O365 admin, AND the auth url MUST have prompt=admin_consent. If a non-admin tries to login BEFORE an admin does, then they get the AADSTS90093 error, and there doesn't seem to be any way for my app to gracefully handle this scenario. Even worse - they can't log in at all.
What I really need here, is to have 1 login button, that will log non-admin users in but without access to the directory, and will log admin users in with access to the directory, but this doesn't seem to be possible. Google have the concept of scopes, but this seems absent from Microsofts implementation.
I see 2 potential solutions, neither of which are great:
Add a checkbox on the login page labelled "Log in as Office 365 Administrator". If this is checked, then I append the prompt=admin_consent to the auth url. The problem with this (aside from cluttering up my login page), is that it doesn't cater for non-admins trying to log in before an admin has. So most users still aren't able to log in - not great.
Create 2 Azure AD apps. One with both "Enable sign-on and read users profiles" and "Read directory data" permissions, and the other with just the "Enable sign-on and read users profiles" permission. The login page is linked to the first app, which would allow both admin and non-admin users to log in at any time. Then, on a config page in my app, I have an option to "Complete integration with O365", which presents a link to authenticate with the 2nd AAD app. This way, I can guarantee all users can perform basic log in, and I can integrate with the directory and calendar when an admin clicks the 2nd button. The downside of this, is that even if the first user to log in is an o365 admin, I won't be able to access the directory until the second auth has been completed. And secondly, my app will appear twice in the customers AAD applications list.
It seems like I am trying to achieve such a trivial thing here - to be able to log all users in, but if an admin logs in then they can access the directory. So how do you achieve this with AAD apps?
Your solution #1 is the one we recommend in our samples, take for example https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet and the sign up controllers. As of today consent in Azure AD is an "all-or-nothing" package deal, hence apps that require admin consent must be first approved by an administrator. We are working on making the consent dynamic, thanks to which you'll be able to sign in non-admin users without directory querying powers and defer that ability until an admin grants consent - but that's still quite some time out hence for the time being #1 is the supported approach.
if your app requests permissions that requires tenant admin consent, then only a tenant admin can actually grant those permissions, and thus you will see errors like the one you are having.
You can resolve your issues by reducing the permissions requested by your application to only those which a normal user can consent to.
Also make sure you are not passing the query parameter "&prompt=admin_consent" as this can only be done by an admin.
https://www.gittprogram.com/question/3306112_aadsts90093-calling-principal-cannot-consent-due-to-lack-of-permissions.html
I have currently set up a AAD instance and I am authenticating my users against it via my web app, and it’s working great.
When I added and configured the application on AAD, I added the required Application and Delegated Permissions to access the Office365 Calendar API. However, the only thing that is missing is that during the login flow users aren’t being prompted to grant consent for the permissions, as it should happen from what I’ve read in your docs: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Consent
I’m not sure what I’m missing. Apparently, from the docs,
After the user has signed in, Azure AD will determine if the user
needs to be shown a consent page. This determination is based on
whether the user (or their organization’s administrator) has already
granted the application consent. If consent has not already been
granted, Azure AD will prompt the user for consent and will display
the required permissions it needs to function. The set of permissions
that is displayed in the consent dialog are the same as what was
selected in the Permissions to other applications control in the Azure
Management Portal.
So maybe somehow I have already probably implicitly granted admin consent for those permissions, but I don’t know how that happened.
I've attached the permissions I configured on the AAD App.
Any help would be appreciated.
If an admin creates an application in their tenant using the AUX portal (manage.windowsazure.com), and requests permissions to other applications, then users in that same tenant are pre-consented for that application. Note this behavior is NOT true for our other App Registration Portals (portal.azure.com or identity.microsoft.com)
I believe this is why you are not seeing the consent dialogue when user's in your tenant are signing into your application. If you would like to push the consent dialogue experience, there are a few different things you can do:
You can use query strings to prompt "consent" or "admin_consent" during login. Check here: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
You can delete the service principal for your application from your tenant using AAD PowerShell. You can learn how to do that here: https://msdn.microsoft.com/en-us/library/azure/dn194113.aspx
You can have a user from another tenant try to login to your multi-tenant application.
You can create your application under a non-admin account.
I hope this helps!
Shawn Tabrizi
Try this:
What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification
Changing the resource parameter to https://graph.windows.net did the trick for me.
Furthermore, Microsoft support suggests disabling all permissions except "Enable sign-on and read users' profiles", apparently to avoid permission related problems. I understand that this is not a solution in your case, but at least it gives you a test case.