In case of Azure app registration, add a scope, in who can consent; there are two options
"admin & user" and "admin only"
What is the difference between two? which one to choose and when?
Scopes are the permissions that a web API exposes for client applications to request access to. Client applications request the user's consent for these scopes when making authentication requests to get tokens to access the web APIs.
Admin Only consent
This consent can only be given by Global Administrator.
Only admin has the permissions to alter the other objects.
When you select admin-only consent, it means that only admins can grant the consent for users. Till then, users have to wait for admin's approval.
When admin consent is selected, your users will get a message like this:
To grant that consent, admins will get a screen like this:
Admin & user consent
When you select admin & user consent, it means that this scope is meant not only for administrators but also for users.
This means there is no need for administrators to grant the consent, the users can consent themselves.
When to use and what to use:
Select Admins only for higher-privileged permissions to make your application more secure.
Select Admins & users if you don't want your users to wait for admin approval.
Reference:
Configuring Scopes in Azure Active Directory (Part 1) - DEV Community
Understanding Azure AD application consent
Related
Does anyone knows how to fix this, on my case no problem with login however, there are users who can't log in need admin permissions we are in the same tenant.
this is the screenshot of login needs admin approval
You can access the Xamarin app without admin consent because you have the admin consent enabled for you or you may be the administrator for that application/tenant. Thus, for the other users in your tenant to allow access to the Xamarin application, please follow the steps below: -
Go to your Azure AD --> Enterprise Applications --> User settings --> Admin consent requests --> Users can request admin consent to apps they are unable to consent to --> Yes
Then under the section ‘Who can review admin consent requests’, select the users and groups who can review the admin consent for the application (you can select the users themselves if you want them to access without actual/designated admin consent) and set the number of days for which the consent would remain valid and then it expires. Thus, this will ensure that users in your tenant will not receive the admin consent prompt while accessing the application.
Also, ensure that the option ‘Allow user consent for apps’ in User consent settings in Consent and permissions section in Enterprise Applications is selected for admin consent to permanently remove for all applications in your tenant. Please find the below screenshots for your reference: -
I have a question regarding a multi-tenant App Registration in Azure AD. The first time a user logs in through the app it will ask him to grant his consent to access some of his data if necessary or ask an administrator to grant a tenant level consent. This is just fine.
But what if a change is made to the App Registration (Logout URL modified for example)? Is it possible that the users that never used the app registration already will need to grant their consent or that a tenant administrator might need to give his consent again?
Changing your redirect URLs or logout URL will not cause the consent to be prompted for again.
Changing the configured permissions also won't cause users who have already granted consent to have to grant consent again (but the app will only have the permissions it had been originally granted).
Users will only be prompted for consent in the following situations:
If your application dynamically requests a permissions which has not been granted (e.g. scope=https://graph.microsoft.com/Mail.Read, if Mail.Read has not been granted.
If your application requests access to ".default" for a resource, and no permissions have been granted for that resource. For example, if you application requests scope=https://graph.microsoft.com/.default and no delegated permissions for Microsoft Graph have been granted, the user will be prompted for consent (for all permissions configured in the app registration). If any permission for the requested resource have been granted, the user will not be prompted for consent.
If your application forces user consent using prompt=consent. Don't do this—there is almost no situation where this is necessary. (Read a lot more on this at https://stackoverflow.com/a/60151790/325697.)
Yes. If you modify properties such as redirect url, permissions, logout url and so on, you have to make admins from other tenant do the admin consent again to make it effective.
Using admin consent url is the quickest way:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
As you see my new registered app registration it's an app that only requires users to login.
Anything beyond the minimal requirements to work. I don't configured it to request any special sort of permission
When i Try lo login this message appears
"Application needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it"
Why? The permissions the app is requesting are just basic ones . I don't understand why an admin consent is required.
Many thanks
There are two possible reasons why users can't consent to User.Read:
User consent is disabled or restricted. Each customer can choose to disable or limit user consent to applications. In a tenant where user consent is disabled, for example, users can't consent to any permission.
Azure AD > Enterprise apps > User settings > Users can consent to apps...
The app requires assignment. When an application is configured to require assignment for users to be able to sign in, users are not allowed to consent to that application.
Azure AD > Enterprise apps > (select app) > Properties > User assignment required?
Most possible reasons for any administrator consented issue,
App-only permissions always require a tenant administrator’s consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn’t able to consent.
Certain delegated permissions also require a tenant administrator’s consent. For example, the ability to write back to Azure AD as the signed in user requires a tenant administrator’s consent.
Possible Solutions,
The prompt=admin_consent parameter(which request permissions from admin) can be used as a parameter in the OAuth2/OpenID Connect authorization request to grant the admin consent .
Enable the admin consent workflow , which gives end users a way to request access to applications that require admin consent.
Refer the permissions documentation for the Microsoft Graph API indicate which permissions require admin consent.
Please refer admin consent endpoint for more details.
I'm hoping someone has some insight into an issue I'm having with a newly registered app within Microsoft's Azure Portal (portal.azure.com).
My issue on login when I get the following dialog
The error code and message appears in the lower right corner;
AADSTS90094: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
Configuration-wise, I believe I have this setup to not require admin consent, however there maybe something I'm missing.
My app is configured with;
Id Token, single tenant (web) application
Delegated, user consent permissions with no admin permissions
With the enterprise application, the configuration is set to;
Enabled for users to sign-in: Yes
User assignment required: Yes
Visible to users: Yes
4 users have been added with the Default Access role
Allow users to request access to this application: No (as they are assigned)
Last of all, within the azure directory itself under the Enterprise applications - User settings configuration I have set the company data user consent to Yes
When I navigate to either my application URL, or from the app within myapps.microsoft.com, both give me the above dialog requesting an admin consent.
I don't want to grant admin consent if not required, as it seems a bit like using a sledgehammer to solve the problem.
I feel like I'm either missing something big, or doing something silly - please help, and let me know if I can provide further information.
Edit 1.1:
My authentication request URL is: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<clientid>&redirect_uri=<redirecturi>&response_mode=form_post&response_type=code id_token&scope=openid email profile offline_access User.Read User.ReadBasic.All Mail.ReadWrite&state=OpenIdConnect.AuthenticationProperties=<gibberish>&nonce=<gibberish>&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0
(I'm using ASP.NET MVC combined with Microsoft's OpenId Connect authentication library)
When a user consents to an application which does not require assignment (in a tenant where user consent is allowed, and for an application requesting only permissions which do not require admin consent), two things happen:
Consent grants are recorded for the app, the user and the delegated permissions being requested.
The user is assigned to the app at a "default" app role.
The second step may seem surprising, but it serves a simple role: it ensures the user sees apps they've consented to in the Azure AD Access Panel (https://myapps.microsoft.com). (The Azure AD Access Panel will show a user all apps they are assigned to.)
It would defeat the purpose of the "user assignment is required" control if users could cause themselves to be assigned by triggering user consent. So, currently, when an application is set to require user assignment, users are simply not allowed to consent to the application.
Today, you have two options:
Ask an admin to grant tenant-wide consent for the application (e.g. Enterprise apps > Permissions > Grant admin consent, or App Registrations > API Permissions > Grant admin consent).
Configure the app to not require user assignment, and update the app's code to require the user be assigned to an app role by checking the "roles" claim.
Using Azure Active Directory in a multi-tenant environment.
Admin has given consent to the application for all users to log on.
Users have been restricted from consenting.
After admin has given consent users are still not able to log on and receive the "AADSTS90093: Does not have access to consent." error.
The way in which you did admin consent was probably erroneous or you were not signed into an admin account. Try out one of these two ways:
Inside the Azure Portal, login to an admin account, go to the App Registration blade, select your app, and hit the Grant Permissions button.
Construct a new auth request and append on &prompt=admin_consent.
This error is caused when your app is requesting an admin-restricted scope. These are scopes that require an admin to consent on behalf of their users.