Xamarin Azure AD Authentication Need Admin Permission - azure

Does anyone know how to fix this? In my case there is no problem with login; however, there are users who can't log in and need admin permissions, and we are in the same tenant.
This is the screenshot of the login that needs admin approval:

You can access the Xamarin app without admin consent because you have admin consent enabled for you, or you may be the administrator for that application/tenant. Thus, for the other users in your tenant to be allowed access to the Xamarin application, please follow the steps below:
Go to your Azure AD --> Enterprise Applications --> User settings --> Admin consent requests --> Users can request admin consent to apps they are unable to consent to --> Yes
Then, under the section 'Who can review admin consent requests', select the users and groups who can review the admin consent for the application (you can select the users themselves if you want them to access it without actual/designated admin consent) and set the number of days for which the consent remains valid before it expires. This will ensure that users in your tenant will not receive the admin consent prompt while accessing the application.
Also, ensure that the option 'Allow user consent for apps' under User consent settings, in the Consent and permissions section of Enterprise Applications, is selected so that admin consent is permanently removed for all applications in your tenant. Please find the screenshots below for your reference:

Related

How to select proper consent in azure app registration

In the case of an Azure app registration, when adding a scope, under "Who can consent" there are two options:
"admin & user" and "admin only"
What is the difference between the two? Which one should I choose, and when?
Scopes are the permissions that a web API exposes for client applications to request access to. Client applications request the user's consent for these scopes when making authentication requests to get tokens to access the web APIs.
Admin Only consent
This consent can only be given by a Global Administrator.
Only an admin has the permissions to alter the other objects.
When you select admin-only consent, it means that only admins can grant the consent for users. Until then, users have to wait for the admin's approval.
When admin consent is selected, your users will get a message like this:
To grant that consent, admins will get a screen like this:
Admin & user consent
When you select admin & user consent, it means that this scope is meant not only for administrators but also for users.
This means there is no need for administrators to grant the consent, the users can consent themselves.
When to use and what to use:
Select Admins only for higher-privileged permissions to make your application more secure.
Select Admins & users if you don't want your users to wait for admin approval.
Reference:
Configuring Scopes in Azure Active Directory (Part 1) - DEV Community
Understanding Azure AD application consent

Azure Remove User Consent to API

From my frontend application, when I request an access token I pass two scopes that need to be returned with the token.
I did not grant the application consent for these in the Azure Portal. Instead the user has to explicitly give consent from the popup window.
Once the user has granted consent, I get the access token with the required scopes.
But how do I revoke consent from the Azure Portal? And how can I see which user has granted consent?
You can go to Enterprise Applications -> Find your app -> Permissions tab -> User consent tab.
There you can see which permissions users have consented to, for example:
You can then click Review permissions -> This app has more permissions than I want.
This will give you a PowerShell script that you can run to remove all user consent for that app. It can of course be customized to only remove certain permissions.
Currently there are no UI features to remove consented permissions; PowerShell/Graph API is the only way.
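As an added illustration of the Graph side of that answer (this is not the portal-generated script), the following works on the objects Graph returns from GET /oauth2PermissionGrants, which is the data behind the User consent tab, and plans the DELETE/PATCH calls that remove user consent while leaving tenant-wide admin consent untouched. The grants and object ids are constructed placeholders.

```python
"""Audit user consent grants for one Azure AD app and plan their removal.

Added example, not the original answer's portal-generated script. It works on
the object shape Microsoft Graph returns from GET /oauth2PermissionGrants.
The grants below are constructed and the object ids are placeholders.
"""
from collections import defaultdict

# Constructed sample of GET /oauth2PermissionGrants?$filter=clientId eq '<app sp id>'
# clientId: service principal of the client app; resourceId: service principal
# of the API (e.g. Microsoft Graph); principalId: the user who consented.
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-client", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "sp-graph",
     "scope": "openid profile User.Read Mail.ReadWrite"},
    {"id": "grant-2", "clientId": "sp-client", "consentType": "Principal",
     "principalId": "user-bob", "resourceId": "sp-graph",
     "scope": "openid profile User.Read"},
    # Tenant-wide admin consent: not a user grant, so it is never touched here.
    {"id": "grant-3", "clientId": "sp-client", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "User.Read"},
]

def user_consents(grants):
    """Map each consenting user's object id to the set of scopes they granted."""
    by_user = defaultdict(set)
    for g in grants:
        if g["consentType"] == "Principal":
            by_user[g["principalId"]].update(g["scope"].split())
    return dict(by_user)

def plan_revocation(grants, remove_scopes=None):
    """Return (method, Graph path, body) calls that remove user consent.
    remove_scopes=None deletes every per-user grant, like the portal script;
    a set of scopes strips only those, deleting a grant once nothing is left."""
    plan = []
    for g in grants:
        if g["consentType"] != "Principal":
            continue  # admin consent (AllPrincipals) is out of scope here
        path = f"/oauth2PermissionGrants/{g['id']}"
        current = g["scope"].split()
        keep = [] if remove_scopes is None else [s for s in current if s not in remove_scopes]
        if keep == current:
            continue  # none of the targeted scopes were in this grant
        if keep:
            plan.append(("PATCH", path, {"scope": " ".join(keep)}))
        else:
            plan.append(("DELETE", path, None))
    return plan
```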

Why admin grant is required if my app is only requesting User.Read permission?

As you can see in my newly registered app registration, it's an app that only requires users to log in.
Nothing beyond the minimal requirements to work; I didn't configure it to request any special sort of permission.
When I try to log in, this message appears:
"Application needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it"
Why? The permissions the app is requesting are just basic ones. I don't understand why admin consent is required.
Many thanks
There are two possible reasons why users can't consent to User.Read:
User consent is disabled or restricted. Each customer can choose to disable or limit user consent to applications. In a tenant where user consent is disabled, for example, users can't consent to any permission.
Azure AD > Enterprise apps > User settings > Users can consent to apps...
The app requires assignment. When an application is configured to require assignment for users to be able to sign in, users are not allowed to consent to that application.
Azure AD > Enterprise apps > (select app) > Properties > User assignment required?
The most likely reasons for any admin consent issue:
App-only permissions always require a tenant administrator’s consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn’t able to consent.
Certain delegated permissions also require a tenant administrator’s consent. For example, the ability to write back to Azure AD as the signed in user requires a tenant administrator’s consent.
Possible solutions:
The prompt=admin_consent parameter (which requests permissions from an admin) can be used as a parameter in the OAuth2/OpenID Connect authorization request to grant the admin consent.
Enable the admin consent workflow, which gives end users a way to request access to applications that require admin consent.
Refer to the permissions documentation for the Microsoft Graph API, which indicates which permissions require admin consent.
Please refer to the admin consent endpoint for more details.

Azure app incorrectly requesting admin consent?

I'm hoping someone has some insight into an issue I'm having with a newly registered app within Microsoft's Azure Portal (portal.azure.com).
My issue is on login, when I get the following dialog:
The error code and message appear in the lower right corner:
AADSTS90094: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
Configuration-wise, I believe I have this set up to not require admin consent; however, there may be something I'm missing.
My app is configured with:
Id Token, single tenant (web) application
Delegated, user consent permissions with no admin permissions
With the enterprise application, the configuration is set to:
Enabled for users to sign-in: Yes
User assignment required: Yes
Visible to users: Yes
4 users have been added with the Default Access role
Allow users to request access to this application: No (as they are assigned)
Last of all, within the Azure directory itself, under the Enterprise applications - User settings configuration, I have set the company data user consent to Yes.
When I navigate to either my application URL, or from the app within myapps.microsoft.com, both give me the above dialog requesting an admin consent.
I don't want to grant admin consent if not required, as it seems a bit like using a sledgehammer to solve the problem.
I feel like I'm either missing something big, or doing something silly - please help, and let me know if I can provide further information.
Edit 1.1:
My authentication request URL is: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<clientid>&redirect_uri=<redirecturi>&response_mode=form_post&response_type=code id_token&scope=openid email profile offline_access User.Read User.ReadBasic.All Mail.ReadWrite&state=OpenIdConnect.AuthenticationProperties=<gibberish>&nonce=<gibberish>&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0
(I'm using ASP.NET MVC combined with Microsoft's OpenId Connect authentication library)
When a user consents to an application which does not require assignment (in a tenant where user consent is allowed, and for an application requesting only permissions which do not require admin consent), two things happen:
Consent grants are recorded for the app, the user and the delegated permissions being requested.
The user is assigned to the app at a "default" app role.
The second step may seem surprising, but it serves a simple role: it ensures the user sees apps they've consented to in the Azure AD Access Panel (https://myapps.microsoft.com). (The Azure AD Access Panel will show a user all apps they are assigned to.)
It would defeat the purpose of the "user assignment is required" control if users could cause themselves to be assigned by triggering user consent. So, currently, when an application is set to require user assignment, users are simply not allowed to consent to the application.
Today, you have two options:
Ask an admin to grant tenant-wide consent for the application (e.g. Enterprise apps > Permissions > Grant admin consent, or App Registrations > API Permissions > Grant admin consent).
Configure the app to not require user assignment, and update the app's code to require the user be assigned to an app role by checking the "roles" claim.
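The second option above means the app, not Azure AD, enforces assignment. As an added illustration (not the asker's ASP.NET MVC code), this is the check in Python: the OpenID Connect middleware is assumed to have already validated the id_token's signature, issuer, audience and expiry, and the role names and tokens are constructed.

```python
"""Authorize a signed-in user from the 'roles' claim of an Azure AD id_token.

Added example, not the asker's ASP.NET MVC code. It assumes the OpenID Connect
middleware has already validated the token's signature, issuer, audience and
expiry; this is the assignment check that follows. The role names and the
tokens below are constructed.
"""
import base64
import json

# App roles defined on the app registration and assigned to users (constructed).
ALLOWED_ROLES = {"App.User", "App.Admin"}


def decode_claims(id_token):
    """Return the payload claims of a compact JWT (already verified upstream)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_assigned(claims, allowed=ALLOWED_ROLES):
    """True only if the user holds at least one allowed app role.

    Azure AD omits the 'roles' claim entirely when the user has no app role
    assignment, so a missing (or malformed) claim means 'not assigned'.
    """
    roles = claims.get("roles")
    if not isinstance(roles, list):
        return False
    return any(r in allowed for r in roles)


def _unsigned_jwt(claims):
    """Build an unsigned compact JWT for the constructed samples (test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


ASSIGNED_TOKEN = _unsigned_jwt({"oid": "user-alice", "roles": ["App.User"]})
UNASSIGNED_TOKEN = _unsigned_jwt({"oid": "user-bob"})  # consented, never assigned
```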

Getting error for users "AADSTS90093: Does not have access to consent." after admin has granted consent

Using Azure Active Directory in a multi-tenant environment.
Admin has given consent to the application for all users to log on.
Users have been restricted from consenting.
After admin has given consent users are still not able to log on and receive the "AADSTS90093: Does not have access to consent." error.
The way in which you did admin consent was probably erroneous, or you were not signed in to an admin account. Try one of these two ways:
Inside the Azure Portal, log in to an admin account, go to the App Registration blade, select your app, and hit the Grant Permissions button.
Construct a new auth request and append on &prompt=admin_consent.
This error is caused when your app is requesting an admin-restricted scope. These are scopes that require an admin to consent on behalf of their users.
