Azure AD app Need admin approval error: App needs permission to access resources in your organization that only an admin can grant - azure

We have an Azure AD app used for authenticating to APIs. We use permissions like offline_access, openid, profile, User.Read etc. and have granted admin consent already. This has been working for a year without any issues. This week, we received 4-5 complaints from external users about the error:
Need admin approval
App needs permission to access resources in your organization that
only an admin can grant. Please ask an admin to grant permission to
this app before you can use it.
It is not related to a particular external user from a particular organization; other users from the same organization don't get this error.
This error occurs only for new external users, we haven't yet received any issues from existing external users.
Admin granted admin consent again after reported error but the users still get the same error message.
I went through a few other questions with the same error. But since the configuration has been working for the past year, I am a bit confused. During this period we have had a lot of external users without any issue.
What configuration should I check to resolve this? Or is there any update in Azure AD default settings?

Check if "Allow users to consent to apps accessing company data on their behalf" is set to No in Enterprise applications > User settings. If it is set to No, toggle it to Yes. This option lets users decide for themselves whether they want to grant a given app access to everyone in their organization.

From Microsoft's official documentation: If this option is set to yes, then users may consent to allow applications which are not published by Microsoft to access your organization's data, if the user also has access to the data. This also means that the users will see these apps on their Access Panels. If this option is set to no, then admins must consent to these applications before users may use them.

Check if "Allow users to request admin consent to apps they are unable to consent to" is set to No. If it is set to No, toggle it to Yes as well. If your organization decides that users indeed must have explicit approval, this option makes it easy for those users to request approval.

To enable this option, click on User settings (same as in the previous step) and then toggle Admin consent requests to "Yes". Make sure to Save your changes, which may take a few minutes to propagate.

From Microsoft documentation: If this option is set to yes, then users can request admin consent to any app that requires access to data they do not have the permission to grant. If this option is set to no, then users must contact their admin to request consent in order to use the apps they need.

Note: If this setting is done from your app's tenant, please also check the external users' tenant, as this needs to be done from their side as well: while using the app, your app will retrieve the user profile etc. from the user's tenant.

Add Priority Matrix as an Enterprise Application (org-wide)

If your AAD administrator decides that everyone in your organization should get access to Priority Matrix, they can follow these steps:

1. From the "Enterprise Applications" view, click on All Applications
2. Select + New Application to set up Priority Matrix with Azure AD authentication
3. Search "Priority Matrix" and proceed to configure the app with AD authentication

Note: If you still face the issue, please reach out to an Azure support engineer to get assisted support by clicking on Help + support and creating a technical support request, as it may need live troubleshooting.

Please note that consent phishing attacks are emerging rapidly these days. So, as an admin, we should think carefully about allowing users to consent to other applications in our Office 365. You can refer to the blog on managing user consent to apps to learn the ways to approve the applications that users have requested.
Also, please don't get upset about the existing applications that were approved by users without your knowledge. You can now review the permissions granted to apps in Office 365 and take remediation immediately if you find an unnecessary application.

Related

Why the user needs to request admin approval in Azure Single Sign On after he is added to users list?

I created an SSO application in the Azure portal. As a global administrator I signed in to my application with SSO and I'm able to fetch the access token and Graph details.
In our organization we need to allow a few users to use this application. So I added their emails to 'Users and Groups' in the Azure portal. When the users signed in, they allowed the consent permissions and then the window below appears. May I know the reason?
Is this normal or some kind of bug on your side?
Does this window appear every time, even once the user has got approval?
Please help me to solve this as I am going through a tough time.
It is not a bug; it is Admin Consent. You as a global administrator need to approve the consent from Azure AD.
This window will appear only once, and it will not appear when the user logs in the next time after consent.
Please go through the MS document which has information on configuring Admin Consent.
It seems you are trying to use application permissions, since both permissions shown do not require admin consent in delegated-permission scenarios.
You can read about permission types at https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#permission-types
If you want to review the configuration of your application you can turn to Azure AD. On the page https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/YOURAPPID/isMSAApp/ (replace YOURAPPID with your app id) you should see something similar to this:
If at (1) you have any permission of type "Application", these will require admin consent.
Regardless of whether you have any of these, you (admin privileges required) can grant consent for the whole tenant using the button at (2).
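The same Application-versus-Delegated check can be run against the app registration's manifest instead of eyeballing the portal blade. The following is an added example, not code from the answer above: it parses the manifest's requiredResourceAccess array (Manifest tab of the app registration), flags every entry of type "Role" (an application permission, always admin-consent only) and every delegated "Scope" that is known to need admin consent anyway. The resource app ID and permission GUIDs are constructed placeholders, and PERMISSION_NAMES is a hypothetical lookup you would fill from the API permissions blade; Directory.Read.All is listed as admin-only because the group-membership answer further down this page says so.

```python
"""Classify an Azure AD app registration's requested permissions by consent type.

Added example. Reads the `requiredResourceAccess` array from an app registration
manifest and reports which entries need admin consent. All GUIDs below are
constructed placeholders; real manifests carry the real permission IDs.
"""
import json

# Hypothetical GUID -> permission name table (assumption: fill from the portal).
PERMISSION_NAMES = {
    "11111111-1111-1111-1111-111111111111": "User.Read",
    "22222222-2222-2222-2222-222222222222": "Directory.Read.All",
}

# Delegated scopes that still require admin consent by default. Directory.Read.All
# is the one named elsewhere on this page; extend from the "Admin consent required"
# column in the portal.
ADMIN_ONLY_DELEGATED = {"Directory.Read.All"}

# Constructed manifest fragment: one delegated scope plus one application role.
SAMPLE_MANIFEST = json.dumps({
    "requiredResourceAccess": [
        {
            "resourceAppId": "aaaaaaaa-0000-0000-c000-000000000000",  # placeholder
            "resourceAccess": [
                {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},
                {"id": "22222222-2222-2222-2222-222222222222", "type": "Role"},
            ],
        }
    ]
})

# Constructed manifest with only a user-consentable delegated scope.
USER_READ_ONLY_MANIFEST = json.dumps({
    "requiredResourceAccess": [
        {
            "resourceAppId": "aaaaaaaa-0000-0000-c000-000000000000",
            "resourceAccess": [
                {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},
            ],
        }
    ]
})


def classify_required_access(manifest_json, names=PERMISSION_NAMES):
    """Return one record per requested permission with an admin-consent verdict."""
    manifest = json.loads(manifest_json)
    results = []
    for resource in manifest.get("requiredResourceAccess", []):
        for entry in resource.get("resourceAccess", []):
            name = names.get(entry["id"], entry["id"])
            kind = entry["type"]
            if kind == "Role":
                admin = True
                reason = "application permission: admin consent always required"
            elif kind == "Scope":
                admin = name in ADMIN_ONLY_DELEGATED
                reason = ("delegated permission flagged admin-only" if admin else
                          "delegated permission: user-consentable unless tenant policy blocks it")
            else:
                raise ValueError(f"unknown resourceAccess type {kind!r}")
            results.append({"resource": resource["resourceAppId"], "name": name,
                            "type": kind, "admin_consent_required": admin,
                            "reason": reason})
    return results


def needs_admin_consent(manifest_json):
    """True if any requested permission cannot be granted by an ordinary user."""
    return any(r["admin_consent_required"]
               for r in classify_required_access(manifest_json))


if __name__ == "__main__":
    for row in classify_required_access(SAMPLE_MANIFEST):
        print(f"{row['name']:<20} {row['type']:<6} admin={row['admin_consent_required']}  {row['reason']}")
    print("needs admin consent:", needs_admin_consent(SAMPLE_MANIFEST))
```

A "Scope" verdict of False only means the permission is user-consentable by default; a tenant that has turned user consent off (as the first answer on this page describes) will still show the "Need admin approval" page.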

How do I obtain the Azure AD groups of the currently logged on user without needing a domain admin to grant my application any rights?

More specifically: I have a small Azure AD under which I have registered my application. The application is marked as multi-tenant as I want people to be able to log in to it with their own corporate accounts. I would like to obtain the group memberships for the users that log in by leveraging delegated access rights that do not require admin consent, because I don't want the on-boarding process of new AAD tenants to require an admin over there to grant my app special permissions.
Here is what I have tried:
Getting the information directly in the tokens
By configuring the groupMembershipClaims field in my application manifest to All as documented here, I can obtain the groups in my token. This can be done without any sort of admin consent; in fact the only delegated right needed is openid, i.e. logging the user in.
This approach however limits me to obtaining the groups for users who are members of fewer than 200 groups. Otherwise I get none at all and instead get an endpoint to the Azure Graph API where I can retrieve them.
This leads us to the second approach.
Using Microsoft Graph API
Sadly both the old Azure Graph API and the new Microsoft Graph API seem to require permissions with admin consent to get the groups.
The documentation for the user: getMemberGroups call states that we should be able with a delegated User.Read permission to make this call. However this does not work, and in fact Directory.Read.All is the least permissive permission that actually works. See the documentation issue on GitHub.
Looking at the documentation's history we can see that this used to be considered a known bug rather than a documentation problem. Going back further seems to imply that at a minimum both User.Read and Group.Read.All together were required.
This leaves me kind of stuck. Ideally I would prefer to use the Graph API in all cases rather than just the over-200 case, because otherwise my tokens can get too large for some use cases despite the limit Microsoft put in. But I'm not sure what the actual intent is here with regards to needing admin consent for this sort of query.
Does anyone have any other ideas?
There is no way currently (2019-03-20) to get group membership information for the signed-in user without an Azure AD directory admin consenting to the delegated permission Directory.Read.All. (There are plans to support a lesser-privileged permission for this scenario, though it may still require admin consent by default.)
You should not build your application with the assumption that all users will be able to use your app because you're only requesting permissions that are currently user-consentable by default. Many organizations disable user consent entirely, and you can expect that in the future which users can consent to which permissions will be something that changes for each organization.
My recommendation is the following:
Before sending the user off to sign in, clarify that their organization's policy may not allow them to sign in (and suggest they reach out to their IT team if that's the case). (In the future, there will be more options for users faced with the "sorry, you're not allowed to consent" error...)
Consider starting with only requesting User.Read (and groups claim), and only "stepping up" to Directory.Read.All later in the app's experience. This will increase the probability (though does not guarantee) that the user will be able to at least sign in, and may allow you to offer them better guidance for how to ask their IT team to review your app.
There is some additional guidance at: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#using-the-admin-consent-endpoint
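The question's first approach (groupMembershipClaims in the manifest) has the overage behaviour it describes: past the group limit, Azure AD drops the groups claim and instead emits _claim_names/_claim_sources pointing at a Graph endpoint, or just a hasgroups flag in implicit-flow tokens. Here is an added example, not code from the question or the answer, showing how an app should read the token so the overage case is handled instead of silently yielding no groups. The two tokens are constructed in the script as unsigned JWTs so it runs offline; the tenant, object and client IDs and the endpoint URL are placeholders. It only decodes the payload; a real token's signature must be validated first.

```python
"""Read the groups claim from an Azure AD token and detect the overage case.

Added example. Builds two constructed, unsigned tokens (alg=none, demo only) and
classifies the groups information in each. Signature validation is deliberately
out of scope here and must be done before any claim is trusted.
"""
import base64
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsigned_jwt(payload):
    """Demo-only token builder. Never accept alg=none tokens in production."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_claims(token):
    """Decode the payload segment only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    return json.loads(_b64url_decode(parts[1]))


def extract_groups(claims):
    """Return ("inline", [ids]) when groups are in the token,
    ("overage", endpoint_or_None) when the directory wants you to query Graph,
    or ("none", None) when the token carries no group information at all."""
    if "groups" in claims:
        return "inline", list(claims["groups"])
    names = claims.get("_claim_names", {})
    if "groups" in names:
        source = claims.get("_claim_sources", {}).get(names["groups"], {})
        return "overage", source.get("endpoint")
    if claims.get("hasgroups"):
        # Implicit-flow tokens cannot carry the source map; only a flag is set.
        return "overage", None
    return "none", None


# Constructed tokens with placeholder identifiers.
INLINE_TOKEN = make_unsigned_jwt({
    "aud": "constructed-client-id", "tid": "constructed-tenant-id", "oid": "user-1",
    "groups": ["group-a", "group-b"],
})
OVERAGE_TOKEN = make_unsigned_jwt({
    "aud": "constructed-client-id", "tid": "constructed-tenant-id", "oid": "user-2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint":
        "https://graph.windows.net/constructed-tenant-id/users/user-2/getMemberObjects"}},
})

if __name__ == "__main__":
    for label, token in (("inline", INLINE_TOKEN), ("overage", OVERAGE_TOKEN)):
        print(label, "->", extract_groups(decode_claims(token)))
```

When extract_groups reports "overage", the follow-up call to the endpoint is exactly the step that, per the answer above, needs Directory.Read.All and therefore admin consent; the app should surface that as a step-up rather than treat the user as belonging to no groups.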

Configure company app on azure with consentscreen and ability for user to revoke access

This is my scenario:
As an administrator on Azure I want to add an application for my colleagues. This application will access the Microsoft Graph API to access e.g. their calendar or OneDrive files. I'm using a PHP-application for my Proof-of-Concept.
The user must be able to do three things: review what this application needs as permissions, give consent, and later be able to revoke the consent.
I have tested this by using Microsoft's Graph Explorer website. It correctly asks for consent (when logging in as a different user!). And when this user logs in to portal.office.com they can revoke the access to the Graph Explorer.
However, I cannot seem to get it working for an application I built myself. In Azure I go to "App registrations" and set up the keys etc. In the permissions I make sure that no option is selected that requires admin consent. I have selected a few in the category "Delegated permissions".
The PHP app will not run on Azure IaaS/PaaS but hosted somewhere else.
What surprised me is two things:
- in my PHP application I have to ask for a consent screen to appear. If I'm not asking for it, the app will skip it. Strange.
- in "My Account" it still says that the administrator granted access.
I've looked at the answer below, but that doesn't help either.
How to revoke access to Microsoft APP for a user in php
So, basically I'm looking for the same scenario as when I'm building an app to access e.g. Google Contacts. I've built that integration and works as expected and outlined above.
Any thoughts anyone?
OK, after conferring with Microsoft, this is what I came up with.
The problem is that some permissions/scopes require admin consent. In that case a number of things happen:
- a user is not forced to give personal consent
- a user cannot revoke consent through the portal.office.com portal (My Account --> Applications)
- if the permission requiring admin consent is removed, neither of the two situations above changes!
So, if you set up an application and you accidentally select a scope requiring admin consent, you're in trouble.
Furthermore, there is a global setting you should enable so end users will see a consent screen at all:
PS C:\Users\xxxx> Connect-MsolService -credential $msolcred
PS C:\Users\xxxx> Get-MsolCompanyInformation | fl DisplayName,UsersPermissionToUserConsentToAppEnabled
DisplayName : <your domain>
UsersPermissionToUserConsentToAppEnabled : False
Have a look at this link.
The new Azure portal gives a better list when choosing the permissions/scopes. In the second column there is an indicator for 'admin consent' that is missing in the v1-portal. So switch to the new portal and refrain from using those permissions requiring admin consent.

Multi Tenant Azure AD non admin login

I have an existing web app which I am trying to add Office 365 integration. I want all users to be able to log in with OAuth2, and admin users to be able to read users from the directory.
So I created an Azure AD app, and granted the "Enable sign-on and read users profiles" and "Read directory data" delegated permissions.
When an O365 admin user logs in, it works as expected. But when a O365 non-admin user logs in, they get the error "AADSTS90093: Calling principal cannot consent due to lack of permissions.".
After much trial and error (the docs are anything but clear), I figured that I need to append prompt=admin_consent to the auth url. By appending this to the auth URL, if I log in with an admin, then subsequent non-admin logins work as expected.
The problem is, that I don't know whether the user about to click the "Login with Office 365" button on my login page is an admin or not. It seems that the first person who logs into the app from the O365 domain MUST be a O365 admin, AND the auth url MUST have prompt=admin_consent. If a non-admin tries to login BEFORE an admin does, then they get the AADSTS90093 error, and there doesn't seem to be any way for my app to gracefully handle this scenario. Even worse - they can't log in at all.
What I really need here is to have 1 login button that will log non-admin users in without access to the directory, and will log admin users in with access to the directory, but this doesn't seem to be possible. Google have the concept of scopes, but this seems absent from Microsoft's implementation.
I see 2 potential solutions, neither of which are great:
Add a checkbox on the login page labelled "Log in as Office 365 Administrator". If this is checked, then I append the prompt=admin_consent to the auth url. The problem with this (aside from cluttering up my login page), is that it doesn't cater for non-admins trying to log in before an admin has. So most users still aren't able to log in - not great.
Create 2 Azure AD apps. One with both "Enable sign-on and read users profiles" and "Read directory data" permissions, and the other with just the "Enable sign-on and read users profiles" permission. The login page is linked to the first app, which would allow both admin and non-admin users to log in at any time. Then, on a config page in my app, I have an option to "Complete integration with O365", which presents a link to authenticate with the 2nd AAD app. This way, I can guarantee all users can perform basic log in, and I can integrate with the directory and calendar when an admin clicks the 2nd button. The downside of this is that even if the first user to log in is an O365 admin, I won't be able to access the directory until the second auth has been completed. And secondly, my app will appear twice in the customer's AAD applications list.
It seems like I am trying to achieve such a trivial thing here - to be able to log all users in, but if an admin logs in then they can access the directory. So how do you achieve this with AAD apps?
Your solution #1 is the one we recommend in our samples, take for example https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet and the sign up controllers. As of today consent in Azure AD is an "all-or-nothing" package deal, hence apps that require admin consent must be first approved by an administrator. We are working on making the consent dynamic, thanks to which you'll be able to sign in non-admin users without directory querying powers and defer that ability until an admin grants consent - but that's still quite some time out hence for the time being #1 is the supported approach.
If your app requests permissions that require tenant admin consent, then only a tenant admin can actually grant those permissions, and thus you will see errors like the one you are having.
You can resolve your issues by reducing the permissions requested by your application to only those which a normal user can consent to.
Also make sure you are not passing the query parameter "&prompt=admin_consent" as this can only be done by an admin.
https://www.gittprogram.com/question/3306112_aadsts90093-calling-principal-cannot-consent-due-to-lack-of-permissions.html
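The dynamic consent the first answer to this question anticipated is what the v2.0 endpoint provides today: scopes are requested per sign-in, so an app can sign everyone in with user-consentable scopes and send an administrator to the separate admin consent endpoint only when it needs a tenant-wide grant. The script below is an added example, not code from this thread or the group-membership answer above; it implements that step-up pattern (sign in with User.Read first, request Directory.Read.All later) and classifies the redirect that comes back, including the AADSTS90093 error quoted in this question. The client ID, redirect URI, tenant and sample redirect URLs are constructed placeholders; AADSTS65001 (consent required) is included alongside 90093 as an assumed code to match. The v1 prompt=admin_consent parameter from the question is the legacy form of the same mechanism.

```python
"""Incremental consent with the Azure AD v2.0 endpoint.

Added example. Builds the user sign-in URL, the admin consent URL, and classifies
the redirect Azure AD sends back so the app can tell "signed in", "admin granted
tenant-wide consent" and "an admin has to consent first" apart. All identifiers
are constructed placeholders.
"""
import re
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
# Scopes an ordinary user can normally consent to: enough to sign in.
BASE_SCOPES = ("openid", "profile", "offline_access", "User.Read")
# Requested later, and only through the admin consent endpoint.
STEP_UP_SCOPES = ("Directory.Read.All",)
# AADSTS codes treated as "needs consent": 90093 is quoted on this page,
# 65001 (consent required) is an assumed addition.
CONSENT_ERROR_CODES = {"65001", "90093"}


def authorize_url(client_id, redirect_uri, state, tenant="organizations",
                  scopes=BASE_SCOPES, prompt=None):
    """Authorization-code sign-in URL. prompt="consent" forces the consent
    screen even when a grant already exists (the case described further down
    this page where users never see a consent dialog)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    if prompt:
        params["prompt"] = prompt
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def admin_consent_url(client_id, redirect_uri, state, tenant="organizations",
                      scopes=STEP_UP_SCOPES):
    """Tenant-wide consent URL to hand to an administrator (replaces the v1
    prompt=admin_consent trick). Non-admins get an error page here instead."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "scope": " ".join(scopes)}
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def classify_redirect(redirect_url):
    """Return ("code", code) | ("admin_consent", tenant_id)
    | ("consent_required", [aadsts codes]) | ("error", error)."""
    q = parse_qs(urlparse(redirect_url).query)
    if "code" in q:
        return "code", q["code"][0]
    if q.get("admin_consent") == ["True"]:
        return "admin_consent", q.get("tenant", [None])[0]
    description = q.get("error_description", [""])[0]
    codes = set(re.findall(r"AADSTS(\d+)", description))
    if codes & CONSENT_ERROR_CODES or q.get("error") == ["consent_required"]:
        return "consent_required", sorted(codes)
    return "error", q.get("error", [""])[0]


# Constructed redirects as Azure AD would send them to the registered redirect URI.
SAMPLE_CODE_REDIRECT = "https://app.example/auth/callback?code=abc123&state=xyz"
SAMPLE_DENIED_REDIRECT = (
    "https://app.example/auth/callback?error=access_denied&error_description="
    "AADSTS90093%3A+Calling+principal+cannot+consent+due+to+lack+of+permissions.&state=xyz")
SAMPLE_ADMIN_REDIRECT = ("https://app.example/auth/callback?admin_consent=True"
                         "&tenant=constructed-tenant-id&scope=Directory.Read.All&state=xyz")

if __name__ == "__main__":
    cid, cb = "constructed-client-id", "https://app.example/auth/callback"
    print("sign-in:", authorize_url(cid, cb, "xyz"))
    print("step-up:", admin_consent_url(cid, cb, "xyz"))
    for url in (SAMPLE_CODE_REDIRECT, SAMPLE_DENIED_REDIRECT, SAMPLE_ADMIN_REDIRECT):
        print(classify_redirect(url))
```

The flow this gives the login page is the one the question asked for: one button that sends every user to authorize_url; on "consent_required" the app shows the "ask your IT team" message the group-membership answer recommends and offers admin_consent_url as the link to forward; after an "admin_consent" redirect the app records that the tenant is ready for directory queries. Validate state on every redirect before acting on it.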

Azure Active Directory Login: Web App Permissions, User Consent not triggered

I have currently set up a AAD instance and I am authenticating my users against it via my web app, and it’s working great.
When I added and configured the application on AAD, I added the required Application and Delegated Permissions to access the Office365 Calendar API. However, the only thing that is missing is that during the login flow users aren’t being prompted to grant consent for the permissions, as it should happen from what I’ve read in your docs: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Consent
I’m not sure what I’m missing. Apparently, from the docs,
After the user has signed in, Azure AD will determine if the user
needs to be shown a consent page. This determination is based on
whether the user (or their organization’s administrator) has already
granted the application consent. If consent has not already been
granted, Azure AD will prompt the user for consent and will display
the required permissions it needs to function. The set of permissions
that is displayed in the consent dialog are the same as what was
selected in the Permissions to other applications control in the Azure
Management Portal.
So maybe somehow I have already implicitly granted admin consent for those permissions, but I don't know how that happened.
I've attached the permissions I configured on the AAD App.
Any help would be appreciated.
If an admin creates an application in their tenant using the AUX portal (manage.windowsazure.com), and requests permissions to other applications, then users in that same tenant are pre-consented for that application. Note this behavior is NOT true for our other App Registration Portals (portal.azure.com or identity.microsoft.com)
I believe this is why you are not seeing the consent dialogue when users in your tenant are signing into your application. If you would like to push the consent dialogue experience, there are a few different things you can do:
You can use query strings to prompt "consent" or "admin_consent" during login. Check here: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
You can delete the service principal for your application from your tenant using AAD PowerShell. You can learn how to do that here: https://msdn.microsoft.com/en-us/library/azure/dn194113.aspx
You can have a user from another tenant try to login to your multi-tenant application.
You can create your application under a non-admin account.
I hope this helps!
Shawn Tabrizi
Try this:
What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification
Changing the resource parameter to https://graph.windows.net did the trick for me.
Furthermore, Microsoft support suggests disabling all permissions except "Enable sign-on and read users' profiles", apparently to avoid permission related problems. I understand that this is not a solution in your case, but at least it gives you a test case.
