I have a question regarding a multi-tenant App Registration in Azure AD. The first time a user logs in through the app it will ask him to grant his consent to access some of his data if necessary or ask an administrator to grant a tenant level consent. This is just fine.
But what if a change is made to the App Registration (Logout URL modified for example)? Is it possible that the users that never used the app registration already will need to grant their consent or that a tenant administrator might need to give his consent again?
Changing your redirect URLs or logout URL will not cause the consent to be prompted for again.
Changing the configured permissions also won't cause users who have already granted consent to have to grant consent again (but the app will only have the permissions it had been originally granted).
Users will only be prompted for consent in the following situations:
If your application dynamically requests a permission which has not been granted (e.g. scope=https://graph.microsoft.com/Mail.Read, if Mail.Read has not been granted).
If your application requests access to ".default" for a resource, and no permissions have been granted for that resource. For example, if your application requests scope=https://graph.microsoft.com/.default and no delegated permissions for Microsoft Graph have been granted, the user will be prompted for consent (for all permissions configured in the app registration). If any permission for the requested resource has been granted, the user will not be prompted for consent.
If your application forces user consent using prompt=consent. Don't do this—there is almost no situation where this is necessary. (Read a lot more on this at https://stackoverflow.com/a/60151790/325697.)
Yes. If you modify properties such as redirect URL, permissions, logout URL and so on, you have to make admins from other tenants do the admin consent again to make it effective.
Using admin consent url is the quickest way:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
I am going to consent only specific admin permissions in graph api.
But it requests all tenant permissions.
Current logic is:
1) Get delegated token by authorization.
https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?client_id={CLIENT_ID}&response_type=token&redirect_uri={LOGIN_REDIRECT_URI}&response_mode=form_post&scope=offline_access https://graph.microsoft.com/.default
2) Prompt admin consent.
https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id={CLIENT_ID}&redirect_uri=http://localhost/team-members/getAppToken&scope=https://graph.microsoft.com/calendars.readwrite
3) Get application token.
https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token?scope=https://graph.microsoft.com/calendars.readwrite
In this logic, admin consent is always asked for all permissions in 2), but I want to ask only for the permission Calendars.ReadWrite.
How do I ask for consent for a specific permission?
This is related to your permission type. If your permission is a delegated permission, you can dynamically agree to a specific delegated permission on the administrator consent page: scope=https://graph.microsoft.com/calendars.readwrite.
If your permissions are application permissions, you can only request the static /.default scope, which will require the administrator to consent to all permissions in the tenant: scope=https://graph.microsoft.com/.default.
See the document, which has detailed instructions:
At this point, Azure AD requires a tenant administrator to sign in to complete the request. The administrator is asked to approve all the permissions that you have requested in the scope parameter. If you've used a static (/.default) value, it will function like the v1.0 admin consent endpoint and request consent for all scopes found in the required permissions (both user and app). In order to request app permissions, you must use the /.default value. If you don't want admins to see a given permission in the admin consent screen all the time when you use /.default, the best practice is to not put the permission in the required permissions section. Instead you can use dynamic consent to add the permissions you want to be in the consent screen at run time, rather than using /.default.
If you log in to the Azure portal and find your application
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
and click on the API Permissions tab,
you will see all configured permissions for the Microsoft Graph API.
Ensure that there is only Calendars.ReadWrite by removing all redundant permissions.
From my frontend application, when I request an access token I pass two scopes that need to be returned with the token.
I did not grant the application this consent in the Azure Portal. Instead the user has to explicitly give consent from the popup window.
Once the user has granted consent, I get the access token with the required scopes.
But how do I revoke consent from the Azure Portal? And how can I see which user has granted consent?
You can go to Enterprise Applications -> Find your app -> Permissions tab -> User consent tab.
There you can see which permissions users have consented to, for example:
You can then click Review permissions -> This app has more permissions than I want.
This will give you a PowerShell script that you can run to remove all user consent for that app. It can of course be customized to only remove certain permissions.
Currently there is no UI feature to remove consented permissions; PowerShell/Graph API is the only way.
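The two questions above (which users consented, and how to pull a single permission back without wiping every grant) both come down to the oauth2PermissionGrants resource in Microsoft Graph. The script below is an added example, not code from any of the answers or from Microsoft. It assumes a bearer token for Graph that carries DelegatedPermissionGrant.ReadWrite.All (a "<token>" placeholder is used), assumes you know the object id of the app's service principal, and ships with constructed sample grants so the listing and planning logic can be exercised offline before anything is sent to the tenant.

```python
"""List who consented to a delegated permission and revoke it selectively.

Added example, not code from any of the posts above. It works on the
Microsoft Graph oauth2PermissionGrants resource: each grant carries clientId
(object id of the app's service principal), resourceId (the API's service
principal), consentType ("Principal" = one user's consent, "AllPrincipals" =
tenant-wide admin consent), principalId (the consenting user, or null) and
scope (a space-separated list of delegated permissions).
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample data standing in for a live response: two users
# consented individually, and an admin granted User.Read tenant-wide.
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-app", "resourceId": "sp-graph",
     "consentType": "Principal", "principalId": "user-alice",
     "scope": "User.Read Mail.Read"},
    {"id": "grant-2", "clientId": "sp-app", "resourceId": "sp-graph",
     "consentType": "Principal", "principalId": "user-bob",
     "scope": "Mail.Read"},
    {"id": "grant-3", "clientId": "sp-app", "resourceId": "sp-graph",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
]


def fetch_grants(app_sp_id, access_token):
    """Return every grant whose clientId is the app's service principal id.

    Follows @odata.nextLink paging. Only used when you run against a real
    tenant; the offline demo below uses SAMPLE_GRANTS instead.
    """
    query = urllib.parse.quote(f"clientId eq '{app_sp_id}'")
    url = f"{GRAPH}/oauth2PermissionGrants?$filter={query}"
    grants = []
    while url:
        req = urllib.request.Request(url)
        req.add_header("Authorization", f"Bearer {access_token}")
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        grants.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return grants


def consenting_users(grants):
    """Map each delegated permission to the set of users who consented to it.

    Tenant-wide (AllPrincipals) grants have no principalId and are skipped,
    since they answer "did an admin consent", not "which user consented".
    """
    users = {}
    for g in grants:
        if g["consentType"] != "Principal":
            continue
        for perm in g["scope"].split():
            users.setdefault(perm, set()).add(g["principalId"])
    return users


def plan_revocation(grants, permissions_to_remove):
    """Decide, per grant, whether to PATCH its scope or DELETE it.

    Returns a list of (method, grant_id, new_scope). A grant that still holds
    other permissions is narrowed with PATCH; one that would end up with an
    empty scope is deleted, because Graph rejects an empty scope string.
    """
    remove = set(permissions_to_remove)
    plan = []
    for g in grants:
        current = g["scope"].split()
        if not remove.intersection(current):
            continue
        remaining = [p for p in current if p not in remove]
        if remaining:
            plan.append(("PATCH", g["id"], " ".join(remaining)))
        else:
            plan.append(("DELETE", g["id"], None))
    return plan


def apply_plan(plan, access_token, dry_run=True):
    """Execute the plan against Graph; with dry_run it only prints the calls."""
    for method, grant_id, new_scope in plan:
        url = f"{GRAPH}/oauth2PermissionGrants/{grant_id}"
        if dry_run:
            print("DRY RUN:", method, url, new_scope or "")
            continue
        body = json.dumps({"scope": new_scope}).encode() if new_scope else None
        req = urllib.request.Request(url, data=body, method=method)
        req.add_header("Authorization", f"Bearer {access_token}")
        if body:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            print(method, grant_id, resp.status)


if __name__ == "__main__":
    # Offline demo on the constructed grants; swap in fetch_grants(...) and
    # set dry_run=False to act on a real tenant.
    for perm, who in consenting_users(SAMPLE_GRANTS).items():
        print(perm, "->", sorted(who))
    apply_plan(plan_revocation(SAMPLE_GRANTS, ["Mail.Read"]), "<token>")
```

Run as-is it prints, for the sample data, that Mail.Read was consented to by both users and User.Read by one, then shows a PATCH narrowing the first grant to User.Read and a DELETE of the second; the admin's tenant-wide User.Read grant is untouched because it never contained Mail.Read. The same PATCH/DELETE endpoints apply to AllPrincipals grants if you decide to pull back an admin consent.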
As you can see, my newly registered app registration is an app that only requires users to log in.
Nothing beyond the minimal requirements to work. I didn't configure it to request any special sort of permission.
When I try to log in this message appears:
"Application needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it"
Why? The permissions the app is requesting are just basic ones. I don't understand why admin consent is required.
Many thanks
There are two possible reasons why users can't consent to User.Read:
User consent is disabled or restricted. Each customer can choose to disable or limit user consent to applications. In a tenant where user consent is disabled, for example, users can't consent to any permission.
Azure AD > Enterprise apps > User settings > Users can consent to apps...
The app requires assignment. When an application is configured to require assignment for users to be able to sign in, users are not allowed to consent to that application.
Azure AD > Enterprise apps > (select app) > Properties > User assignment required?
The most likely reasons for any admin consent issue:
App-only permissions always require a tenant administrator’s consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn’t able to consent.
Certain delegated permissions also require a tenant administrator’s consent. For example, the ability to write back to Azure AD as the signed in user requires a tenant administrator’s consent.
Possible solutions:
The prompt=admin_consent parameter (which requests permissions from an admin) can be used as a parameter in the OAuth2/OpenID Connect authorization request to grant the admin consent.
Enable the admin consent workflow, which gives end users a way to request access to applications that require admin consent.
Refer to the permissions documentation for the Microsoft Graph API, which indicates which permissions require admin consent.
Please refer to the admin consent endpoint for more details.
I'm hoping someone has some insight into an issue I'm having with a newly registered app within Microsoft's Azure Portal (portal.azure.com).
My issue occurs on login, when I get the following dialog.
The error code and message appear in the lower right corner:
AADSTS90094: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
Configuration-wise, I believe I have this set up to not require admin consent; however, there may be something I'm missing.
My app is configured with:
Id Token, single tenant (web) application
Delegated, user consent permissions with no admin permissions
With the enterprise application, the configuration is set to:
Enabled for users to sign-in: Yes
User assignment required: Yes
Visible to users: Yes
4 users have been added with the Default Access role
Allow users to request access to this application: No (as they are assigned)
Last of all, within the Azure directory itself, under the Enterprise applications - User settings configuration, I have set the company data user consent to Yes.
When I navigate to either my application URL, or from the app within myapps.microsoft.com, both give me the above dialog requesting an admin consent.
I don't want to grant admin consent if not required, as it seems a bit like using a sledgehammer to solve the problem.
I feel like I'm either missing something big, or doing something silly. Please help, and let me know if I can provide further information.
Edit 1.1:
My authentication request URL is: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<clientid>&redirect_uri=<redirecturi>&response_mode=form_post&response_type=code id_token&scope=openid email profile offline_access User.Read User.ReadBasic.All Mail.ReadWrite&state=OpenIdConnect.AuthenticationProperties=<gibberish>&nonce=<gibberish>&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0
(I'm using ASP.NET MVC combined with Microsoft's OpenId Connect authentication library)
When a user consents to an application which does not require assignment (in a tenant where user consent is allowed, and for an application requesting only permissions which do not require admin consent), two things happen:
Consent grants are recorded for the app, the user and the delegated permissions being requested.
The user is assigned to the app at a "default" app role.
The second step may seem surprising, but it serves a simple role: it ensures the user sees apps they've consented to in the Azure AD Access Panel (https://myapps.microsoft.com). (The Azure AD Access Panel will show a user all apps they are assigned to.)
It would defeat the purpose of the "user assignment is required" control if users could cause themselves to be assigned by triggering user consent. So, currently, when an application is set to require user assignment, users are simply not allowed to consent to the application.
Today, you have two options:
Ask an admin to grant tenant-wide consent for the application (e.g. Enterprise apps > Permissions > Grant admin consent, or App Registrations > API Permissions > Grant admin consent).
Configure the app to not require user assignment, and update the app's code to require that the user be assigned to an app role by checking the "roles" claim.
Using Azure Active Directory in a multi-tenant environment.
Admin has given consent to the application for all users to log on.
Users have been restricted from consenting.
After admin has given consent users are still not able to log on and receive the "AADSTS90093: Does not have access to consent." error.
The way in which you did admin consent was probably erroneous, or you were not signed in to an admin account. Try one of these two ways:
Inside the Azure Portal, login to an admin account, go to the App Registration blade, select your app, and hit the Grant Permissions button.
Construct a new auth request and append on &prompt=admin_consent.
This error is caused when your app is requesting an admin-restricted scope. These are scopes that require an admin to consent on behalf of their users.