Hi I'm trying to Embed a PowerBI report in Asp.Net application using the sample application downloaded from here . I'm using UsersOwnData flow.
The same portal has created the Azure AD app registration with the permissions shown in below image. Although none of the permissions need admin consent, I'm getting an error saying admin consent is needed as shown in below image when I hit the authorize endpoint. Am I missing something?
The app was registered as a multitenant application although it was not intended. Since Nov 9th 2020 Microsoft requires admin consent to be granted for multitenant apps and end users cannot grant the consent if the publisher is not verified by entering the MPN Id.
This was the issue in my case. It was solved by granting the admin consent. The small note displayed in the Authentication blade helped me to identify the issue.
Related
I've registered a single application in Azure AD for the following reasons.
Azure AD SSO (From Any Azure AD directory)
Read users, groups, and their members
Provided following permissions and granted admin consent.
NOTE: We still depend on some of the Azure AD Graph API. So, we have added the legacy API permissions.
I can able to contact the Azure AD using REST API and get the user, groups and other information.
When I try to sign in to the application from any other directory, I'm getting the following consent screen. I can able to provide the consent and proceed to log in.
But, when I try to login into the same directory, I'm not getting the consent screen even when I logged in with the Azure AD admin. Stuck in the following screen.
When I register separate applications for SSO and REST APIs, this issue doesn't occur.
I would like to know why I'm stuck in the above screen when combining both SSO and REST API permissions.
• Please check whether the correct Azure AD roles have been assigned to your account ID, i.e., Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object through the as one of these is needed for you to access the application. Also, ensure that you have assigned your account ID the correct app role assignment for the admin consent to be allowed during the SSO signup process as below: -
You can check the app role assignments for your account ID through the Enterprise application blade and searching your application there, then opening it and selecting the users and groups blade, check the app role assignment that your account ID has to that application while also, giving ‘Azure Service Management’ api permissions for user_impersonification as below, thus ensuring that you account ID will be having correct API permissions.
Once, the above settings are configured correctly, you should be able to access the application through your admin credentials.
When an end-user is accessing their organization data by using my Azure OAuth APP, they are being asked for admin approval, the consent shows the message as "Approval Required", Can anyone will help me out on how to solve this issue so that end-user will not be asked for the admin approval?
Authorization URL we used to authenticate the end-user:- https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&state={{state}}&redirect_uri={{redirect_uri}}&client_id={{client_id}}&resource={{resource}}
[Admin Consent Image]
[1]: https://i.stack.imgur.com/BgZgJ.png
From your application's perspective, you cannot do anything to stop this prompt to appear.
Following are some of the reasons why your users are seeing this prompt:
Your application is asking for some tenant-wide permissions that only an admin can consent to.
The admin has set a policy in Azure AD which blocks users to consent to 3rd party applications like yours.
Only solution to this is to have an admin in the target Azure AD to consent to the application. They can do it by several means:
Manually by logging in into your application (like your users) and consenting to the application.
Granting admin consent to the application by logging in into Azure Portal and then visiting the application's page in Enterprise Applications section.
Visiting the admin consent URL specific for your application.
To learn more, please see this page: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent.
I have registered a sample multi-tenant app in azure portal app registration requiring certain permissions to access outlook mails. I also have a SAAS application which uses this app and requests for oauth token from users to read and send emails using outlook.
There is a tenant with a set of users who want to use my app for configuring emails in the SAAS application. But the users in the tenant do not have admin privileges to give consent to the application. Based on MS documentation, admin has to give consent to the application using the v2-permissions-and-consent
Admin has given consent to the application by using the following URL:
https://login.microsoftonline.com/{tenant ID}/v2.0/adminconsent?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxb&state=12345&redirect_uri=https://c9713e1c5859.ngrok.io/auth/outlook/callback&scope=https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send&response_type=code
Admin consented permissions:
consented permissions
Even after admin gives consent to all the permissions that the app requests and adds the users to the configured enterprise application in Azure AD, the users are shown the approval prompt when they try to login to the application.
Approval prompt shown to the users :
approval prompt
Ideally, once the app is approved in Azure AD Enterprise Applications, all the other users in the tenant should be able to use the application without any consent requirement.
The oauth URL that users use to login is
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fc9713e1c5859.ngrok.io%2Fauth%2Foutlook%2Fcallback&response_type=code&scope=offline_access+https%3A%2F%2Foutlook.office.com%2FUser.Read+https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office.com%2FSMTP.Send&state=5bfc1a7683bfa19468e7d4d67fc6893e5a00f93efe31ca51
Could anyone help me understand what I am missing here?
It should be agreed by the target tenant administrator, and then use the target tenant to log in.
In below url, you should have used wrong {tenant ID}, it should be target tenant id. Not the tenant id where your app is located.
https://login.microsoftonline.com/{tenant ID}/v2.0/adminconsent?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxb&state=12345&redirect_uri=https://c9713e1c5859.ngrok.io/auth/outlook/callback&scope=https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send&response_type=code
I have tested it, then reproduced your problem. If you need further help, please let me know.
I have followed this walkthrough to create a multi-tenant web application that can connect to Dynamics 365 CE Online. Walkthrough: Multi-tenant server-to-server authentication.
When I ran the app for the first time and tried to sign in to the Dynamics CRM, it asked me to provide a consent that I accepted. And then it returned the below error:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException HResult=0x80131500 Message=AADSTS65001: The user or administrator
has not consented to use the application with ID
'XXX' named 'MvcCrmStsWalkthrough'.
Send an interactive authorization request for this user and resource.
For subsequent tries, it didn't ask for consent. However, kept returning the aforementioned error.
What I have used for this POC
Dynamics CRM Online trial
Azure Active Directory service that was included by default with the CRM
trial and was enough to perform application registration on Azure AD
Visual Studio 2017 community edition
What I have tried so far
In Azure AD I already have granted permission using the 'Grant Permission' button on the registered app Settings > Required Permissions (Seems accepting user consent through my custom app does the same)
Setting oauth2AllowImplicitFlow to true in the Azure AD app manifest
I verified that the O365 account that I am using to log in through the app has Global Administrator directory role in the AD
Sample code
Exactly the same as mentioned in the walkthrough
I have currently set up a AAD instance and I am authenticating my users against it via my web app, and it’s working great.
When I added and configured the application on AAD, I added the required Application and Delegated Permissions to access the Office365 Calendar API. However, the only thing that is missing is that during the login flow users aren’t being prompted to grant consent for the permissions, as it should happen from what I’ve read in your docs: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Consent
I’m not sure what I’m missing. Apparently, from the docs,
After the user has signed in, Azure AD will determine if the user
needs to be shown a consent page. This determination is based on
whether the user (or their organization’s administrator) has already
granted the application consent. If consent has not already been
granted, Azure AD will prompt the user for consent and will display
the required permissions it needs to function. The set of permissions
that is displayed in the consent dialog are the same as what was
selected in the Permissions to other applications control in the Azure
Management Portal.
So maybe somehow I have already probably implicitly granted admin consent for those permissions, but I don’t know how that happened.
I've attached the permissions I configured on the AAD App.
Any help would be appreciated.
If an admin creates an application in their tenant using the AUX portal (manage.windowsazure.com), and requests permissions to other applications, then users in that same tenant are pre-consented for that application. Note this behavior is NOT true for our other App Registration Portals (portal.azure.com or identity.microsoft.com)
I believe this is why you are not seeing the consent dialogue when user's in your tenant are signing into your application. If you would like to push the consent dialogue experience, there are a few different things you can do:
You can use query strings to prompt "consent" or "admin_consent" during login. Check here: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
You can delete the service principal for your application from your tenant using AAD PowerShell. You can learn how to do that here: https://msdn.microsoft.com/en-us/library/azure/dn194113.aspx
You can have a user from another tenant try to login to your multi-tenant application.
You can create your application under a non-admin account.
I hope this helps!
Shawn Tabrizi
Try this:
What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification
Changing the resource parameter to https://graph.windows.net did the trick for me.
Furthermore, Microsoft support suggests disabling all permissions except "Enable sign-on and read users' profiles", apparently to avoid permission related problems. I understand that this is not a solution in your case, but at least it gives you a test case.