Azure app incorrectly requesting admin consent? - azure

I'm hoping someone has some insight into an issue I'm having with a newly registered app within Microsoft's Azure Portal (portal.azure.com).
My issue occurs on login, when I get the following dialog.
The error code and message appear in the lower right corner:
AADSTS90094: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
Configuration-wise, I believe I have this set up to not require admin consent; however, there may be something I'm missing.
My app is configured with;
Id Token, single tenant (web) application
Delegated, user consent permissions with no admin permissions
With the enterprise application, the configuration is set to;
Enabled for users to sign-in: Yes
User assignment required: Yes
Visible to users: Yes
4 users have been added with the Default Access role
Allow users to request access to this application: No (as they are assigned)
Last of all, within the Azure directory itself, under the Enterprise applications - User settings configuration, I have set the company data user consent to Yes.
When I navigate to either my application URL, or from the app within myapps.microsoft.com, both give me the above dialog requesting an admin consent.
I don't want to grant admin consent if not required, as it seems a bit like using a sledgehammer to solve the problem.
I feel like I'm either missing something big, or doing something silly - please help, and let me know if I can provide further information.
Edit 1.1:
My authentication request URL is: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<clientid>&redirect_uri=<redirecturi>&response_mode=form_post&response_type=code id_token&scope=openid email profile offline_access User.Read User.ReadBasic.All Mail.ReadWrite&state=OpenIdConnect.AuthenticationProperties=<gibberish>&nonce=<gibberish>&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0
(I'm using ASP.NET MVC combined with Microsoft's OpenId Connect authentication library)

When a user consents to an application which does not require assignment (in a tenant where user consent is allowed, and for an application requesting only permissions which do not require admin consent), two things happen:
Consent grants are recorded for the app, the user and the delegated permissions being requested.
The user is assigned to the app at a "default" app role.
The second step may seem surprising, but it serves a simple role: it ensures the user sees apps they've consented to in the Azure AD Access Panel (https://myapps.microsoft.com). (The Azure AD Access Panel will show a user all apps they are assigned to.)
It would defeat the purpose of the "user assignment is required" control if users could cause themselves to be assigned by triggering user consent. So, currently, when an application is set to require user assignment, users are simply not allowed to consent to the application.
Today, you have two options:
Ask an admin to grant tenant-wide consent for the application (e.g. Enterprise apps > Permissions > Grant admin consent, or App Registrations > API Permissions > Grant admin consent).
Configure the app to not require user assignment, and update the app's code to require the user be assigned to an app role by checking the "roles" claim.
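One way to implement the second option, as an added example that is not part of the original answer: once "User assignment required" is switched off, the application itself rejects sign-ins whose ID token carries no accepted `roles` value. The tenant and client IDs are placeholders, the role name `App.User` is hypothetical, and the claims are assumed to have been signature-validated by the OpenID Connect middleware already.

```python
from dataclasses import dataclass

# Placeholders: substitute the app registration's own identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "00000000-0000-0000-0000-000000000002"
ALLOWED_ROLES = frozenset({"App.User"})  # hypothetical app role value


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _as_set(value):
    """Normalize a claim that may be absent, a single string, or a list."""
    if isinstance(value, str):
        return {value}
    if isinstance(value, (list, tuple)):
        return {v for v in value if isinstance(v, str)}
    return set()  # missing or malformed claim counts as "no roles"


def authorize_sign_in(claims, tenant_id=TENANT_ID, client_id=CLIENT_ID,
                      allowed_roles=ALLOWED_ROLES):
    """Decide whether an already-validated ID token may start a session.

    `claims` is the decoded token payload handed over by the OpenID Connect
    middleware; signature, issuer and expiry are NOT checked here.
    """
    if claims.get("tid") != tenant_id:
        return Decision(False, "token issued for a different tenant")
    if claims.get("aud") != client_id:
        return Decision(False, "token audience is not this application")
    roles = _as_set(claims.get("roles"))
    if not roles:
        # The directory no longer blocks unassigned users, so fail closed.
        return Decision(False, "user has no app role assignment")
    accepted = roles & allowed_roles
    if not accepted:
        return Decision(False, "user holds no role this app accepts")
    return Decision(True, "assigned role: " + ", ".join(sorted(accepted)))


# Constructed sample payloads (not real tokens).
ASSIGNED = {"tid": TENANT_ID, "aud": CLIENT_ID, "oid": "user-1",
            "roles": ["App.User"]}
UNASSIGNED = {"tid": TENANT_ID, "aud": CLIENT_ID, "oid": "user-2"}

if __name__ == "__main__":
    for sample in (ASSIGNED, UNASSIGNED):
        print(sample["oid"], authorize_sign_in(sample))
```

Call the check where the middleware hands over the validated token and refuse to issue the session cookie when `allowed` is false.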

Related

Why is admin consent required for my app registration setup?

I'm really hoping someone can explain why admin consent is required in our situation and, if possible, how we can avoid it. The following is a simplified version of our normal application in which I was able to reproduce the issue.
I control two tenants: T1, used for development and where all app registrations/resources live. And tenant T2, where I have control over all user settings and which we use for testing multi-tenancy.
In T1 I've registered two app registrations named 'app-frontend' and 'app-api'.
Both have a required permission on User.Read on Graph. In addition app-api exposes an (admin and users) scope that is set as a required permission for app-frontend. App-frontend is also registered as known client application on app-api.
Now the behavior we would expect is that when a first time user requests a token for app-frontend, they are requested for consent and given a token after accepting. For any non-admin account this results in a 'Need admin approval' error though when testing with users from T2. When the required permission from app-frontend to app-api is removed, consent works fine for non-admin users.
I've gone through a number of answers on here to try and figure out why admin consent seems to be required here, but none of the suggested answers/reasons seem to apply in our case. To summarize:
The setting 'Users can register applications' is on in T2.
The setting 'Users can consent to apps accessing company data on their behalf' is on in T2.
User assignment is not required (for either app registration).
No other permissions are required by either app registration (so no application permissions are involved).
The problem appears for requests to both the v1 and v2 endpoints.
Most of these I would expect to also cause admin consent to be required when the only permission on app-frontend is User.Read, but the problem only appears when the required permission to the scope from app-api is present.
If any other info is required I would be happy to provide it, I've been stuck on figuring this out for quite a bit now.
Update:
Screenshots of the app permissions set on both registrations.
Front end app registration: Front end app registration
Api app registration: Api app registration
I didn't reproduce your issue on my side, see my steps as below.
1. Create tonyFronEnd application and tonyBackend application in tenant A; both of them are multi-tenant applications. Also, tonyFronEnd application has access to tonyBackend application. And File.Read doesn't need admin consent.
2. Use a user from tenantB to log in to the tonyFronEnd application.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=90ffbdb4-5b89-4bbc-9f90-d42b2419294c
&response_type=code
&redirect_uri=https://localhost:8080
&response_mode=query
&scope=openid api://08b3e812-2141-47af-a00a-75de13d3916d/Files.Read
&state=12345
Admin consent is not required.
Update: (user consent)
I've found a solution for the problem in our case:
The cause of the admin consent in our situation turned out to be the fact that the publisher of the app registration was showing as unverified. It was linked to the domain of our Azure tenant (*.onmicrosoft.com), which is not valid as publisher domain.
Surprisingly, this appears to have influenced whether admin consent is required or not in this scenario. After changing and validating the app registration to another domain, the requirement for admin consent instantly disappeared.
Also of note: This does not seem to apply to older app registrations. We have several app registrations from the end of 2018, which used the same domain (*.onmicrosoft.com). These app registrations do not appear as unverified in the consent screen however and also do not require admin consent. I suspect app registrations from before a certain change have been grandfathered in to not require consent.
This is delegated consent, not admin consent. Please understand the various types of permissions at Delegated permissions, Application permissions, and effective permissions.

Is Azure's User.Read permission required for OAuth consent forms?

My multi-tenant Azure application requires only the app-level EWS legacy permission full_access_as_app to run. This app-level permission can only be consented to by an administrator---it's extremely powerful because it gives the app read and write permissions over every EWS mailbox in a tenancy.
If I, as an admin for my Azure tenancy, grant my application only this single permission behind the scenes in AAD configuration, everything works fine when I run the application for my tenancy.
However when you create a new app in Azure, Azure always assumes you will want the user-level Graph API User.Read permission automatically. When you try to remove the permission you get this ominous warning:
And in the case when I leave it out, interactive OAuth consent forms don't work. The error message looks like this.
The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant.
In other words, it appears that the application won't be able to run for anyone else's tenancy because their admins can't consent to it.
My hypothesis is that this is because Azure is using the User.Read permission to check whether the person signing in through the OAuth form is an administrator. In other words this permission is needed just this one time, before the application is ever run for the admin's tenancy.
Looking at the actual OAuth consent form, this does appear to be the case. The app wants to sign in and read my profile, to check if I am admin... or so it seems to me.
Am I right about this? Documentation I have been able to find is rather scanty.

Why admin grant is required if my app is only requesting User.Read permission?

As you can see, my newly registered app registration is an app that only requires users to log in.
Anything beyond the minimal requirements to work. I didn't configure it to request any special sort of permission.
When I try to log in, this message appears:
"Application needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it"
Why? The permissions the app is requesting are just basic ones. I don't understand why admin consent is required.
Many thanks
There are two possible reasons why users can't consent to User.Read:
User consent is disabled or restricted. Each customer can choose to disable or limit user consent to applications. In a tenant where user consent is disabled, for example, users can't consent to any permission.
Azure AD > Enterprise apps > User settings > Users can consent to apps...
The app requires assignment. When an application is configured to require assignment for users to be able to sign in, users are not allowed to consent to that application.
Azure AD > Enterprise apps > (select app) > Properties > User assignment required?
The most probable reasons for an admin consent issue:
App-only permissions always require a tenant administrator’s consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn’t able to consent.
Certain delegated permissions also require a tenant administrator’s consent. For example, the ability to write back to Azure AD as the signed in user requires a tenant administrator’s consent.
Possible solutions:
The prompt=admin_consent parameter (which requests permissions from an admin) can be used as a parameter in the OAuth2/OpenID Connect authorization request to grant the admin consent.
Enable the admin consent workflow, which gives end users a way to request access to applications that require admin consent.
Refer to the permissions documentation for the Microsoft Graph API, which indicates which permissions require admin consent.
Please refer to the admin consent endpoint for more details.

Is Admin consent always required in an Azure AD Multi tenant environment?

The environment is configured in a Multi-tenant way. 'AppName' is an App Registration within a common AD which was solely created to give access to users from different tenants to a single environment. For the sake of my description, call the multi-tenants AD1, AD2 and AD3.
This message is displayed when a user from one of these ADs (with no Admin privileges) logs in the first time.
AppName needs permission to access resources in your organization that only an admin can grant
Additionally in the application exception logging I can see the below error
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: "OpenIdConnectMessage.Error was not null, indicating an error. Error: 'access_denied'. Error_Description (may be empty): 'AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant.
The premise is that for a user from AD1 to successfully access the environment, an Admin user from AD1 has to first login and grant admin access.
The "common AD" app registration is configured as following.
The Supported account types option in the App Registration is set as
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
The only API Permission is as shown in the image below. The status "Granted for ...." only refers to the "common AD" where the tenant ID resides - it does not grant Admin consent to any AD.
The technology being used in the code is ADAL.Net with OpenIDConnect. We are using the: https://login.microsoftonline.com/common (V1.0) endpoint.
In the snippet shown below, found within this URL for the only API permission being set in our case, 'Admin Consent Required' is set as 'No'.
And that is what put me off. Why is the message/error popping up? Is the Admin consent always required because this is a multi tenant scenario? Does this Admin consent, sort of, create the trust between the common AD and the multi-tenant ADs?
Yes. In case of multi-tenancy, admins are required to on-board their tenant. Only after the on-boarding process, users can sign-in. Also, the admin consent which is being shown in the screenshot is not related or dependent on type of tenancy, it is permission specific. App permissions and some delegated permissions require admin consent.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md

Azure Active Directory Login: Web App Permissions, User Consent not triggered

I have currently set up an AAD instance and I am authenticating my users against it via my web app, and it’s working great.
When I added and configured the application on AAD, I added the required Application and Delegated Permissions to access the Office365 Calendar API. However, the only thing that is missing is that during the login flow users aren’t being prompted to grant consent for the permissions, as it should happen from what I’ve read in your docs: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Consent
I’m not sure what I’m missing. Apparently, from the docs,
After the user has signed in, Azure AD will determine if the user
needs to be shown a consent page. This determination is based on
whether the user (or their organization’s administrator) has already
granted the application consent. If consent has not already been
granted, Azure AD will prompt the user for consent and will display
the required permissions it needs to function. The set of permissions
that is displayed in the consent dialog are the same as what was
selected in the Permissions to other applications control in the Azure
Management Portal.
So maybe somehow I have already probably implicitly granted admin consent for those permissions, but I don’t know how that happened.
I've attached the permissions I configured on the AAD App.
Any help would be appreciated.
If an admin creates an application in their tenant using the AUX portal (manage.windowsazure.com), and requests permissions to other applications, then users in that same tenant are pre-consented for that application. Note this behavior is NOT true for our other App Registration Portals (portal.azure.com or identity.microsoft.com).
I believe this is why you are not seeing the consent dialogue when users in your tenant are signing into your application. If you would like to push the consent dialogue experience, there are a few different things you can do:
You can use query strings to prompt "consent" or "admin_consent" during login. Check here: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
You can delete the service principal for your application from your tenant using AAD PowerShell. You can learn how to do that here: https://msdn.microsoft.com/en-us/library/azure/dn194113.aspx
You can have a user from another tenant try to login to your multi-tenant application.
You can create your application under a non-admin account.
I hope this helps!
Shawn Tabrizi
Try this:
What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification
Changing the resource parameter to https://graph.windows.net did the trick for me.
Furthermore, Microsoft support suggests disabling all permissions except "Enable sign-on and read users' profiles", apparently to avoid permission related problems. I understand that this is not a solution in your case, but at least it gives you a test case.
