Unable to revoke user permissions for an Azure application - azure

I have an application registered in Azure which asks for user consent via oauth2 to read the user's calendar. I am trying to figure out how the user will go about revoking this permission. I believe this is done via myapps.microsoft.com. I do find my application listed here but when I click on it I get this error:
something went wrong... You cannot access this application because it has been misconfigured. Contact your IT department and include the following information: Undefined Sign-On URL for application "xxxxx"
In Azure App Registrations (legacy) there is an option for sign on URL but my application doesn't show up in search results on this screen. In Azure App registrations, the Sign On URL option seems to have been removed. Can someone guide me on how the user will remove consent in this situation?

If you add a Home Page URL under Branding in Azure App registrations, you'll at least get rid of that particular error when browsing to your app in myapps.microsoft.com. Then, if the user has consented themselves, you'll be able to Remove the app permission when logged in to myapps.microsoft.com as them. However, if the app was consented by an Admin, the user will not see the choice to remove the app permission.
Here's a link with a better description, with pictures.
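The distinction in the answer above (a grant the user made for themselves versus one an admin made for the whole tenant) is visible in the oauth2PermissionGrant objects Microsoft Graph stores for the app's service principal. The following is an added example, not code from the question or the answer: the grant records are constructed to mirror the shape of GET /v1.0/oauth2PermissionGrants, and every id in them is a placeholder. It shows which grants a user can remove on their own, what scopes remain in force afterwards, and the DELETE calls an admin would issue to revoke the rest.

```python
"""Which consent grants can a user remove themselves, and which only an admin can?

Added example, not code from the question or answer above. The records are
constructed to mirror the shape of Microsoft Graph's oauth2PermissionGrant
resource (GET /v1.0/oauth2PermissionGrants); ids are placeholders, not real data.
"""
from typing import Dict, List, Optional, Set

GRAPH = "https://graph.microsoft.com/v1.0"

Grant = Dict[str, Optional[str]]

# Constructed sample: one app (its service principal) holding two delegated grants.
SAMPLE_GRANTS: List[Grant] = [
    {
        # The user consented for themselves; this is what "Remove" on
        # myapps.microsoft.com takes away.
        "id": "grant-user-0001",             # placeholder
        "clientId": "sp-calendar-app",       # placeholder service principal id of the app
        "consentType": "Principal",
        "principalId": "user-alice",         # placeholder user object id
        "resourceId": "sp-microsoft-graph",  # placeholder service principal id of Graph
        "scope": "Calendars.Read User.Read",
    },
    {
        # An admin consented on behalf of the whole tenant: no principalId,
        # and an individual user gets no option to remove it.
        "id": "grant-admin-0002",
        "clientId": "sp-calendar-app",
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": "sp-microsoft-graph",
        "scope": "Calendars.Read",
    },
]


def grants_applying_to(grants: List[Grant], client_id: str, user_id: str) -> List[Grant]:
    """Grants on this app that take effect for the user: their own plus tenant-wide ones."""
    return [
        g for g in grants
        if g["clientId"] == client_id
        and (g["consentType"] == "AllPrincipals" or g["principalId"] == user_id)
    ]


def user_removable(grants: List[Grant], client_id: str, user_id: str) -> List[Grant]:
    """Only the user's own grants (consentType Principal) can be removed by the user."""
    return [g for g in grants_applying_to(grants, client_id, user_id)
            if g["consentType"] == "Principal"]


def effective_scopes(grants: List[Grant], client_id: str, user_id: str) -> Set[str]:
    """Union of delegated scopes the app can exercise on the user's behalf."""
    scopes: Set[str] = set()
    for g in grants_applying_to(grants, client_id, user_id):
        scopes.update((g["scope"] or "").split())
    return scopes


def revoke_requests(grants: List[Grant]) -> List[str]:
    """The Graph calls that delete the given grants (an admin can issue these for any grant)."""
    return [f"DELETE {GRAPH}/oauth2PermissionGrants/{g['id']}" for g in grants]


def after_user_removal(grants: List[Grant], client_id: str, user_id: str) -> Set[str]:
    """Scopes still in force after the user removes everything they are allowed to."""
    removable_ids = {g["id"] for g in user_removable(grants, client_id, user_id)}
    remaining = [g for g in grants if g["id"] not in removable_ids]
    return effective_scopes(remaining, client_id, user_id)


if __name__ == "__main__":
    app, user = "sp-calendar-app", "user-alice"
    print("user can remove:", revoke_requests(user_removable(SAMPLE_GRANTS, app, user)))
    print("scopes before  :", sorted(effective_scopes(SAMPLE_GRANTS, app, user)))
    print("scopes after   :", sorted(after_user_removal(SAMPLE_GRANTS, app, user)))
```

Run on the sample, the user can remove only grant-user-0001; Calendars.Read stays in force through the AllPrincipals grant, which is exactly why the Remove option does not appear for an admin-consented app and why revocation in that case has to be done by an admin (via the portal or the DELETE call above).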

Related

Need Admin Approval Azure App with Allow User Consent Enabled

I've created a web app using asp.net core and I'm trying to authenticate with Azure AD. I've created the app registration and hooked everything up. I'm able to log in fine but when anyone else tries they get the "Need admin approval" message.
My app doesn't require any API permissions and my org has Allow User Consent for Apps enabled. Any ideas on why I would still be getting this error message? I've read all the other posts I could find on this and they didn't seem to be quite the same. This is single tenant only, no api permissions needed.
Here is how I'm setting it up in the web app:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme).AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
Edit:
Crap, didn't read them all apparently. Answer in this post was my issue as well. I had Assignment required enabled, turning it off allowed users to sign in. Is there no way to have users consent and require assignment?
We can follow the workaround below:
We need the Global Administrator role to turn on the admin consent workflow.
Then navigate to Enterprise applications > User settings > Admin consent (select Yes) > Save.
For the complete setup, please refer to the links below:
MICROSOFT DOCUMENTATION: Enable the admin consent workflow
BLOG: How to grant admin consent to applications in Azure

Azure SSO- How to remove approval required screen after sign in

I want to add Azure AD auth for my custom SPA. I have registered the app in the app registration in the Azure portal.
When I call this "APP" using APIs I am able to get the login screen and MFA, but after logging in to the Azure account I get the Approval required screen. I want to get rid of this; what should I do?
To get rid of Approval required screen after signing in, user settings of your app have to be changed. Only the admin with Global Administrator role of the tenant can do that. So, make sure to have that role.
Note the client_id of your app that can be found in your Overview tab.
Create an adminconsent URL like this:
https://login.microsoftonline.com/common/adminconsent?client_id=your_client_id
Now, access this URL in the browser and it asks you to pick the Azure account.
Select the account with Global Administrator role.
Now, a consent prompt will appear where you have to accept the permissions.
Go to Azure Portal -> Azure Active Directory -> Enterprise Applications -> User Settings -> Admin Consent Requests.
Set 'Users can request admin consent to apps they are unable to consent to' to "No".
With this, when a user tries to access the application using the authorization API, they won't get the 'Approval Required' page anymore; it disables all future admin consent requests.
For more information, go through the links below.
References:
Disable approval required consent in Azure - Microsoft Q&A
Disable approval required consent in Azure - Stack Overflow

Azure AAD Need admin approval

I created an app in Azure and am authenticating using AAD, but when users try to log in they keep getting the message "admin approval required". No matter how I configure the application in the Azure Portal, I'm always receiving the following message after I've logged in with a normal user, but an admin can log in without the app showing the error:
My Enterprise applications | User settings
My API permissions
I need my users to just login normally like the admin, what am I doing wrong?
This question has been resolved by juunas' comment; posting it as an answer to close the question.
If you are using /common or /organizations as the authority in the app, the user will authenticate against their home tenant. It might be what is happening here. Your tenant's settings will not apply there, and they may be required to give admin consent.
The solution is to set the admin consent to: "Yes"

Identical Azure apps do not work in different tenants

I use Azure apps to sign users in to a web app and a desktop app. I also query for user information via Microsoft Graph's /user/ endpoint.
So we have two apps registered in Azure; one is a web app / API with permissions to sign users in and read all user profiles from Graph. The other is a native app with permissions to the first app, and permissions to sign users in.
In one tenant, this works fine. However, in the other tenant the web API has permissions to sign users in, but Graph declines access to the /users/ endpoint due to insufficient privileges. The error is: Authorization_RequestDenied, Insufficient privileges to complete the operation.
However, the exact same privileges work fine in another tenant. In the faulty tenant we get a token from Graph, but when we use the token on the user endpoint it throws the insufficient priv. error.
Signing in users via the desktop app (we use OWIN) works in one tenant, but in the faulty one it says that app tenant.onmicrosoft.com/guid does not exist in tenant.onmicrosoft.com.
The app URI is correct in the settings and the app has the same privileges in both tenants.
We tried recreating the apps since this has solved similar issues when developing things like this before. This time it doesn't seem to work, however. Now I'm at my wits' end here. Could there be some other issue blocking here?
The faulty tenant is part of a multi-tenant. However we only poll for users in one tenant as of now.
The apps have also been given consent by an admin via the azure portal. What am I missing here? How should i proceed with trying to fix this error?
Edit: I added a new directory in my tenant and it does not work in this new directory. Same error as with our client's tenant.
Working token for directory A:
eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFDNXVuYTBFVUZnVElGOEVsYXh0V2pUQkVOV21GUUgtZjRGS0VjYlIwU3Y1NndrdzhvSjhjbDIwX3JtZEJBc2h6eDhKT2VNZjFEbVFjNm1GUUdxZ2VSRFJZMTEzNXE3ZXJkTjlHTFZ6T3NycnlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiaTZsR2szRlp6eFJjVWIyQzNuRVE3c3lISmxZIiwia2lkIjoiaTZsR2szRlp6eFJjVWIyQzNuRVE3c3lISmxZIn0.….prmIaq8PzXfeovQPeIYS20xvZqpjPH-DvZNwQ3v08KOhTnfFaiCkxtw2wh1B37QQDbOveYqCWRi2CE6Uwpb6zg3-tFh1ma852HDqnJHYCKPajxeW9oIewAnCagB5FzOLQRT_EbX-lEREQVcPUHSZpRNmAWEM2MOZjDnkWun_aqohf_1op7Cy40Ol_PkRzoEgmA7pbXeI28IMPW3S4a5M_hBo_MZzRbVdxuG8YQKkVMWX0wAhpLHAYbdF1Rv5sITEpBP-KHdgJkTswLs3xvIRLyXxrXobG1aVQihr7LHFoCIU0NAcCUQLS2xkePuYGRB09k7hFQsbSNxoJSywBZWk7w
Non-working token for directory B:
eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFDNXVuYTBFVUZnVElGOEVsYXh0V2pUUS1NMnBUdmVjYTgzUXFuVmlBWWpJX0dLNHZrMTBMYVF2dGF5SGQ0WmZDVlRySm0wSmtOVDU2UlJSU0NuUlFPU0k0aVNHdXZZZ1cxelpaTE9KTkJTVHlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiaTZsR2szRlp6eFJjVWIyQzNuRVE3c3lISmxZIiwia2lkIjoiaTZsR2szRlp6eFJjVWIyQzNuRVE3c3lISmxZIn0.….l_7qgXkco5FWR7pbX5rQzAtvnrb1e6xOr5byrvkYDcyNa85KmCu5b6ArfjxTmeDR82XTmYw51n2YAbWl2q8R58dqELOguddwnKkBBCiMwKsD_UvG2oX_M9ZMy-Lc8lERduolyST7D0BZSoYCNe9f0j85AXIOgXr_yMA5MrVz7qSVFKZ1if2BR9YvvMCphW2uQCrebEJAnchyxHiCb5refnhm2sfsDBRJqd5NWwK0-a956a6dC2zg59JbW55-3wezQOfXKYzC5ybzO7l1hV41EnJ4atBW6EvR2er7WyCAFb1Y1hSB_wgZSo7pC4LnQRRm9KXq-x2aSRKiUSg265K0RQ
You need to receive Admin Consent from an administrator of the tenant. I'm assuming that because this happens when hitting /users, you've requested either User.Read.All or User.ReadWrite.All. Both of these require Admin Consent before a normal user can authenticate and provide User Consent.
I wrote an article a while back that you might find helpful here: User vs Admin Consent. The examples target the v2 Endpoint while it sounds like you're using v1. That said, the same consent models and workflow apply to both v1 and v2.
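The quickest way to confirm the answer's diagnosis is to compare the claims of the working and the failing token: an access token that Graph rejects with Authorization_RequestDenied for /users will be missing User.Read.All (or User.ReadWrite.All) from its scp claim, because that permission was never granted in that directory. The following is an added example, not code from the question or the answer. It decodes a compact JWT without verifying it (diagnostics only; a token whose signature has not been checked must never drive an authorization decision) and reports what the failing token lacks. The two tokens it runs on are constructed, unsigned samples with placeholder tenant and app ids; the real tokens quoted in the question have their payloads elided on this page, so only their header segments can be fed to decode_unverified.

```python
"""Decode Azure AD access tokens (without verifying them) to compare a working
token against a failing one. Added example, not code from the question or answer.
The two tokens below are constructed, unsigned samples with placeholder claims.
"""
import base64
import json
from typing import Any, Dict, Set


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Dict[str, Any]:
    """Return header and payload of a compact JWS. The signature is NOT checked,
    so use this only for diagnostics, never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
    }


def _scopes(payload: Dict[str, Any]) -> Set[str]:
    # Delegated permissions arrive as a space-separated string in "scp".
    return set(payload.get("scp", "").split())


def _roles(payload: Dict[str, Any]) -> Set[str]:
    # Application permissions arrive as a JSON array in "roles".
    return set(payload.get("roles", []))


def compare_tokens(working: str, failing: str) -> Dict[str, Any]:
    """Report what the failing token lacks relative to the working one, and
    whether the two were issued for the same app, tenant and audience."""
    a = decode_unverified(working)["payload"]
    b = decode_unverified(failing)["payload"]
    return {
        "same_app": a.get("appid") == b.get("appid"),
        "same_tenant": a.get("tid") == b.get("tid"),
        "same_audience": a.get("aud") == b.get("aud"),
        "missing_scopes": sorted(_scopes(a) - _scopes(b)),
        "missing_roles": sorted(_roles(a) - _roles(b)),
    }


def make_unsigned_sample(payload: Dict[str, Any]) -> str:
    """Build a constructed, unsigned token (alg "none") for exercising the decoder."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",  # no signature segment
    ])


# Constructed samples mirroring the question: same app, two directories, and the
# failing directory never received admin consent for User.Read.All.
TOKEN_A = make_unsigned_sample({
    "aud": "https://graph.microsoft.com", "tid": "tenant-a-placeholder",
    "appid": "app-id-placeholder", "scp": "User.Read User.Read.All",
})
TOKEN_B = make_unsigned_sample({
    "aud": "https://graph.microsoft.com", "tid": "tenant-b-placeholder",
    "appid": "app-id-placeholder", "scp": "User.Read",
})

if __name__ == "__main__":
    print(json.dumps(compare_tokens(TOKEN_A, TOKEN_B), indent=2))
```

If missing_scopes comes back empty but Graph still refuses the call, the gap is on the resource side (for example a role that was assigned but not yet reflected in a freshly issued token), and the next thing to check is the grant itself in the tenant rather than the client code.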

Multi Tenant Azure AD non admin login

I have an existing web app which I am trying to add Office 365 integration. I want all users to be able to log in with OAuth2, and admin users to be able to read users from the directory.
So I created an Azure AD app, and granted the "Enable sign-on and read users profiles" and "Read directory data" delegate permissions.
When an O365 admin user logs in, it works as expected. But when an O365 non-admin user logs in, they get the error "AADSTS90093: Calling principal cannot consent due to lack of permissions.".
After much trial and error (the docs are anything but clear), I figured that I need to append prompt=admin_consent to the auth URL. By appending this to the auth URL, if I log in with an admin, then subsequent non-admin logins work as expected.
The problem is that I don't know whether the user about to click the "Login with Office 365" button on my login page is an admin or not. It seems that the first person who logs into the app from the O365 domain MUST be an O365 admin, AND the auth URL MUST have prompt=admin_consent. If a non-admin tries to log in BEFORE an admin does, then they get the AADSTS90093 error, and there doesn't seem to be any way for my app to gracefully handle this scenario. Even worse, they can't log in at all.
What I really need here is to have 1 login button that will log non-admin users in but without access to the directory, and will log admin users in with access to the directory, but this doesn't seem to be possible. Google has the concept of scopes, but this seems absent from Microsoft's implementation.
I see 2 potential solutions, neither of which is great:
Add a checkbox on the login page labelled "Log in as Office 365 Administrator". If this is checked, then I append prompt=admin_consent to the auth URL. The problem with this (aside from cluttering up my login page) is that it doesn't cater for non-admins trying to log in before an admin has. So most users still aren't able to log in; not great.
Create 2 Azure AD apps. One with both "Enable sign-on and read users profiles" and "Read directory data" permissions, and the other with just the "Enable sign-on and read users profiles" permission. The login page is linked to the first app, which would allow both admin and non-admin users to log in at any time. Then, on a config page in my app, I have an option to "Complete integration with O365", which presents a link to authenticate with the 2nd AAD app. This way, I can guarantee all users can perform basic log in, and I can integrate with the directory and calendar when an admin clicks the 2nd button. The downside of this is that even if the first user to log in is an O365 admin, I won't be able to access the directory until the second auth has been completed. And secondly, my app will appear twice in the customer's AAD applications list.
It seems like I am trying to achieve such a trivial thing here - to be able to log all users in, but if an admin logs in then they can access the directory. So how do you achieve this with AAD apps?
Your solution #1 is the one we recommend in our samples, take for example https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet and the sign up controllers. As of today consent in Azure AD is an "all-or-nothing" package deal, hence apps that require admin consent must be first approved by an administrator. We are working on making the consent dynamic, thanks to which you'll be able to sign in non-admin users without directory querying powers and defer that ability until an admin grants consent - but that's still quite some time out hence for the time being #1 is the supported approach.
If your app requests permissions that require tenant admin consent, then only a tenant admin can actually grant those permissions, and thus you will see errors like the one you are having.
You can resolve your issues by reducing the permissions requested by your application to only those which a normal user can consent to.
Also make sure you are not passing the query parameter "&prompt=admin_consent" as this can only be done by an admin.
https://www.gittprogram.com/question/3306112_aadsts90093-calling-principal-cannot-consent-due-to-lack-of-permissions.html
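The two answers above leave the app with one practical job: send admins down the admin-consent path, keep prompt=admin_consent out of the ordinary sign-in URL, and turn an AADSTS90093 response into a "request admin approval" page rather than a dead end. The following is an added example, not code from the question or the answers. It builds the v1 /oauth2/authorize URL (the endpoint that prompt=admin_consent belongs to), the v2 /adminconsent URL used in an earlier answer on this page, and a small classifier for the redirect Azure AD sends back. The client id, tenant, redirect URIs and state values are placeholders; the state handling assumes the app stores the value it generated in the user's session.

```python
"""Build Azure AD sign-in and admin-consent URLs and sort the callback Azure AD
sends back, so a non-admin hitting AADSTS90093 sees a "request admin approval"
page instead of a dead end. Added example, not code from the question or answers;
client id, tenant, redirect URIs and state values are placeholders.
"""
import secrets
from typing import Dict, List
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def new_state() -> str:
    """Unguessable state value; store it in the session and check it on return."""
    return secrets.token_urlsafe(24)


def v1_authorize_url(tenant: str, client_id: str, redirect_uri: str, resource: str,
                     state: str, admin_consent: bool = False) -> str:
    """v1 endpoint sign-in URL. prompt=admin_consent is only added for the explicit
    admin path; a non-admin sent through it fails with AADSTS90093."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,
    }
    if admin_consent:
        params["prompt"] = "admin_consent"
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def v2_admin_consent_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """v2 admin consent endpoint (the /adminconsent URL from the earlier answer),
    with the redirect_uri and state it accepts so the app can detect success."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}"


def classify_callback(callback_url: str, expected_state: str) -> str:
    """Map the redirect back from Azure AD to the action the app should take."""
    query: Dict[str, List[str]] = parse_qs(urlparse(callback_url).query)
    first = {k: v[0] for k, v in query.items()}
    if first.get("state") != expected_state:
        return "reject_state_mismatch"      # not a flow this session started
    if "code" in first:
        return "exchange_code"              # normal sign-in; continue to the token exchange
    if first.get("admin_consent") == "True":
        return "admin_consent_granted"      # v2 /adminconsent completed successfully
    if "AADSTS90093" in first.get("error_description", ""):
        return "needs_admin_consent"        # non-admin signed in before any admin consented
    return "error"


if __name__ == "__main__":
    state = new_state()
    print(v1_authorize_url("common", "client-id-placeholder", "https://app.example/callback",
                           "https://graph.microsoft.com", state))
    print(v2_admin_consent_url("common", "client-id-placeholder",
                               "https://app.example/consent-done", state))
    sample_cb = ("https://app.example/callback?error=access_denied&error_description="
                 "AADSTS90093%3A+Calling+principal+cannot+consent+due+to+lack+of+permissions."
                 f"&state={state}")
    print(classify_callback(sample_cb, state))
```

The "needs_admin_consent" branch is where the login page can stop failing silently: render a page that tells the user an administrator has to approve the app and offers the admin-consent link, while "exchange_code" continues the ordinary flow for everyone whose tenant already consented.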
