Microsoft Office365 APP graph api - nodejs - node.js

Trying to build a web app but finding different documentation all over the place and they all say something different. I would like to get a list of all rooms and meetings under office365 azure active directory.
I'm now reading the following https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes but I'm confused on the following two options.
Requesting individual user consent
Request the permissions from a directory admin
Do you use one or the other? Or are they meant to be used in sequence? If I only use option 2, do I need a token? How is this requested?
Cheers

In Azure AD v2.0, an app can request the permissions it needs by using the scope query parameter. After the user enters their credentials, the v2.0 endpoint checks for a matching record of user consent. If the user has not consented to any of the requested permissions in the past, the v2.0 endpoint asks the user to grant the requested permissions. That is user consent.
On the other hand, an administrator can grant consent for the application to act on behalf of any employee. If the admin grants consent for the entire tenant, the organization's employees won't see a consent page for the application. That means after admin consent, user consent is not needed during the OpenID Connect or OAuth 2.0 authorization request.
There are high-privilege permissions in the Microsoft ecosystem that can be set to admin-restricted, such as Microsoft Graph's Directory.Read. When your app requires access to admin-restricted scopes for organizations, you should request them directly from a company administrator, also by using the admin consent endpoint. In that scenario, user consent is not enough; you need to do admin consent. When an administrator grants these permissions via the admin consent endpoint, consent is granted for all users in the tenant (no user consent after admin consent).
After admin consent, you could use the OAuth 2.0 and OpenID Connect protocols to acquire a token for accessing protected resources, such as web APIs.

Related

AADSTS90008: The user or administrator has not consented to use the application with ID

I am trying to log in to an external tenant here. I have added the permissions below to my app.
But I am getting the error below, even though I have given that permission already.
AADSTS90008: The user or administrator has not consented to use the application with ID '268a9999-0000-4e61-99f5-020000f777b2'(test.app.test). This happened because application is misconfigured: it must require access to Microsoft Graph by specifying at least 'Sign in and read user profile' permission.\r\nTrace ID: bf014111-2e3f-4c11-1115e-de2fb6951800\r\nCorrelation ID: e0003455-0000-0000-ae4c-2264f23f5747\r\nTimestamp: 2021-12-10 09:24:34Z
My Azure AD version is v1.
Here are a few workarounds to solve the above issue:
If you have given all the permissions, you'll need to make sure that you've granted Microsoft Graph access to your application data (which you can do yourself, if the Azure Active Directory's settings allow that and the application only wants delegated permissions without admin consent) or to all users (which requires an administrator to grant the permissions).
If your application is on another tenant, then giving admin consent to Microsoft Graph from your tenant can be done as suggested by #amanpreetsingh-msft here.
Admin Consent via Azure Portal can only be provided for the tenant where the application is registered in the first place. Users or Administrators of other tenants cannot consent via Azure Portal and it has to be done,
Either when user/administrator accesses the multi-tenant application first time.
Or by constructing the Admin Consent URL and sharing it with the Administrators of the other tenants.
Below is an example of the Admin Consent URL:
https://login.microsoftonline.com/organizations/v2.0/adminconsent
?client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https://graph.microsoft.com/Calendars.Read https://graph.microsoft.com/Mail.Send
&redirect_uri=http://localhost/myapp/permissions
&state=12345
For more information, please refer to the links below:
MS Q&A: AADSTS65001: The user or administrator has not consented to use the application .
BLOG - Fixed – AADSTS65001: The user or administrator has not consented to use the application with ID

Azure AD - App Registration - Tenant Consent

I have a question regarding a multi-tenant App Registration in Azure AD. The first time a user logs in through the app it will ask him to grant his consent to access some of his data if necessary or ask an administrator to grant a tenant level consent. This is just fine.
But what if a change is made to the App Registration (Logout URL modified for example)? Is it possible that the users that never used the app registration already will need to grant their consent or that a tenant administrator might need to give his consent again?
Changing your redirect URLs or logout URL will not cause the consent to be prompted for again.
Changing the configured permissions also won't cause users who have already granted consent to have to grant consent again (but the app will only have the permissions it had been originally granted).
Users will only be prompted for consent in the following situations:
If your application dynamically requests a permission which has not been granted (e.g. scope=https://graph.microsoft.com/Mail.Read, if Mail.Read has not been granted).
If your application requests access to ".default" for a resource, and no permissions have been granted for that resource. For example, if your application requests scope=https://graph.microsoft.com/.default and no delegated permissions for Microsoft Graph have been granted, the user will be prompted for consent (for all permissions configured in the app registration). If any permission for the requested resource has been granted, the user will not be prompted for consent.
If your application forces user consent using prompt=consent. Don't do this—there is almost no situation where this is necessary. (Read a lot more on this at https://stackoverflow.com/a/60151790/325697.)
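The three prompting rules in the answer above, modelled as a small decision function. This is an added example and not code from the answer: it takes the scope parameter of an authorization request and the list of delegated permissions already granted, and returns why a consent prompt would appear (or null). The resource grouping needed for the ".default" rule is derived from the scope URI prefix, an assumption made for the example, and the OpenID Connect scopes (openid, profile, email, offline_access) are skipped as a simplification.

```javascript
// Added example (not from the answer): model of when the v2.0 endpoint
// prompts for consent, following the three rules listed above.

// Scopes that carry no resource prefix; skipped here as a simplification.
const OIDC_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access']);

// 'https://graph.microsoft.com/Mail.Read' -> 'https://graph.microsoft.com'
// (assumption for this example: the resource is everything before the last '/')
function resourceOf(scopeUri) {
  const i = scopeUri.lastIndexOf('/');
  return i === -1 ? scopeUri : scopeUri.slice(0, i);
}

// `requested`: scopes in the authorization request.
// `granted`:   delegated permissions already consented (full URIs).
// `prompt`:    value of the prompt parameter, if any.
// Returns a string explaining the prompt, or null when no prompt is expected.
function consentPromptReason(requested, granted, prompt) {
  if (prompt === 'consent') {
    return 'prompt=consent forces the consent screen';
  }
  const grantedSet = new Set(granted);
  for (const scope of requested) {
    if (OIDC_SCOPES.has(scope)) continue;
    if (scope.endsWith('/.default')) {
      // Rule 2: .default prompts only if nothing for that resource is granted.
      const res = resourceOf(scope);
      const anyForResource = granted.some((g) => resourceOf(g) === res);
      if (!anyForResource) return `no permissions granted yet for ${res}`;
      continue;
    }
    // Rule 1: a dynamically requested permission that was never granted.
    if (!grantedSet.has(scope)) return `${scope} has not been granted`;
  }
  return null;
}

// Usage with constructed inputs.
const alreadyGranted = ['https://graph.microsoft.com/User.Read'];
console.log(consentPromptReason(['openid', 'https://graph.microsoft.com/.default'], alreadyGranted));
console.log(consentPromptReason(['https://graph.microsoft.com/Mail.Read'], alreadyGranted));
```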
Yes. If you modify properties such as redirect URL, permissions, logout URL and so on, you have to make admins from other tenants do the admin consent again to make it effective.
Using the admin consent URL is the quickest way:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

Azure AD user login to an app fails even after admin consent is given for the multitenant app

I have registered a sample multi-tenant app in the Azure portal app registration requiring certain permissions to access Outlook mails. I also have a SaaS application which uses this app and requests an OAuth token from users to read and send emails using Outlook.
There is a tenant with a set of users who want to use my app for configuring emails in the SaaS application. But the users in the tenant do not have admin privileges to give consent to the application. Based on MS documentation, an admin has to give consent to the application using the v2-permissions-and-consent
Admin has given consent to the application by using the following URL:
https://login.microsoftonline.com/{tenant ID}/v2.0/adminconsent?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxb&state=12345&redirect_uri=https://c9713e1c5859.ngrok.io/auth/outlook/callback&scope=https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send&response_type=code
Admin consented permissions:
consented permissions
Even after admin gives consent to all the permissions that the app requests and adds the users to the configured enterprise application in Azure AD, the users are shown the approval prompt when they try to login to the application.
Approval prompt shown to the users :
approval prompt
Ideally, once the app is approved in Azure AD Enterprise Applications, all the other users in the tenant should be able to use the application without any consent requirement.
The oauth URL that users use to login is
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fc9713e1c5859.ngrok.io%2Fauth%2Foutlook%2Fcallback&response_type=code&scope=offline_access+https%3A%2F%2Foutlook.office.com%2FUser.Read+https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office.com%2FSMTP.Send&state=5bfc1a7683bfa19468e7d4d67fc6893e5a00f93efe31ca51
Could anyone help me understand what I am missing here?
It should be agreed to by the target tenant administrator, and then the target tenant should be used to log in.
In the URL below, you have probably used the wrong {tenant ID}; it should be the target tenant ID, not the tenant ID where your app is located.
https://login.microsoftonline.com/{tenant ID}/v2.0/adminconsent?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxb&state=12345&redirect_uri=https://c9713e1c5859.ngrok.io/auth/outlook/callback&scope=https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send&response_type=code
I have tested it, then reproduced your problem. If you need further help, please let me know.
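The answer above comes down to which tenant the consent was granted in versus which tenant the user actually signs in from (the login URL in the question uses the common endpoint, so the user's home tenant decides). One way to diagnose that from the app side, as an added example that is not code from the question or the answer, is to read the tid (tenant id) claim from the ID token returned at the callback and compare it with the tenant id used in the admin consent URL. The decoding below deliberately skips signature verification: it is for inspecting which tenant a token came from, not for authenticating the user, which the app's OIDC library must still do. The token and tenant ids in the usage call are constructed for the example.

```javascript
// Added example (not from the posts): compare the tid claim of an ID token
// with the tenant where admin consent was granted. Signature is NOT verified
// here; this is a diagnostic helper, not an authentication step.

// base64url -> utf8 string
function base64UrlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Return the payload claims of a JWT without verifying it.
function decodeClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// `consentedTenantId` is the {tenant ID} that was placed in the admin consent
// URL. A mismatch means the consent record lives in a different tenant from the
// one the signed-in user belongs to, which is why they still see a prompt.
function explainConsentMismatch(idToken, consentedTenantId) {
  const claims = decodeClaims(idToken);
  if (claims.tid === consentedTenantId) {
    return { match: true, tid: claims.tid };
  }
  return {
    match: false,
    tid: claims.tid,
    hint: `user signed in from tenant ${claims.tid}, but admin consent was granted in `
      + `${consentedTenantId}; the admin consent URL must use the user's tenant id`,
  };
}

// Constructed, unsigned token for the example (alg "none", empty signature).
function makeUnsignedToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// Usage with constructed values.
const sampleToken = makeUnsignedToken({ tid: 'placeholder-customer-tenant', oid: 'placeholder-user', aud: 'placeholder-client' });
console.log(explainConsentMismatch(sampleToken, 'placeholder-app-home-tenant'));
```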

Register app in Azure AD to access CDS Web API

I'm trying to figure out how to integrate an external app with the Microsoft CDS Web API. The first step would be to try the Web API with Postman. Following this document I could authenticate and make requests to the API using the client id provided in the document. However, when I try to register my own app in my AAD, I can't get the access token in Postman without first having to request the admin for consent.
I followed the instructions in this document to register the app, plus I allowed implicit flow. I did this in a trial account, where I'm the admin, and then I tried retrieving the token with a user of another tenant (where I'm not an admin); it tells me to ask the tenant for consent.
Do you know how to register the app without non-admin users having to request admin consent?
Edit:
The registered app has the following permissions, where none of them require admin consent:
Screenshot of the selected permission
The tenant which the non-admin users belong to has the following configuration for users being able to consent access:
Screenshot of user settings
Anyway, I assume these last settings would not be the problem because when requesting the token with the client id provided by Microsoft in the example of the first link, I do not require the consent from the admin.
Just for the sake of clarity, this is the step that I would like to remove from the authorization process:
Screenshot of the consent request screen
First of all you need to know that not all permissions require admin consent.
Dynamics CRM user_impersonation permission doesn't require admin consent.
But you need to make sure all the permissions added into your registered app don't require admin consent. As long as any permission requires admin consent, then admin consent cannot be bypassed.
Besides, make sure this configuration has been enabled in the tenant (which the non-admin users are from).
UPDATE:
You are correct. After testing, I found that this permission does require admin consent. I believe this is an error in the documentation. It seems that the conclusion is that we cannot bypass admin consent.

Why admin grant is required if my app is only requesting User.Read permission?

As you can see in my newly registered app registration, it's an app that only requires users to log in.
Nothing beyond the minimal requirements to work. I didn't configure it to request any special sort of permission.
When I try to log in, this message appears:
"Application needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it"
Why? The permissions the app is requesting are just basic ones. I don't understand why admin consent is required.
Many thanks
There are two possible reasons why users can't consent to User.Read:
User consent is disabled or restricted. Each customer can choose to disable or limit user consent to applications. In a tenant where user consent is disabled, for example, users can't consent to any permission.
Azure AD > Enterprise apps > User settings > Users can consent to apps...
The app requires assignment. When an application is configured to require assignment for users to be able to sign in, users are not allowed to consent to that application.
Azure AD > Enterprise apps > (select app) > Properties > User assignment required?
The most likely reasons for any admin consent issue:
App-only permissions always require a tenant administrator's consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn't able to consent.
Certain delegated permissions also require a tenant administrator's consent. For example, the ability to write back to Azure AD as the signed-in user requires a tenant administrator's consent.
Possible solutions:
The prompt=admin_consent parameter (which requests permissions from an admin) can be used as a parameter in the OAuth2/OpenID Connect authorization request to grant the admin consent.
Enable the admin consent workflow, which gives end users a way to request access to applications that require admin consent.
Refer to the permissions documentation for the Microsoft Graph API, which indicates which permissions require admin consent.
Please refer to the admin consent endpoint for more details.
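Both the "Register app in Azure AD to access CDS Web API" answer ("as long as any permission requires admin consent, then admin consent cannot be bypassed") and the answer above (app-only permissions always need admin consent; some delegated ones do too) reduce to auditing what the app registration actually asks for. The following is an added example, not code from either answer: it walks the requiredResourceAccess section of an app registration manifest and flags every entry that will force admin consent. Entries of type "Role" are application (app-only) permissions and always require it; entries of type "Scope" are delegated and require it only if they are admin-restricted, which the caller supplies as a set of permission ids taken from the Graph permissions reference. The GRAPH_APP_ID value is the well-known Microsoft Graph resource id; the permission ids in the sample manifest are constructed placeholders, not real permission ids.

```javascript
// Added example (not from the posts): find the permissions in an app manifest
// that will force an admin consent prompt.

// Well-known resource app id of Microsoft Graph.
const GRAPH_APP_ID = '00000003-0000-0000-c000-000000000000';

// Constructed sample of the requiredResourceAccess part of a manifest.
// The permission ids are placeholders, not real Graph permission ids.
const sampleManifest = {
  requiredResourceAccess: [
    {
      resourceAppId: GRAPH_APP_ID,
      resourceAccess: [
        { id: 'placeholder-user-read', type: 'Scope' },          // delegated
        { id: 'placeholder-directory-read-all', type: 'Role' },  // application
      ],
    },
  ],
};

// `adminRestrictedScopes`: ids of delegated permissions documented as
// requiring admin consent (assumption: populated by the caller from the
// permissions reference; empty by default).
function findAdminConsentTriggers(manifest, adminRestrictedScopes = new Set()) {
  const triggers = [];
  for (const resource of manifest.requiredResourceAccess || []) {
    for (const access of resource.resourceAccess || []) {
      if (access.type === 'Role') {
        triggers.push({
          resourceAppId: resource.resourceAppId,
          id: access.id,
          reason: 'application (app-only) permission: always requires admin consent',
        });
      } else if (access.type === 'Scope' && adminRestrictedScopes.has(access.id)) {
        triggers.push({
          resourceAppId: resource.resourceAppId,
          id: access.id,
          reason: 'delegated permission marked admin-restricted',
        });
      }
    }
  }
  return triggers;
}

// True when a non-admin user could consent to everything the app asks for
// (subject to the tenant's user-consent settings, which are outside the manifest).
function userConsentPossible(manifest, adminRestrictedScopes = new Set()) {
  return findAdminConsentTriggers(manifest, adminRestrictedScopes).length === 0;
}

// Usage with the constructed sample.
console.log(findAdminConsentTriggers(sampleManifest));
console.log(userConsentPossible(sampleManifest));
```

Running this against the sample flags the single "Role" entry; removing it (or, for a delegated permission, picking a non-restricted one) is what makes user consent possible, and even then the tenant's own user-consent setting from the other answer still applies.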