
I've created an application in https://apps.dev.microsoft.com (Platforms: Web)

This app needs the admin consent for certain permissions. I remember, in the past, accessing https://login.microsoftonline.com/{tenant name}/adminconsent?client_id={application id}&state={some state data}&redirect_uri={redirect uri} with an admin account in order to give permission to access resources in our organization that only an admin can grant. From there, users needed to give user-level consent in order to use the application.

Now, I can successfully login with an admin account and the app works as expected BUT I still get a prompt, for users, with the following message:

You can't access this application APP NAME needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

Have an admin account? Sign in with that account

Return to the application without granting consent

The error message is `AADSTS90094: The grant requires admin permission.`, which doesn't seem to be documented anywhere.

If I click on "Have an admin account? Sign in with that account" and sign in with an admin account, it works, but trying again with a regular user account I get the above message again.


EDIT: So I stripped permissions down to a bare minimum. Scopes in my application are now: `openid`, `profile`, `user.read`. And Microsoft Graph Permissions are now, for Delegated Permissions: `Mail.Send`, `User.Read`. Nothing in Application Permissions, and I STILL get the above message for regular users! Anybody from Microsoft have some info on the AADSTS90094 error code?

katalin_2003
  • I'm just investigating the same problem for my multi tenant application. Have you found anything yet? – sergej Oct 11 '17 at 16:27
  • Hello @sergej, nothing yet sadly. It took the best part of my day. Not sure what changed the past few months, a similar app with similar rights used to work after the one-time admin consent. It now seems like the admin consent has no effect and users can't connect. – katalin_2003 Oct 11 '17 at 17:45
  • Could you please show the permissions you added for graph api ? – Nan Yu Oct 12 '17 at 01:24
  • Hello @NanYu. Sure here's they are `openid profile user.read.all user.read user.readbasic.all directory.readwrite.all mail.send offline_access` . I need the `offline_access` for the refresh token. – katalin_2003 Oct 12 '17 at 07:54
  • I only get this AADSTS90094 error with Office365 owned accounts. I do not get this error with gmail, hotmail or outlook.com. I am not using Graph API, only Windows Azure Active Directory api. I am using no application permissions. Only the two delegated user permissions Directory.AccessAsUser.All and User.Read. – Sql Surfer Nov 09 '17 at 18:20

3 Answers


OK, so I ended up contacting Microsoft support for this since, as of this date, there is no information on this error message.

To put it briefly, Microsoft has made some recent changes with regards to permissions. In the past, if your app required any of the openid, profile or offline_access scopes, you could just place them in your app as scopes; they weren't available on https://apps.dev.microsoft.com. An admin would've given consent and your app would function properly.

What you should now do is mirror your app's scopes with the permissions you have on https://apps.dev.microsoft.com, or else you'll keep on getting that error message. So make sure you have the same thing on both sides now, especially if you're used to the old behavior.

Those three scopes/permissions (openid, profile and offline_access) can now be selected for your app on the dev portal.

katalin_2003
  • Can you add a little detail about what you mean by adding "Scopes" to your application? – Sam Oct 31 '17 at 18:12
  • 1
    Hello @Sam. Sure thing. In order to retrieve an access token you need to pass some scopes with your request. They'll be used in an URL similar to: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?state=TDDBBAE9x40TQ4JKFHOSA&scope=openid+profile+user.read+mail.readwrite+mail.send+offline_access[...]` . Notice the `openid`, `profile`, `user.read` etc.., those are scopes. What MS recently changed is that one now needs to have the same scopes on both sides, the application as well as on `https://apps.dev.microsoft.com`. Don't hesitate if you need more help. – katalin_2003 Nov 02 '17 at 09:17
  • Thanks for posting your findings here. I am facing a similar issue and am wondering whether your solution would work for me, but I cannot find the UI for defining scopes on https://apps.dev.microsoft.com. All I see there is an editor for the manifest file. Has something changed since you posted? I seem to remember that site looking differently... – July.Tech Jan 06 '18 at 04:34
  • @July.Tech I can't use the chat yet but I'll check as soon as possible and let you know. I didn't need to perform any change to the manifest file. – katalin_2003 Jan 07 '18 at 02:27
  • @July.Tech Just checked. Nothing changed, it looks the same. I can edit my permissions just like before. What platform are you developing for? – katalin_2003 Jan 07 '18 at 02:33
  • Thanks for checking @katalin_2003. Here is what I see as soon as I log in to https://apps.dev.microsoft.com: https://i.imgur.com/wshY9sZ.png. If I click on the application name I get: https://i.imgur.com/294lwYJ.png and that's it. I do remember that there used to be a different UI, where one could define scopes and whatnot, which is why I suspected there was a change. – July.Tech Jan 08 '18 at 03:54
  • 1
    @July.Tech This is happening because you created application via azure portal. Instead if you create your application directly via https://apps.dev.microsoft.com/ you would be able to see application details and the permissions tab from which you would be able to grant permissions. – ajinkya udgirkar Jan 12 '18 at 07:23
  • @Sam Do we need to provide permissions for both "Delegated" and "Application" permissions? Because "Application" permissions do not have scopes for offline_access, openid, profile. Could you please confirm the same. – ajinkya udgirkar Jan 12 '18 at 07:41
  • Sorry - I didn't get an answer for this - and I elevated this to Microsoft Premier support who effectively told me there wasn't an answer and to try again in a year. The Azure application creation is a bit of a mess right now, and these scopes don't work if you are using an Azure portal with any permissions locked down (e.g. in an Enterprise). – Sam Jan 13 '18 at 13:20
  • I don't understand how to solve this problem. What do you mean by both sides, please? – Ragavan Rajan Dec 23 '18 at 21:40
  • @Ragavan Rajan I mean you should have the same permissions on the `https://apps.dev...` site as in your code. – katalin_2003 Dec 26 '18 at 16:51

The admin consent endpoint doesn't help in the dynamic scope and dynamic consent scenario.

Using the admin consent endpoint will grant the permissions registered in the app registration portal. You can locate the Microsoft Graph Permissions section, and then add the permissions that your app requires. After doing admin consent by using the admin consent endpoint, your app can gather permissions for all users in a tenant, including admin-restricted scopes.

Nan Yu
  • I don't need dynamic scope or consent. The message pops up right after a user logs in. This is what I have in the application portal: Delegated Permissions: `Mail.Send`, `User.Read`, `User.ReadBasic.All`, `User.Read.All (Admin Only)`. Application Permissions: `Directory.ReadWrite.All (Admin Only)`, `User.Read.All (Admin Only)`. What do I need to change? – katalin_2003 Oct 12 '17 at 09:25
  • I tested your scenario; the result is that currently the well-known scopes (openid, profile, offline_access) would ask for the user's consent once after admin consent. That should be consent by default. But I haven't reproduced your scenario where an admin scope still needs to be consented to by the user after admin consent. – Nan Yu Oct 13 '17 at 06:54
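The accepted answer above says the scopes an app sends in its `authorize` request must now mirror the permissions registered on https://apps.dev.microsoft.com, and Nan Yu's answer says the admin consent endpoint only grants what is registered there. The following helpers, added here as an example and not code from the original post or from Microsoft, build the two URLs in the format the question and comments show and diff the requested scope list against the registered delegated permissions so the mismatch can be spotted before a user hits AADSTS90094. Function names, the `response_type=code` parameter and the sample scope lists, permission lists and error redirect are assumptions or constructed from values quoted on this page.

```python
"""Keep the scopes requested in code in sync with the permissions registered
in the app portal (added example; names and sample values are assumptions)."""
import re
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

# The three OpenID Connect scopes the accepted answer says must now also be
# selected in the portal rather than only sent in the request.
OIDC_SCOPES = {"openid", "profile", "offline_access"}


def normalize_scope(scope: str) -> str:
    """Canonical form for comparing a scope string with a portal permission name.

    Strips the "(Admin Only)" suffix the portal shows, a resource prefix such
    as https://graph.microsoft.com/ (valid in v2.0 scope syntax), and case.
    """
    scope = scope.replace("(Admin Only)", "").strip()
    if "/" in scope:
        scope = scope.rsplit("/", 1)[1]
    return scope.lower()


def unregistered_scopes(requested, registered_delegated):
    """Requested scopes with no matching registered *delegated* permission.

    The scope parameter requests delegated permissions, so application
    permissions are deliberately not part of the comparison.
    """
    registered = {normalize_scope(p) for p in registered_delegated}
    return sorted({normalize_scope(s) for s in requested} - registered)


def missing_oidc_registrations(registered_delegated):
    """OIDC scopes not yet selected in the portal (the cause named in the answer)."""
    registered = {normalize_scope(p) for p in registered_delegated}
    return sorted(OIDC_SCOPES - registered)


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """v2.0 authorize URL in the shape quoted in the comments (response_type assumed)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def build_admin_consent_url(tenant, client_id, redirect_uri, state):
    """Admin consent URL in the shape the question shows."""
    params = {"client_id": client_id, "state": state, "redirect_uri": redirect_uri}
    return f"{AUTHORITY}/{tenant}/adminconsent?" + urlencode(params)


def parse_error_redirect(url):
    """Extract the AADSTS code from an OAuth2 error redirect to redirect_uri."""
    qs = parse_qs(urlparse(url).query)
    description = qs.get("error_description", [""])[0]
    match = re.search(r"AADSTS\d+", description)
    return {
        "error": qs.get("error", [None])[0],
        "code": match.group(0) if match else None,
        "description": description,
    }


if __name__ == "__main__":
    # Constructed from the values quoted in the question and comments.
    requested = ("openid profile user.read.all user.read user.readbasic.all "
                 "directory.readwrite.all mail.send offline_access").split()
    portal_delegated = ["Mail.Send", "User.Read", "User.ReadBasic.All",
                        "User.Read.All (Admin Only)"]
    print("not registered as delegated:", unregistered_scopes(requested, portal_delegated))
    print("OIDC scopes still to select:", missing_oidc_registrations(portal_delegated))
    print(build_admin_consent_url("common", "APP-ID-PLACEHOLDER",
                                  "https://app.example/callback", "xyz"))
```

Run it and the first line lists `directory.readwrite.all` (only registered as an application permission) together with the three OIDC scopes; once those three are selected in the portal, only the Graph mismatch remains.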

I am using MSAL and the 2.0 endpoint (login.microsoft...), I am developing a Multi-Tenant Application.

My Organization has 2 Tenants

One of them is essentially our Dev instance (and I have global admin rights). I registered my app in the Tenant that I don't have Admin Rights on and performed Admin Consent for said app in the Tenant where I can perform the Consent myself. My users can Login Successfully and have consent to the resources they need.

However, when I created the App Registration (all Converged Apps on apps.dev.mic) from the account where I have global admin rights, the login for my users gets the AADSTS90094 Error.

The only way I've come to "resolve" this error is:

On initial login to the application the scope would be openid; the user then consents to that. When that is completed I have to do another login with the scope defined for the application, and everything works. Obviously that UX is wonky to say the least.

Muhammad Omer Aslam
  • Please format your answer better, it is very hard to distill information that is helpful, while the OP might actually try something that you have done. You don't have to describe your entire setup and what you're creating. Simply suggest a solution and explain why it might help, use commas, whitespace and correct capitalization. – Glubus Feb 01 '18 at 13:23