
We have created a converged application for a public community (AD and live users can log in) using Microsoft Graph and the scopes openid, email, profile and user.readBasic.all.

Everything works fine for live users, but some AD users are not able to log in. When they try to log in they get the message:

"App needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."

As per the Microsoft document, we have prepared the admin consent URL as

https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&prompt=admin_consent

After admin consent, users are still not able to log in to the app. Please help us with what we are missing here.


1 Answer

Your URL is for the v1 Endpoint, not the v2 Endpoint (aka converged endpoint).

It should look like this (line break for readability):

https://login.microsoftonline.com/common/adminconsent?
client_id=[APPLICATION ID]&redirect_uri=[REDIRECT URI]

Note that it is /adminconsent rather than /authorize, and there isn't a prompt query parameter. Also keep in mind that you'll need to ensure your registration includes the scopes you want the consent for.

I've written an article that walks you through the entire process that should prove helpful here: v2 Endpoint and Admin Consent

  • Hi Marc, I just tried your answer but no luck. When I am executing the URL, the response I am getting to my callback URL is admin_consent = true, tenant = . – Venuu Munnuruu Jan 10 '18 at 05:47
  • That response is telling you that it has been consented. You can then authenticate using the `/authorize` endpoint. – Marc LaFleur Jan 10 '18 at 15:19
  • Hey Marc, Could you please help to understand why it is not working even after Admin Consent. Thanks – Venuu Munnuruu Jan 22 '18 at 16:23
  • In the AD portal we have disabled the user consent option which allows users to consent on their own to the apps. That means admins have to consent on behalf of the tenant (one time for each app), then users can log in. We are not sure why the system is not allowing it even after admin consent. Please guide us if we are missing anything here. – Venuu Munnuruu Jan 25 '18 at 05:11
  • Is the app registered as multi-tenant? I'm not sure what effect this would have but figured I'd ask before going down the wrong rabbit hole. :) – Marc LaFleur Jan 25 '18 at 15:32
  • It is a converged application (created in apps.dev.microsoft.com) which is for a public community (both AD and live users can log in). – Venuu Munnuruu Jan 27 '18 at 15:23
  • If it is a Converged App then it is by nature multi-tenant and using the v2 Endpoint. For these applications, you cannot use the Azure AD Portal to consent. If you want to use this within a single tenant and not support User Consent then you should use the v1 Endpoint instead. – Marc LaFleur Jan 27 '18 at 15:26
  • @MarcLaFleur-MSFT Reading your article, you said "Unlike Delegated permission, Application permissions always require administrator consent". So if I have an app setup with application permissions using the v2 endpoint, I *always* have to login to the app using admin creds? There is no way to use Admin Consent to allow the app to function for all users in a tenant if it has application permissions? – James Blake Jan 30 '18 at 23:25
  • 1
    If you're using Application scopes then there isn't a "login" at all. Application scopes only apply to the Client Credentials OAUTH Flow. This flow doesn't prompt for credentials because it is explicitly intended for headless/daemon application scenarios. – Marc LaFleur Jan 31 '18 at 15:18
  • Any update? I have the same problem. Admin granted consent with the link https://login.microsoftonline.com/common/adminconsent?client_id=&redirect_uri= but a user from that tenant cannot log in and gets the message "App needs permission..". – user1167761 Feb 13 '20 at 15:33
  • There are too many potential reasons for this to try and cover in a comment. – Marc LaFleur Feb 13 '20 at 20:30
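An added example (not part of the question or the answer above) in Python: it builds the v2 /adminconsent URL the answer describes and validates the callback that Azure AD sends back to the redirect URI, so the app only records consent when the state it issued matches and no error was returned. The client id, redirect URI, state and tenant values are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

V2_AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(client_id, redirect_uri, state, tenant="common", scope=None):
    """Return the v2 (converged) admin consent URL.

    The path is /adminconsent, not /oauth2/authorize, and there is no
    prompt=admin_consent parameter; that parameter belongs to the v1 endpoint.
    `state` should be an unguessable value the app stores per request so the
    callback can be tied back to the request that started it.
    """
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if scope:  # optional: the delegated scopes being consented to
        params["scope"] = scope
    return f"{V2_AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}"


def parse_admin_consent_callback(callback_url, expected_state):
    """Validate the redirect Azure AD issues after the admin accepts or declines.

    Returns the tenant identifier on success. Raises ValueError when the state
    does not match (the callback was not started by us), when the admin
    declined, or when the response lacks the fields the app needs to record.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise ValueError(f"consent failed: {query['error'][0]}: {desc}")
    if query.get("admin_consent", [""])[0].lower() != "true":
        raise ValueError("admin_consent was not granted")
    tenant = query.get("tenant", [""])[0]
    if not tenant:
        # Without a tenant id the app cannot record which directory consented.
        raise ValueError("callback lacks tenant id; nothing to record")
    return tenant


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    # Constructed placeholder client id and redirect URI.
    print(build_admin_consent_url("00000000-0000-0000-0000-000000000000",
                                  "https://app.example/consent-callback", state,
                                  scope="User.ReadBasic.All"))
```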