
I want to use Azure Active Directory as my authentication provider for my Spring Boot application. This seems to be quite easy as long as you've got either admin rights yourself or you know someone with admin rights who can give you permission for the tickbox "Directory.AccessAsUser.All". Unfortunately I don't have that. I know from other successful projects that Azure itself gives the opportunity to still act as an authentication provider even without giving any permission in the API call permission section. When I start the server and go to localhost:8080/home while tracking my network traffic, I can see in the Authorization file the following scope: openid profile https://graph.microsoft.com/User.Read https://graph.microsoft.com/Directory.AccessAsUser.All

So my idea of handling this is to reduce the scope of the authorization request Spring is asking for to match the authorization scope which I allowed in Azure, which is all of them but the last one, as mentioned before. I tried to configure the scope in my application.properties with the following: spring.security.oauth2.client.registration.azure.scope=openid

So what happens is that after I try to access my application online, I'm redirected to the Microsoft login page. After putting in my details I'm getting this:

In order to be able to access resources in your organization, requires authorization that only an administrator can grant. Ask an administrator to grant permission for this app so that you can use the app.

Has anyone an idea of how to handle this? I'd be grateful for any help!

Hendrik
  • You mean that you don't have administrator roles, but when you log in to the application, it will pop up a page that requires administrator consent, and your purpose is to use permissions that you don't need administrator consent, right? – Carl Zhao Mar 10 '21 at 02:02
  • That is correct. And I 'know' that the problem is the Directory.AccessAsUser.All, as Spring is asking for that in the authorization request, but in my Azure portal I can't allow it because of the missing admin rights. – Hendrik Mar 11 '21 at 08:29
  • Then why don't you delete it in the portal? – Carl Zhao Mar 11 '21 at 08:39
  • The tickbox Directory.AccessAsUser.All was never allowed. Therefore I can't delete it. And to allow it I need admin rights. – Hendrik Mar 11 '21 at 08:52

2 Answers


I think you can only log in as an administrator, because you are using the SDK provided by Microsoft when you log in, so you cannot customize the scope of permissions in application.properties.

When you log in to the application, it will require you to consent to all permissions. If you just log in as a user, you cannot consent to all permissions. So, at least in the login module, I think it cannot meet your requirements.

Usually we can customize the scope of permissions only when requesting an access token. For example, if you only need to read user permissions, you can set: scope: https://graph.microsoft.com/User.Read .

Login sample.

Carl Zhao

Ok, I found the problem. In my application.properties I had this line of code: azure.activedirectory.user-group.allowed-groups=. That was responsible for the bigger scope. After deleting it everything worked fine.

Hendrik
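For comparison, here is an application.properties fragment (an added example, not the asker's actual file) showing the group-filter line that triggered the admin-only scope next to the configuration that only requests user-consentable scopes. The tenant-id, client-id and client-secret keys are assumed to be the ones the Azure AD Spring Boot starter reads; their values are placeholders.

```properties
# Added example, not from the question or answer. Assumed keys of the
# Azure AD Spring Boot starter; the angle-bracket values are placeholders.
azure.activedirectory.tenant-id=<your-tenant-id>
azure.activedirectory.client-id=<your-client-id>
azure.activedirectory.client-secret=<your-client-secret>

# Before: restricting sign-in to directory groups. As observed in the question,
# this makes the starter ask for
#   https://graph.microsoft.com/Directory.AccessAsUser.All
# on top of openid profile User.Read, and that scope needs admin consent,
# so a non-admin user is stopped at the "requires authorization that only an
# administrator can grant" page.
#azure.activedirectory.user-group.allowed-groups=<group-name>

# After: no group restriction configured at all (the key is removed, not left
# empty). The authorization request then carries only the scopes a regular
# user can consent to, and sign-in completes without an administrator.
```

If group-based authorization is actually needed, it has to be granted by an admin; removing the key only avoids the scope, it does not replace the access check.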