
I have created an app using this repository in Azure, and this app is deployed using a Service Principal which was created by the command below:

az ad sp create-for-rbac --name "fxpricepredictor" --role contributor --scopes "/subscriptions/YOUR-SUBSCRIPTION-ID/resourceGroups/YOUR-RESOURCE-GROUP-NAME" --sdk-auth

Now, I need to get the API token to manage my created resources using REST APIs. Based on the documentation, I should be able to use my tenantId, clientId and client_secret to get the token by calling the endpoint below:

curl: POST
https://login.microsoftonline.com/{{tenantId}}/oauth2/token

Please note that I am not the global admin in the tenant.

The official sample Postman collection is here, and here is how my request looks in Postman:


Sadly, the endpoint does not provide me the token and instead returns this error:

{
    "error": "unauthorized_client",
    "error_description": "AADSTS700016: Application with identifier 'MY_CLIENTID' was not found in the directory 'MY COMPANY'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 5a9a2c53-c3c8-46da-a1a6-551b42082400\r\nCorrelation ID: bf7c5966-ffa4-4312-8a77-434c2560d65a\r\nTimestamp: 2022-10-05 14:54:23Z",
    "error_codes": [
        700016
    ],
    "timestamp": "2022-10-05 14:54:23Z",
    "trace_id": "5a9a2c53-c3c8-46da-a1a6-551b42082400",
    "correlation_id": "bf7c5966-ffa4-4312-8a77-434c2560d65a",
    "error_uri": "https://login.microsoftonline.com/error?code=700016"
}

Please note, I hid some sensitive values in the error response, replacing them with MY_CLIENTID and MY COMPANY.

So, I guess, the main reason that I am facing this issue is that:

This can happen if the application has not been consented to by any user in the tenant.

Meaning that I should consent to my own app. Am I right?

So, my question is:

  1. How can I get the token to work with REST APIs to manage my resources?

  2. How can I grant consent to my own app, given that I am not a global admin?


Update: As I figured out, I should be able to grant consent to my app using the "Microsoft Graph permissions reference". And here is what I have done:

  1. Login to Azure portal

  2. Navigate to "Azure Active Directory"

  3. Navigate to "App registrations"

  4. Click on the created APP ("fxpricepredictor")

  5. Navigate to "API permissions"

  6. Click "Add a permission"

  7. Click on "Microsoft Graph"

  8. Choose "Delegated Permissions"

  9. Search for "authentication" ---> (Sadly, this option also requires admin consent)

Sal-laS

1 Answer


I tried to reproduce the same in my environment and got the below results:

When I ran the same command as you, one Azure AD application named fxpricepredictor was automatically created with details like below:

az ad sp create-for-rbac --name "fxpricepredictor" --role contributor --scopes "/subscriptions/<subscriptionID>/resourceGroups/<resourcegroupName>" --sdk-auth


By including the above details as parameters, I am able to generate an access token successfully via Postman like below:


Please note that I don't have the global administrator role, and granting admin_consent is not really required.

With the above access token, I am able to fetch and manage the Azure resources in that resource group like below:

GET https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups/SriTest/resources?api-version=2021-04-01

Response:


The error AADSTS700016 may also occur if there is no application in your tenant with the provided ClientID.

I tried including a random ClientID which does not exist in the Azure AD tenant and got the same error as below:


So, make sure to check whether an application with the given ClientID exists in the Azure AD tenant.

Sridevi
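As an added example (not code from the question or the answer), the script below does what the answer shows in Postman from the command line: it performs the client-credentials flow against the v1 endpoint the question uses, reads tenantId/clientId/clientSecret from the JSON that `--sdk-auth` prints (assumed saved to a file such as sp.json), explains an AADSTS700016 response in the same way the answer does, and then lists the resource group's resources through the ARM endpoint. The file path and resource-group argument are assumptions; the `hints` table and the error JSON used in testing are constructed.

```python
import json, re, sys
import urllib.error, urllib.parse, urllib.request

ARM = "https://management.azure.com/"

def build_token_request(tenant_id, client_id, client_secret):
    # v1 endpoint from the question; v1 client-credentials takes `resource`, not `scope`
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "resource": ARM})
    return url, body

def parse_token_response(text):
    # success -> {'access_token': ...}; failure -> AADSTS code plus a hint (constructed table)
    data = json.loads(text)
    if "access_token" in data:
        return {"access_token": data["access_token"]}
    m = re.search(r"AADSTS(\d+)", data.get("error_description", ""))
    code = int(m.group(1)) if m else (data.get("error_codes") or [0])[0]
    hints = {700016: "no app registration with this client_id in this tenant: "
                     "re-check tenantId and clientId from the --sdk-auth output"}
    return {"error_code": code,
            "hint": hints.get(code, data.get("error_description", ""))}

def get_arm_token(sp):
    # sp is the JSON printed by `az ad sp create-for-rbac ... --sdk-auth`
    url, body = build_token_request(sp["tenantId"], sp["clientId"], sp["clientSecret"])
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as r:
            return parse_token_response(r.read().decode())
    except urllib.error.HTTPError as e:  # AAD sends the JSON error body with a 4xx status
        return parse_token_response(e.read().decode())

if __name__ == "__main__":  # usage: python arm_token.py sp.json <resourceGroupName>
    with open(sys.argv[1]) as f:  # secret is read from a file, never hard-coded
        sp = json.load(f)
    result = get_arm_token(sp)
    if "access_token" not in result:
        sys.exit(f"AADSTS{result['error_code']}: {result['hint']}")
    url = (f"{ARM}subscriptions/{sp['subscriptionId']}/resourceGroups/"
           f"{sys.argv[2]}/resources?api-version=2021-04-01")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {result['access_token']}"})
    with urllib.request.urlopen(req) as r:
        for res in json.load(r)["value"]:
            print(res["type"], res["name"])
```

The token is scoped to the ARM resource only, and the service principal's contributor role on the resource group, not any admin consent, is what authorizes the resource calls.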