0
votes

I think this should be an easy fix but I've been looking at it for hours. I downloaded this sample on using ADAL with Xamarin and I'm just trying to get it to work as expected in the UWP project.

I am pretty sure my issue is in my Azure Portal configuration, as I've changed the values in the sample correctly. Here is what I have done in Azure Portal, though:

  1. Made an Active Directory
  2. Made an application in that directory for a native app
  3. Configured these permissions and granted all permissions on each for now - Windows Azure Active Directory, Microsoft Graph, Windows Azure Service Management, Office 365 Management APIs
  4. In the app, after signing in, the app posts an AADSTS65001: the user or administrator has not consented to use the application with id {id}, but I never actually get a consent prompt, and I am already a user in the active directory.

Any ideas?


3 Answers

0
votes

After build, MSAL is the supported library that handles AD authentication. So for Xamarin you could check the samples for the newest library.

0
votes

Consent only gets triggered once per user (unless admin consent is performed in which case it doesn't show up at all for users).

Once consent is granted, any changes to what permissions the app needs are not automatically added to existing consents, nor does the system automatically prompt the user again for consent.

I suspect this might be your case: basically, you started out setting up your app to require basic privileges, ran the app and consented. Then you added more privileges, some of which required admin consent, and ran the app. Because you had already consented, you weren't prompted again, but that initial consent didn't include those new permissions, so you get an error.

You should be able to remove existing consent via Access Panel:

  1. Go to https://myapps.microsoft.com
  2. Find your app and click on ...
  3. Select Remove.

NOTE: You can also do this via Graph but it requires a lengthy explanation.

0
votes

There is a way to manually trigger the consent through the browser too if this is a once-only issue.

https://login.microsoftonline.com/<tenant>/oauth2/authorize?client_id=<client ID>&response_type=code&redirect_uri=<redirectionURI>&response_mode=query&resource=<resource ID for the AAD resource to access>&state=12345&prompt=consent
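
The request in the last answer, as an added example that is not part of any answer above: it builds the same authorize URL with the parameters URL-encoded and a random `state` instead of the fixed `12345`, then checks the redirect that comes back. The function names, the sample tenant, client ID and callback URL are constructed for illustration.

```python
import re
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"


def build_consent_url(tenant, client_id, redirect_uri, resource, state=None):
    """Return (url, state) for the authorize request above, forcing the consent prompt."""
    # An unpredictable state lets the app tie the redirect back to this request.
    state = state or secrets.token_urlsafe(16)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "resource": resource,
        "state": state,
        "prompt": "consent",
    })
    return AUTHORIZE.format(tenant=quote(tenant, safe="")) + "?" + query, state


def parse_redirect(redirect_url, expected_state):
    """Classify the redirect delivered to redirect_uri after the consent page."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    returned = params.get("state", "")
    # Reject anything that does not carry the state we generated.
    if not secrets.compare_digest(returned.encode(), expected_state.encode()):
        return {"status": "rejected", "reason": "state mismatch"}
    if "error" in params:
        # Pull AADSTS codes (such as AADSTS65001) out of the description text.
        codes = re.findall(r"AADSTS\d+", params.get("error_description", ""))
        return {"status": "error", "error": params["error"], "aadsts": codes}
    if "code" in params:
        return {"status": "ok", "code": params["code"]}
    return {"status": "rejected", "reason": "no code or error"}


# Constructed sample values, not taken from the question.
SAMPLE_TENANT = "contoso.example"
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_CALLBACK = "https://app.example/callback"
SAMPLE_RESOURCE = "https://graph.microsoft.com"
```
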