2
votes

I am trying to obtain a token from Azure AD from a Python client application. I want users to seamlessly authenticate with just a username and password (client_id / secret will be embedded in the app). I registered my app, gave it all permissions and hit the "grant permissions" button in the new portal according to this post:

The user or administrator has not consented to use the application - Send an interactive authorization request for this user and resource

I am sending an http post to:

https://login.microsoftonline.com/{tenant_id}/oauth2/token

with the following data:

import requests

token_url = "https://login.microsoftonline.com/{0}/oauth2/token".format(tenant_id)
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}
# values are interpolated unencoded; a password containing '&' or '%' would break the form body
body = "resource={0}&grant_type=password&username={1}&password={2}&client_id={3}&client_secret={4}&scope=openid".format(app_id_uri,user,password,client_id,client_secret)
response = requests.post(token_url, headers=headers, data=body)
print(response.content)

I cannot seem to get past this error no matter what I try:

b'{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID \'078c1175-e384-4ac7-9116-efbebda7ccc2\'. Send an interactive authorization request for this user and resource.

Again, my goal:

User enters user / pass and nothing else. App sends user / pass / client_id / client_secret, obtains token.

2
Could you check your oauth2PermissionGrants with Graph Explorer? Example here: graphexplorer.cloudapp.net/Home/Index/…. Find if your app's service principal has been granted the proper access to the resources. – juunas
So I'm not 100% sure what I'm looking at here, but when I put in "graph.windows.net{my_dir}/oauth2PermissionGrants", I see a "value" array with 3 service principals in it, each having a clientId, none of which correspond with the client_id of my app. Guessing this might be the culprit? I still don't know how to grant it, if so. – Progger
The client id there is actually the object id of the service principal :) So find your service principal first from the servicePrincipals endpoint. – juunas
OK, so it is in there, but how do I know if it has "proper" access? The value next to "scope" is: "Directory.ReadWrite.All Directory.Read.All Member.Read.Hidden User.Read User.ReadBasic.All User.Read.All Group.Read.All Group.ReadWrite.All Directory.AccessAsUser.All", ... which is likely the result of me checking everything I could check in the app permissions. – Progger
Is the consentType set to AllPrincipals or Principal on the oauth2PermissionGrant? Because if it is AllPrincipals then it means admin consent has been given. – juunas
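The two checks the comments above describe, written out as an added example (this is not code from the question or the answers): classify a token-endpoint error by its AADSTS code, and look up the app's service principal in an oauth2PermissionGrants result to see whether its consentType is AllPrincipals. Both JSON samples are constructed; the grant field names follow the Azure AD Graph oauth2PermissionGrant entity, and all ids are placeholders.

```python
import json
import re

# Constructed sample: the token-endpoint body from the question, shortened,
# with a placeholder application id instead of a real one.
SAMPLE_TOKEN_ERROR = (
    b'{"error":"invalid_grant","error_description":"AADSTS65001: The user or '
    b'administrator has not consented to use the application with ID '
    b'\'00000000-0000-0000-0000-000000000000\'. Send an interactive authorization '
    b'request for this user and resource."}'
)

# Constructed sample of a Graph oauth2PermissionGrants response. Field names follow
# the Azure AD Graph oauth2PermissionGrant entity; all ids are made up.
SAMPLE_GRANTS = {"value": [
    {"clientId": "spn-of-some-other-app", "consentType": "Principal",
     "principalId": "user-object-id", "resourceId": "graph-spn-id", "scope": "User.Read"},
    {"clientId": "spn-of-my-app", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-spn-id", "scope": "Directory.Read.All User.Read"},
]}

AADSTS_RE = re.compile(r"AADSTS(\d+)")

def classify_token_error(body):
    """Return (error, aadsts_code) from a token-endpoint error body (bytes or str);
    aadsts_code is None when the description carries no AADSTS number."""
    data = json.loads(body.decode("utf-8") if isinstance(body, bytes) else body)
    match = AADSTS_RE.search(data.get("error_description", ""))
    return data.get("error"), (int(match.group(1)) if match else None)

def needs_admin_consent(body):
    """AADSTS65001: no grant exists for this client/resource pair. The password grant
    has no browser step in which a user could consent, so an admin must grant it."""
    return classify_token_error(body) == ("invalid_grant", 65001)

def consent_for_app(grants, spn_object_id):
    """Grants held by the app's service principal. A grant's 'clientId' is the service
    principal's object id, not the application's client_id, so match on that.
    admin_consent is True only for tenant-wide consent (consentType AllPrincipals)."""
    result = []
    for grant in grants.get("value", []):
        if grant.get("clientId") != spn_object_id:
            continue
        result.append({"resourceId": grant.get("resourceId"),
                       "admin_consent": grant.get("consentType") == "AllPrincipals",
                       "scopes": set(grant.get("scope", "").split())})
    return result
```

To use it against a live tenant, feed `response.content` from the token request to `needs_admin_consent` and the parsed body of the oauth2PermissionGrants query to `consent_for_app`, passing the service principal's object id found via the servicePrincipals endpoint.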

2 Answers

2
votes

According to your comment:

The message I'm receiving says to do an interactive request but that is exactly what I'm trying to avoid because this is a python app with no web browser and I'm trying to avoid complexity.

I think you want to build a daemon app or an app only application integrating with Azure AD. You can refer to https://graph.microsoft.io/en-us/docs/authorization/app_only for the general introduction.

Furthermore, you can leverage the ADAL for Python to implement this functionality with ease. Also, you can refer to client_credentials_sample.py for a quick start.

0
votes

You should try logging in as an admin to be able to give consent to use the application on your tenant at all.