For a multi-tenant application, the initial registration for the application lives in the Azure AD tenant used by the developer. When a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application.
This consent experience is affected by the permissions requested by the application. Azure AD supports two kinds of permissions, app-only and delegated.
App-only permissions always require a tenant administrator's consent. If your application requests an app-only permission and a normal user tries to sign in to the application, your application will get an error message saying the user isn't able to consent, like: "This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator."
If your application uses permissions that require admin consent, you need to have a gesture in your application such as a button or link where the admin can initiate the action. The request your application sends for this action is a usual OAuth2/OpenID Connect authorization request, but one that also includes the prompt=admin_consent query string parameter, e.g.:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_type=code&redirect_uri=&scope=openid&prompt=admin_consent
With this query string, admin consent is needed; if you use a normal user (not an admin), you will get an error like: "This operation can only be performed by an administrator". You could check whether to add the query string according to your requirement. In your scenario, you could click here for a code sample about how to configure IdentityServer4 with Azure AD external login. If you want to force the admin consent flow, you could handle the OnRedirectToIdentityProvider event when configuring the OpenIdConnectOptions, and add the prompt query string parameter by calling the ProtocolMessage.SetParameter method on the supplied RedirectContext:
```csharp
using System.Threading.Tasks;
using IdentityServer4;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    AuthenticationScheme = schemeName,
    DisplayName = "AzureAD",
    // Hand the external identity to IdentityServer4's external cookie scheme
    SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,
    ClientId = clientId,
    Authority = $"https://login.microsoftonline.com/{tenantId}",
    ResponseType = OpenIdConnectResponseType.IdToken,
    StateDataFormat = dataFormat,
    Events = new OpenIdConnectEvents
    {
        // Runs just before the browser is redirected to Azure AD, so the
        // authorization request carries prompt=admin_consent
        OnRedirectToIdentityProvider = context =>
        {
            context.ProtocolMessage.SetParameter("prompt", "admin_consent");
            return Task.FromResult(0);
        }
    }
});
```
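The snippet above forces admin consent on every sign-in, which means an ordinary user of a tenant that has not yet consented hits the "can only be performed by an administrator" error on a plain login. The following is an added example (not the answer's code, and not IdentityServer4's or Microsoft's own sample) that ties the prompt to the admin "gesture" the answer describes: a dedicated controller action starts the challenge with a flag on the AuthenticationProperties, and the OnRedirectToIdentityProvider handler adds prompt=admin_consent only when that flag is present. It assumes the ASP.NET Core 2.x+ AddOpenIdConnect registration API, a scheme name of "AzureAD", a ConsentController route for the button, and the hypothetical property key name AdminConsentFlag; clientId and tenantId are supplied by the caller.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class AzureAdConsent
{
    // Hypothetical key stored in AuthenticationProperties.Items (an assumption of this example).
    public const string AdminConsentFlag = "azuread:admin_consent";
    public const string Scheme = "AzureAD";

    // Configures the Azure AD external login; call from ConfigureServices, e.g.
    // services.AddAuthentication().AddOpenIdConnect(AzureAdConsent.Scheme, "AzureAD",
    //     o => AzureAdConsent.Configure(o, clientId, tenantId));
    public static void Configure(OpenIdConnectOptions options, string clientId, string tenantId)
    {
        options.ClientId = clientId;
        options.Authority = $"https://login.microsoftonline.com/{tenantId}";
        options.ResponseType = OpenIdConnectResponseType.IdToken;
        options.Events = new OpenIdConnectEvents
        {
            OnRedirectToIdentityProvider = context =>
            {
                // Only the admin gesture sets the flag; a normal sign-in keeps the default
                // prompt so ordinary users are not blocked by the admin-only error.
                if (context.Properties.Items.TryGetValue(AdminConsentFlag, out var flag)
                    && flag == "true")
                {
                    context.ProtocolMessage.SetParameter("prompt", "admin_consent");
                }
                return Task.CompletedTask;
            }
        };
    }
}

// The "gesture": a button or link on the admin page routes here.
public class ConsentController : Controller
{
    [HttpGet]
    public IActionResult GrantAdminConsent(string returnUrl = "/")
    {
        var props = new AuthenticationProperties { RedirectUri = returnUrl };
        props.Items[AzureAdConsent.AdminConsentFlag] = "true";
        // Challenge triggers OnRedirectToIdentityProvider with these properties attached.
        return Challenge(props, AzureAdConsent.Scheme);
    }
}
```

Because the flag travels inside the protected state parameter rather than in a user-controlled query string, the decision to request admin consent is made server-side, and the regular sign-in path for non-admin users stays unchanged.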