Azure AD admin consent required when it shouldn't

5
votes

I have 2 tenants:

  • One for my organization, where I manage users (A)
  • One that I manage the applications and permissions (B)

My webapp is on tenant A and I configured authentication on the portal using Azure AD on tenant B.

On tenant B I registered the application with only one permission which does not require admin consent: Windows Azure Active Directory > Sign in and read user profile.

enter image description here

When the user logs in he gets the following error:

AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

I believe that this error should not be raised, since the only permission required by the application doesn't required admin.

EDIT

This is the URL that I am redirected to when I try to access the application when I'm not logged in

https://login.microsoftonline.com/d6ac45af-3289-4f79-a826-27824e1c467d/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Ftechnipfmc-tools-app-test.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=d340f0ed-5eb3-43e8-9a50-c449649f3ee1&scope=openid+profile+email&response_mode=form_post&nonce=1895ec0ffef64447bbb712bdae61c7fb_20170521070654&state=redir%3D%252F

EDIT 2

I found out a solution here:

As an administrator, you can also consent to an application's delegated permissions on behalf of all the users in your tenant. This will prevent the consent dialog from appearing for every user in the tenant. You can do this from the Azure portal from your application page. From the Settings blade for your application, click Required Permissions and click on the Grant Permissions button.

I don't know why had to do that since I'm only using permissions that don't require admin consent.

2
azure-active-directory
There's a setting in Azure AD that, if toggled, will prevent users from doing any consent at all themselves, requiring admin consent for any permission whatsoever. I would check if this setting is enable on your tenant A. This setting is in Azure Active Directory > User settings > Enterprise Applications: Users can consent to apps accessing company data on their behalf.Saca
are you using multi tenancy? I am having a similar problem, but in my case I am guessing that Admin consent will always be required the first time round when a new tenant tries to access the environment via the (common) app registrationJurgen Cuschieri

2 Answers

3
votes

There are several potential problems with your setup:

  1. Your authorization request is set to a specific tenant, the one with tenantId d6ac45af-3289-4f79-a826-27824e1c467d. Only users from that tenant will be able to log in. If this tenantId corresponds to the one for your organization, where you manage users (A), then disregard this point. Otherwise you should either replace this with the tenantId of that tenant or with common which will allow users from any tenant to sign in.
  2. Your application is not multi-tenant. For testing purposes, I replaced the tenantId with common and wasn't able to use this with my test tenant due to the following error: AADSTS70001: Application with identifier 'd340f0ed-5eb3-43e8-9a50-c449649f3ee1' was not found in the directory <MY_TEST_TENANT>. This indicates that the application isn't configured as a multi-tenant application. This is something you must explicitly turn on.
  3. Your organization's tenant (A) might have disabled the ability for regular users to consent to applications. If this capability is disabled, admin consent is always required for the application to be set up in the tenant. To test to see if this is the case, address points #1 (use /common/) and #2 above and try with any other tenant. If you are able to consent with that other tenant but not your organization's tenant, then you'll know that admin consent is required for your organization.

You should check out the How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern article as it explains all of the points above in more detail.

0
votes

I think that error appears when you are passing "&prompt=admin_consent" in the Login URL.

Even though you are not requesting Admin permissions, if you pass that query string, it will try to show you a consent dialogue so that you can consent on behalf of the whole tenant, which is an operation that only an admin can do.