5
votes

We have an app that uses Office365 OAuth to register and authenticate users (via the allauth.social Django library).

The problem is, when the Microsoft/Azure tenant is configured to restrict non-admin users from "consent[ing] to apps accessing company data on their behalf", users are not able to register and login.

We have tried to grant admin consent either via https://login.microsoftonline.com/{tenant_name}/adminconsent or https://login.microsoftonline.com/{tenant_name}/oauth2/v2.0/authorize?prompt=admin_consent. And although our admin users are able to successfully register and grant the permissions (and are also able to retrieve tokens that can be used to impersonate any user in the tenant), individual users are still not able to register/login to our app, since they are not allowed to complete the OAuth flow. They are just met with the following page: [screenshot]

How do we allow non-admin users to login with OAuth when they are restricted from doing so?

P.S. we are using the Microsoft Graph API

1
Not 100% sure I understand the issue, but it sounds similar to something I ran into and fixed by going to the AAD app settings page and, under Required Permissions > Delegated Permissions, checking Sign In and Read User Profile, followed by a Grant Permissions. - Adrian Ghiuta

Unfortunately applications registered via the Azure portal do not work with the Graph API. They need to be registered through apps.dev.microsoft.com. I couldn't find a way to manually Grant Permissions for installed apps created via apps.dev as well. - john2x

@john2x that's not the case. Apps registered in the Azure Portal can absolutely call the Microsoft Graph API. apps.dev is for registering v2 applications (apps that use the converged endpoints that can sign in Azure AD and Microsoft accounts) whereas the Azure portal registers v1 applications (apps that can only sign in Azure AD accounts). Screenshot of Azure Portal w/ Microsoft Graph. - Daniel Dobalian

@john2x Can you please specify the exact permissions you are requesting in your application? - Navya Canumalla

@NavyaCanumalla permissions for this app are Calendars.ReadWrite, Calendars.ReadWrite.Shared, Contacts.ReadWrite, Mail.ReadWrite, Mail.Send, offline_access, openid, profile, User.Read (imgur.com/a/W9A4v) - john2x

1 Answer

6
votes

It looks like you might still need to do admin consent for the app itself (the URLs you share in your question don't include the app ID). You can try doing admin consent for the app using a URL like this one: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&resource={1}&redirect_uri={2}&prompt=admin_consent where:

  • {0} = your client ID
  • {1} = the scope you want to grant permission to
  • {2} = a redirect URI (note: for just forcing admin consent this technically doesn't have to exist because by the time we redirect to it the consent has already happened)

Once you've had an admin consent to the app itself, individual users should be able to log in without needing to go through any consent flows.
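The consent URL the answer describes, as an added example that is not part of the question, the answer, or the allauth library: it builds the v1 admin-consent URL with proper encoding, refuses a non-HTTPS redirect URI outside loopback, binds the request to a state value, and interprets the callback. It assumes the v1 endpoint's documented callback shape (admin_consent=True on success, error/error_description on failure); the client ID, tenant and redirect URI values in the test are constructed.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# v1 authorize endpoint quoted in the answer above
AUTHORIZE_ENDPOINT = "https://login.windows.net/common/oauth2/authorize"


def build_admin_consent_url(client_id, resource, redirect_uri, state):
    """Return the URL a tenant admin visits to consent on behalf of all users.

    client_id    - application (client) ID from the app registration
    resource     - identifier of the API being consented to; on the v1
                   endpoint this is the resource URI (e.g. the Graph API),
                   not a space-separated scope list
    redirect_uri - must be one registered for the app; require https outside
                   loopback so the consent result is not returned in clear
    state        - unguessable value tied to the admin's browser session
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError("redirect_uri must be https (loopback allowed for dev)")
    if not state:
        raise ValueError("state is required to bind the callback to a session")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "resource": resource,
        "redirect_uri": redirect_uri,
        "prompt": "admin_consent",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_consent_callback(callback_url, expected_state):
    """Interpret the redirect after the admin acts; returns (granted, detail)."""
    query = parse_qs(urlsplit(callback_url).query)

    def first(key, default=None):
        return query.get(key, [default])[0]

    if first("state") != expected_state:
        # Not the request we initiated: reject rather than trust the result.
        raise ValueError("state mismatch")
    if first("error"):
        return False, first("error_description") or first("error")
    # Assumption: v1 signals tenant-wide consent with admin_consent=True.
    # A bare auth code without it is an ordinary sign-in, not admin consent.
    if first("admin_consent", "").lower() == "true":
        return True, first("tenant")
    return False, "callback lacks admin_consent=True"
```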