I have an Azure AD multi-tenant application which has a single role defined and enabled. Also, none of the permissions I have defined require admin consent.
Case 1: Roles are disabled on the other tenant
All users from the other tenant can log in to the app. I believe that is because the permissions that I have set do not require admin consent.
Case 2: Roles are enabled on the other tenant
Even after a role is assigned to a non-admin user, the user is not able to log in. He sees a screen showing that admin consent is required. However, once the admin from the other tenant has logged in once, users in the other tenant are able to log in. I am not sure why.
Are the admin consent and app roles functionality related? The desired behavior is that even if roles are assigned and enabled, admins shouldn't need to log in and give consent, since the permissions set by the developer don't need admin consent. Can someone tell me how I can achieve the desired behavior? I don't want to add another button for the admin to 'sign up' before others can 'sign in'. Also, I can't move to the v2 endpoint, as I believe it does not have the roles functionality and has other possible limitations.
Customer Tenant
Token request using OpenIdConnect
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectOptions()
    {
        AutomaticChallenge = true,
        ClientId = [ClientId],
        Authority = [AADInstance],
        CallbackPath = [CallbackPath],
        // Object initializer: members are separated by commas, not semicolons
        TokenValidationParameters = new TokenValidationParameters
        {
            SaveSigninToken = true,
            // ValidateIssuer must stay true, otherwise the custom IssuerValidator is never invoked
            ValidateIssuer = true,
            // Custom validator for issuer/tenant
            IssuerValidator = ValidateIssuerValue,
            RoleClaimType = ClaimTypes.Role
        },
        Events = new CustomOpenIdConnectEvents()
    });
Thanks
-Ravi
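The snippet above wires up a custom IssuerValidator for the multi-tenant case but does not show it. The following is an added example, not the asker's code, of one way such a validator can be written for the v1 endpoint: instead of accepting every issuer of the form https://sts.windows.net/{tenantId}/ (which would let a user from any Azure AD tenant sign in), it allow-lists the tenant IDs the application has onboarded. The tenant IDs, the class name TenantIssuerValidation and the helper TryGetTenantId are constructed for this example; the IssuerValidator delegate signature and SecurityTokenInvalidIssuerException come from Microsoft.IdentityModel.Tokens.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Tokens;

// Added example (not the asker's or Microsoft's code): an allow-list issuer
// validator for a multi-tenant Azure AD application using the v1 endpoint.
public static class TenantIssuerValidation
{
    // v1 access/id tokens carry an issuer of the form https://sts.windows.net/{tenantId}/
    private const string IssuerPrefix = "https://sts.windows.net/";

    // Constructed placeholder tenant IDs; in a real deployment these come from
    // the application's onboarding store, not from a hard-coded list.
    private static readonly HashSet<Guid> AllowedTenants = new HashSet<Guid>
    {
        Guid.Parse("00000000-0000-0000-0000-000000000001"),
        Guid.Parse("00000000-0000-0000-0000-000000000002"),
    };

    // Matches the Microsoft.IdentityModel.Tokens.IssuerValidator delegate:
    // return the issuer to accept it, throw to reject the token.
    public static string ValidateIssuerValue(
        string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
    {
        if (TryGetTenantId(issuer, out Guid tenantId) && AllowedTenants.Contains(tenantId))
        {
            return issuer;
        }

        // Rejecting here surfaces as a failed authentication in the OpenID Connect
        // middleware; the tenant never gets a session in the app.
        throw new SecurityTokenInvalidIssuerException(
            "Issuer is not in the list of tenants allowed to sign in: " + issuer);
    }

    // Extracts the tenant GUID from a v1 issuer string. Strict prefix, suffix
    // and GUID-format checks avoid accepting look-alike issuers such as
    // https://sts.windows.net.attacker.example/{tenantId}/
    public static bool TryGetTenantId(string issuer, out Guid tenantId)
    {
        tenantId = Guid.Empty;
        if (string.IsNullOrEmpty(issuer)
            || !issuer.StartsWith(IssuerPrefix, StringComparison.Ordinal)
            || !issuer.EndsWith("/", StringComparison.Ordinal))
        {
            return false;
        }

        string middle = issuer.Substring(IssuerPrefix.Length, issuer.Length - IssuerPrefix.Length - 1);
        return Guid.TryParseExact(middle, "D", out tenantId);
    }
}
```

With this in place, `IssuerValidator = TenantIssuerValidation.ValidateIssuerValue` plugs into the TokenValidationParameters shown in the question. The trade-off is operational: every customer tenant must be added to the allow-list before its users can sign in, which is exactly the control point a defender wants for a multi-tenant app, and it is independent of whether the tenant's admin has consented or whether app roles are enabled.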