9
votes

I've created an application in https://apps.dev.microsoft.com (Platforms: Web)

This app needs the admin consent for certain permissions. I remember, in the past, accessing https://login.microsoftonline.com/{tenant name}/adminconsent?client_id={application id}&state={some state data}&redirect_uri={redirect uri} with an admin account in order to give permission to access resources in our organization that only an admin can grant. From there, users needed to give user-level consent in order to use the application.

Now, I can successfully login with an admin account and the app works as expected BUT I still get a prompt, for users, with the following message:

You can't access this application APP NAME needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

Have an admin account? Sign in with that account

Return to the application without granting consent

The error message is: "AADSTS90094: The grant requires admin permission." which doesn't seem to be documented anywhere.

If I click on the Have an admin account? Sign in with that account and sign in with an admin account, it works but trying again with a regular user account I get the above message again.


EDIT: So I stripped permissions down to a bare minimum. Scopes in my application are now: openid, profile, user.read And Microsoft Graph Permissions are now, for Delegated Permissions: Mail.Send, User.Read. Nothing in Application Permissions and I STILL get the above message for regular users! Anybody from Microsoft have some info on the AADSTS90094 error code?

I'm just investigating the same problem for my multi tenant application. Have you found anything yet? – sergej

Hello @sergej, nothing yet sadly. It took the best part of my day. Not sure what changed the past few months; a similar app with similar rights used to work after the one-time admin consent. It now seems like the admin consent has no effect and users can't connect. – katalin_2003

Could you please show the permissions you added for graph api? – Nan Yu

Hello @NanYu. Sure, here they are: openid profile user.read.all user.read user.readbasic.all directory.readwrite.all mail.send offline_access. I need the offline_access for the refresh token. – katalin_2003

I only get this AADSTS90094 error with Office365 owned accounts. I do not get this error with gmail, hotmail or outlook.com. I am not using Graph API, only Windows Azure Active Directory api. I am using no application permissions. Only the two delegated user permissions Directory.AccessAsUser.All and User.Read. – Sql Surfer

3 Answers

2
votes

OK, so I ended up contacting Microsoft support for this since, as of this date, there is no information on this error message.

To put it briefly, Microsoft has made some recent changes with regards to permissions. In the past, if your app required any of openid, profile or offline_access, you could just place them in your app as scopes; they weren't available on https://apps.dev.microsoft.com. An admin would've given consent and your app would function properly.

What you should now do is mirror your app's scopes with the permissions you have on https://apps.dev.microsoft.com, or else you'll keep on getting that error message. So make sure you have the same thing on both sides now, especially if you're used to the old behavior.

Those three scopes/permissions (openid, profile and offline_access) can now be selected for your app on the dev portal.
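The mismatch this answer describes, checked against the scopes and portal permissions from the question's EDIT, as an added example that is neither the question's code nor any Microsoft library; the tenant, client id and redirect URI are placeholders, and the permission lists are constructed from the question:

```python
import secrets
from urllib.parse import urlencode

# Constructed from the question's EDIT: the app requests openid, profile and
# user.read, while the portal registration lists only Mail.Send and User.Read.
REQUESTED_SCOPES = ["openid", "profile", "user.read"]
REGISTERED_DELEGATED_PERMISSIONS = ["Mail.Send", "User.Read"]


def unregistered_scopes(requested, registered):
    """Return the requested scopes that are not registered on the app, in request order.

    Azure AD permission names are matched case-insensitively (User.Read == user.read).
    """
    registered_lc = {p.lower() for p in registered}
    return [s for s in requested if s.lower() not in registered_lc]


def build_admin_consent_url(tenant, client_id, redirect_uri, state):
    """Build the tenant admin consent URL quoted in the question; urlencode escapes each value."""
    query = urlencode({"client_id": client_id, "state": state, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"


def new_state():
    """Unguessable state value; compare it on the redirect so a forged callback is rejected."""
    return secrets.token_urlsafe(32)


def state_matches(expected, received):
    """Constant-time comparison of the state sent with the state received on the redirect."""
    return secrets.compare_digest(expected, received)


def preflight(tenant, client_id, redirect_uri, requested, registered):
    """Refuse to send an admin to consent while requested scopes and the registration disagree.

    Returns the consent URL when every requested scope is registered, otherwise None.
    """
    if unregistered_scopes(requested, registered):
        return None
    return build_admin_consent_url(tenant, client_id, redirect_uri, new_state())


if __name__ == "__main__":
    # Placeholders, not real tenant or application values.
    print("not registered:", unregistered_scopes(REQUESTED_SCOPES, REGISTERED_DELEGATED_PERMISSIONS))
    print(preflight("TENANT-PLACEHOLDER", "APP-ID-PLACEHOLDER", "https://app.example/callback",
                    REQUESTED_SCOPES, REGISTERED_DELEGATED_PERMISSIONS))
```

Running this on the question's lists reports openid and profile as unregistered, which is the state the answer says keeps producing AADSTS90094 until the portal lists them too.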

0
votes

The admin consent endpoint doesn't help in dynamic scope and dynamic consent scenarios.

Using the admin consent endpoint will grant the permissions registered in the app registration portal. You can locate the Microsoft Graph Permissions section, and then add the permissions that your app requires. After doing admin consent by using the admin consent endpoint, your app can gather permissions for all users in a tenant, including admin-restricted scopes.

-1
votes

I am using MSAL and the 2.0 endpoint (login.microsoft...), and I am developing a Multi-Tenant Application.

My Organization has 2 Tenants.

One of them is essentially our Dev instance (and I have global admin rights). I registered my app in the Tenant that I don't have Admin Rights on and performed Admin Consent for said app in the Tenant where I can perform the Consent myself. My users can Login Successfully and have consent to the resources they need.

However, when I created the App Registration (all Converged Apps on apps.dev.mic) from the account where I have global admin rights, the login for my users gets the AADSTS90094 Error.

The only way I've come to "resolve" this error is:

On initial login to the application the scope would be openid; the user then consents to that. When that is completed I have to do another login with the scope defined for the application, and everything works. Obviously that UX is wonky to say the least.