I am setting up an App Registration in the Azure AD portal to be used with my sample ASP.Net Core 2 web app. For starters, I want to get basic authentication working. I am configuring this app to enable only one permission, "Sign in and read user profile", note that it does not require admin permission:
However, when I run my web app and attempt to authenticate against this client ID, I get the "AADSTS90094: The grant requires admin permission" error:
You can't access this application
AspNetCoreAdAuth needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
This is the URL that my app uses to authenticate (with some sensitive or irrelevant data removed):
https://login.microsoftonline.com/<my_tenant_id>/oauth2/authorize?client_id=<my_client_id>&redirect_uri=<my_redirect_uri>&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=<gibberish>&state=<giberrish>&x-client-SKU=ID_NET&x-client-ver=2.1.4.0
Majority of solutions on SO and elsewhere propose to simply use the "Grant Permissions" button to get past this error. However
- As a developer I don't have admin rights
- Asking an admin to grant this permission for everyone seems like a sledgehammer approach
- I'd like to understand why this is happening or what am I doing wrong that causes this to not work the way it seems it should work
Any ideas?
