I'm hoping someone has some insight into an issue I'm having with a newly registered app within Microsoft's Azure Portal (portal.azure.com).
My issue on login when I get the following dialog
The error code and message appears in the lower right corner;
AADSTS90094: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
Configuration-wise, I believe I have this setup to not require admin consent, however there maybe something I'm missing.
My app is configured with;
Id Token, single tenant (web) application
Delegated, user consent permissions with no admin permissions
With the enterprise application, the configuration is set to;
- Enabled for users to sign-in:
Yes
- User assignment required:
Yes
- Visible to users:
Yes
- 4 users have been added with the
Default Access
role - Allow users to request access to this application:
No
(as they are assigned)
Last of all, within the azure directory itself under the Enterprise applications - User settings configuration I have set the company data user consent to Yes
When I navigate to either my application URL, or from the app within myapps.microsoft.com
, both give me the above dialog requesting an admin consent.
I don't want to grant admin consent if not required, as it seems a bit like using a sledgehammer to solve the problem.
I feel like I'm either missing something big, or doing something silly - please help, and let me know if I can provide further information.
Edit 1.1:
My authentication request URL is: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<clientid>&redirect_uri=<redirecturi>&response_mode=form_post&response_type=code id_token&scope=openid email profile offline_access User.Read User.ReadBasic.All Mail.ReadWrite&state=OpenIdConnect.AuthenticationProperties=<gibberish>&nonce=<gibberish>&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0
(I'm using ASP.NET MVC combined with Microsoft's OpenId Connect authentication library)
&prompt=consent
to the authentication request URL, see docs.microsoft.com/en-us/azure/active-directory/manage-apps/… – Joy Wang-MSFT