Is Admin consent always required in an Azure AD Multi tenant environment?

1
votes

The environment is configured in a Multi-tenant way. 'AppName' is an App Registration within a common AD which was solely created to give access to users from different tenants to a single environment. For the sake of my description, call the multi-tenants AD1, AD2 and AD3.

This message is displayed when a user from one of these ADs (with no Admin privileges) logs in the first time.

AppName needs permission to access resources in your organization that only an admin can grant

Additionally in the application exception logging I can see the below error

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: "OpenIdConnectMessage.Error was not null, indicating an error. Error: 'access_denied'. Error_Description (may be empty): 'AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant.

The premise is that for a user from AD1 to successfully access the environment, an Admin user from AD1 has to first login and grant admin access. The "common AD" app registration is configured as following.

The Supported account types option in the App Registration is set as

Accounts in any organizational directory (Any Azure AD directory - Multitenant)

The only API Permission is as shown in the image below. The status "Granted for ...." only refers to the "common AD" where the tenant ID resides - it does not grant Admin consent to any AD.

API Permission

The technology being used in the code is ADAL.Net with OpenIDConnect. We are using the: https://login.microsoftonline.com/common (V1.0) endpoint.

In the snippet shown below, found within this url for the only API permission being set in our case.. 'Admin Consent Required' is set as 'No'.

User.Read permission does not require Admin consent

And that is what put me off. Why is the message/error popping up? Is the Admin consent always required because this is a multi tenant scenario? Does this Admin consent, sort of, create the trust between the common AD and the multi-tenant ADs?

1
azureazure-active-directorymulti-tenantadalazure-ad-graph-api

1 Answers

1
votes

Yes. In case of multi-tenancy, admins are required to on-board their tenant. Only after the on-boarding process, users can sign-in. Also, the admin consent which is being shown in the screenshot is not related or dependent on type of tenancy, it is permission specific. App permissions and some delegated permissions require admin consent.

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md