0
votes

As you can see, my newly registered app registration is an app that only requires users to log in. Nothing beyond the minimal requirements to work. I haven't configured it to request any special sort of permission.

When I try to log in, this message appears: "Application needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it"

Why? The permissions the app is requesting are just basic ones. I don't understand why admin consent is required.

Many thanks

2
Whenever your users attempt to log in, it needs to issue a token for them; that's why it needs to check permissions each time to make sure that it has the required permission along with admin consent. Hope you understand. – Md Farid Uddin Kiron
@MdFaridUddinKiron yeah, but my question is why, if I am not requesting admin-consent privileges, it forces it when I am logging in. I want the users to log in without the requirement of an admin providing consent. – X.Otano
This permission won't ask you for admin consent. You need to check whether your code is requesting other resources or permissions. – Tony Ju
It will ask for user consent the first time. – Tony Ju
I downloaded the sample code from the Azure portal, so it is not requesting anything special. @TonyJu – X.Otano

2 Answers

0
votes

The most likely reasons for an admin consent issue:

  1. App-only permissions always require a tenant administrator’s consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn’t able to consent.
  2. Certain delegated permissions also require a tenant administrator’s consent. For example, the ability to write back to Azure AD as the signed in user requires a tenant administrator’s consent.

Possible solutions:

  1. The prompt=admin_consent parameter (which requests permissions from an admin) can be used in the OAuth2/OpenID Connect authorization request to grant admin consent.
  2. Enable the admin consent workflow, which gives end users a way to request access to applications that require admin consent.
  3. Refer to the permissions documentation for the Microsoft Graph API, which indicates which permissions require admin consent.

Please refer to the admin consent endpoint for more details.

1
votes

There are two possible reasons why users can't consent to User.Read:

  1. User consent is disabled or restricted. Each customer can choose to disable or limit user consent to applications. In a tenant where user consent is disabled, for example, users can't consent to any permission.

    Azure AD > Enterprise apps > User settings > Users can consent to apps...

  2. The app requires assignment. When an application is configured to require assignment for users to be able to sign in, users are not allowed to consent to that application.

    Azure AD > Enterprise apps > (select app) > Properties > User assignment required?
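The checks from both answers and from Tony Ju's comment, combined into one diagnostic as an added example (not code from the question, the answers, or Microsoft's sample). It assumes you have the app's authorize URL plus the Microsoft Graph `servicePrincipal` and `authorizationPolicy` objects as JSON; the property names `appRoleAssignmentRequired` and `permissionGrantPoliciesAssigned` are Graph's and do not appear on this page, and the baseline scope set and all sample data are constructed.

```python
import json
from urllib.parse import urlparse, parse_qs

# Scopes a plain sign-in app is expected to request (assumed baseline for this example).
BASELINE_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}

def _short(scope):
    # Reduce "https://graph.microsoft.com/User.Read" to "user.read" for comparison.
    return scope.rsplit("/", 1)[-1].lower()

def diagnose(authorize_url, service_principal, authorization_policy):
    """Return the reasons a sign-in could end at the admin-consent message."""
    reasons = []
    query = parse_qs(urlparse(authorize_url).query)
    scopes = query.get("scope", [""])[0].split()
    extra = [s for s in scopes if _short(s) not in BASELINE_SCOPES]
    if extra:
        # Look these up in the Graph permissions reference for admin-consent status.
        reasons.append("request asks for more than basic sign-in: " + ", ".join(extra))
    if "admin_consent" in query.get("prompt", []):
        reasons.append("request sets prompt=admin_consent")
    # Graph servicePrincipal property behind "User assignment required?".
    if service_principal.get("appRoleAssignmentRequired"):
        reasons.append("app requires user assignment, so users cannot consent")
    # Graph authorizationPolicy: an empty list means user consent is disabled.
    perms = authorization_policy.get("defaultUserRolePermissions", {})
    if not perms.get("permissionGrantPoliciesAssigned"):
        reasons.append("user consent is disabled in the tenant")
    return reasons

# Constructed sample data (placeholder tenant and client id, not from the page).
SAMPLE_URL = ("https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
              "?client_id=CLIENT_ID&response_type=code"
              "&scope=openid%20profile%20User.Read%20Directory.ReadWrite.All")
SAMPLE_SP = json.loads('{"displayName": "demo-app", "appRoleAssignmentRequired": true}')
SAMPLE_POLICY = json.loads(
    '{"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}')

if __name__ == "__main__":
    for reason in diagnose(SAMPLE_URL, SAMPLE_SP, SAMPLE_POLICY):
        print("-", reason)
```

An empty result means none of these three causes applies, which points back at the request the running code actually sends rather than at the registration.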