0
votes

I'm really hoping someone can explain why admin consent is required in our situation and, if possible, how we can avoid it. The following is a simplified version of our normal application in which I was able to reproduce the issue.

I control two tenants: T1, used for development and where all app registrations/resources live. And tenant T2, where I have control over all user settings and which we use for testing multi-tenancy.

In T1 I've registered two app registrations named 'app-frontend' and 'app-api'. Both have a required permission on User.Read on Graph. In addition app-api exposes an (admin and users) scope that is set as a required permission for app-frontend. App-frontend is also registered as a known client application on app-api.

Now the behavior we would expect is that when a first time user requests a token for app-frontend, they are requested for consent and given a token after accepting. For any non-admin account this results in a 'Need admin approval' error though when testing with users from T2. When the required permission from app-frontend to app-api is removed, consent works fine for non-admin users.

I've gone through a number of answers on here to try and figure out why admin consent seems to be required here, but none of the suggested answers/reasons seem to apply in our case. To summarize:

  • The setting 'Users can register applications' is on in T2.
  • The setting 'Users can consent to apps accessing company data on their behalf' is on in T2.
  • User assignment is not required (for either app registration).
  • No other permissions are required by either app registration (so no application permissions are involved).
  • The problem appears for requests to both the v1 and v2 endpoints.

Most of these I would expect to also cause admin consent to be required when the only permission on app-frontend is User.Read, but the problem only appears when the required permission to the scope from app-api is present.

If any other info is required I would be happy to provide it, I've been stuck on figuring this out for quite a bit now.

Update: Screenshots of the app permissions set on both registrations.

Front end app registration: (screenshot)

Api app registration: (screenshot)

3
Both 'app-frontend' and 'app-api' are multi-tenant apps in A tenant, 'app-frontend' app has permission to access app-api and this permission doesn't need admin consent, now you use a user from B tenant to access front end app and request permission to access app-api permission, am I right? – Tony Ju
Yes, that seems like a good summary. As part of the flow our app signs the user in by requesting an id_token for 'app-frontend' (normally through 'react-adal' package, but the same issue exists with manual calls to v1/v2 endpoints), and at that point admin consent is, unexpectedly, required. – Tekking

3 Answers

0
votes

This is delegated consent, not admin consent. Please understand the various types of permissions at Delegated permissions, Application permissions, and effective permissions.

0
votes

I didn't reproduce your issue on my side, see my steps as below.

1.create tonyFronEnd application and tonyBackend application in tenant A, both of them are multi-tenant application. Also, tonyFronEnd application has access to tonyBackend application. And File.Read doesn't need admin consent.


2.use user from tenantB to login in tonyFronEnd application

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=90ffbdb4-5b89-4bbc-9f90-d42b2419294c
&response_type=code
&redirect_uri=https://localhost:8080
&response_mode=query
&scope=openid api://08b3e812-2141-47af-a00a-75de13d3916d/Files.Read
&state=12345

Admin consent is not required.


Update: (user consent)

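The authorize request in the answer above, put into a small Python helper as an added example (this is not code from the answer or from any Microsoft library). It assembles the same v2.0 authorization-code request for the front-end app with an `api://<app-id>/<scope>` scope on the API app, and it parses the redirect back to `redirect_uri`, checking the `state` value before trusting the result and surfacing an `error` response separately from a successful `code`. The client IDs, the `consent_required` sample error and the callback URLs are constructed placeholders, not values from the page.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values (not the IDs shown in the answer above).
AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
FRONTEND_CLIENT_ID = "00000000-0000-0000-0000-000000000001"  # app-frontend (placeholder)
API_APP_ID = "00000000-0000-0000-0000-000000000002"          # app-api (placeholder)
REDIRECT_URI = "https://localhost:8080"


def api_scope(api_app_id: str, scope_name: str) -> str:
    """Build the api://<app-id>/<scope> identifier that app-frontend requests on app-api."""
    return f"api://{api_app_id}/{scope_name}"


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Assemble the v2.0 authorization-code request from the answer, with a caller-supplied state.

    Scopes are space-separated; urlencode takes care of escaping the api:// identifier.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Interpret the redirect back to redirect_uri (response_mode=query).

    Returns {"ok": True, "code": ...} when an authorization code came back, or
    {"ok": False, "error": ..., "description": ...} when the authorization server
    reported an error instead (a consent prompt that was declined or needs an admin
    ends up here). Raises ValueError when the state does not match our request,
    which is how a forged or replayed callback is rejected.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    if state != expected_state:
        raise ValueError("state mismatch: callback was not produced by our request")
    if "error" in qs:
        return {
            "ok": False,
            "error": qs["error"][0],
            "description": qs.get("error_description", [""])[0],
        }
    return {"ok": True, "code": qs["code"][0]}


if __name__ == "__main__":
    # Fresh, unguessable state per request, remembered until the callback arrives.
    state = secrets.token_urlsafe(16)
    scopes = ["openid", api_scope(API_APP_ID, "Files.Read")]
    print(build_authorize_url(FRONTEND_CLIENT_ID, REDIRECT_URI, scopes, state))

    # Constructed sample callbacks, as a browser would deliver them to redirect_uri.
    print(parse_callback(f"{REDIRECT_URI}?code=SAMPLECODE&state={state}", state))
    print(parse_callback(
        f"{REDIRECT_URI}?error=consent_required&error_description=sample&state={state}",
        state,
    ))
```

Keeping the `state` check in `parse_callback` is what lets the same helper be used when comparing a working tenant against one that returns an error: both outcomes are parsed from the same query string, and a callback that was not initiated by this client is rejected before either branch runs.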

0
votes

I've found a solution for the problem in our case:

The cause of the admin consent in our situation turned out to be the fact that the publisher of the app registration was showing as unverified. It was linked to the domain of our Azure tenant (*.onmicrosoft.com), which is not valid as publisher domain.

Surprisingly this appears to have influenced whether admin consent is required or not in this scenario. After changing and validating the app registration to another domain, the requirement for admin consent instantly disappeared.

Also of note: This does not seem to apply to older app registrations. We have several app registrations from the end of 2018, which used the same domain (*.onmicrosoft.com). These app registrations do not appear as unverified in the consent screen however and also do not require admin consent. I suspect app registrations from before a certain change have been grandfathered in to not require consent.