1
votes

I have the following setup:

AAD Directory A with an app registration. The app registration is marked as a multi-tenant app and has no permissions requested by default:

[screenshot: API permissions of the app registration]

During login my webapp redirects to the Microsoft login like this (nonce and redirect URI are removed):

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=05f0df69-2f61-4b41-91ff-31656787f9d3
&redirect_uri=https%3A%2F%2F....azurewebsites.net%2Fids%2Foidc-signin-office365auth
&response_type=code%20id_token&scope=openid%20profile%20email%20User.Read%20offline_access%20User.ReadBasic.All
&response_mode=form_post
&nonce=...

The scopes are:

  • openid
  • profile
  • email
  • User.Read
  • offline_access
  • User.ReadBasic.All

My test user is in AAD Directory B (and without any special setting that only admins can consent to an application). When I try to log in to my application this is the result:

[screenshot: admin approval prompt]

The scope "User.ReadBasic.All" doesn't require an admin consent, but somehow, when I remove this requested scope, the user can just log in to the application without any admin consent.

Question is: Why does the admin consent show up with the "User.ReadBasic.All" scope?

The target would be that a "normal" user can log in to our application without hassling with a tenant-wide approval from the administrators. Does the "require admin consent" differ for "multi-tenant" applications?

Azure Active Directory -> Enterprise applications -> User settings -> Users can consent to apps accessing company data on their behalf. If the option is set to No, the normal user will not have the permission to consent to the app from another different tenant. – Sruthi J

"Users can consent to apps accessing company data on their behalf" is set to "yes". "Users can consent to apps accessing company data for the groups they own" is set to "yes". Also both "Allow user consent for apps" are selected, so I'm really not sure why the "Admin approval" pops up with the "User.ReadBasic.All" scope :-/ Confusing: User.Read doesn't trigger the "Admin approval". – Robert Muehsig

3 Answers

2
votes

Yes, as @Sruthi J said, when you select the Do not allow user consent tab in the Consent and permissions, all applications must require the administrator’s consent. Try to select the Allow user consent for apps tab to solve your problem.

1. Sign in to the Azure portal as a Global Administrator.

2. Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.

3. Under User consent for applications, select which consent setting you'd like to configure for all users.

4. Select Save to save your settings.

[screenshot: user consent settings]

Please see here.

0
votes

In Multi-tenant scenarios

If this is the first time a user from another tenant is logging in, and your app requires permissions that need administrator consent, the first user who signs in must be an admin.

You should have some kind of onboarding flow in which you include prompt=admin_consent in the authorize URL as above. Though this time you would use common instead of a tenant id/domain:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=id&redirect_uri=https%3A%2F%2Flocalhost%3A44307%2F&prompt=admin_consent

Please refer to this document
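The answer above uses the v1.0 endpoint with prompt=admin_consent. As an added example (not code from the answer, the question, or Microsoft), here is the same onboarding step for the v2.0 endpoint that the question's app already uses, which has a dedicated /adminconsent endpoint, together with a parser for the redirect it sends back. The client ID and redirect URI are placeholders; the scope list is the one from the question.

```python
"""Build the sign-in and admin-consent URLs for a multi-tenant app on the
v2.0 endpoint and parse the redirect coming back from /adminconsent.

Added example, not code from the original post. CLIENT_ID and REDIRECT_URI
are placeholders; SCOPES is the list from the question.
"""
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
SCOPES = ["openid", "profile", "email", "User.Read", "offline_access", "User.ReadBasic.All"]
CLIENT_ID = "00000000-0000-0000-0000-000000000000"                       # placeholder
REDIRECT_URI = "https://app.example.net/ids/oidc-signin-office365auth"  # assumed


def _encode(params):
    # safe='' with quote (not quote_plus) yields %2F and %20, the encoding seen in the question
    return urlencode(params, safe="", quote_via=quote)


def authorize_url(client_id, redirect_uri, scopes, state, nonce, tenant="common"):
    """Ordinary sign-in URL. With tenant='common' any Azure AD account may sign in;
    the user (or an admin, where the tenant requires it) is asked to consent to `scopes`."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code id_token",
        "scope": " ".join(scopes),
        "response_mode": "form_post",
        "nonce": nonce,
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{_encode(params)}"


def admin_consent_url(client_id, redirect_uri, scopes, state, tenant="common"):
    """v2.0 admin-consent endpoint. An administrator of the customer tenant grants
    `scopes` for every user of that tenant, so later sign-ins show no consent prompt."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{_encode(params)}"


def parse_admin_consent_callback(url, expected_state):
    """Parse the redirect from /adminconsent.

    Success: ?admin_consent=True&tenant=<tenant id>&scope=...&state=...
    Failure: ?error=<code>&error_description=...&state=...
    The state check ties the callback to a request we issued; anything else is rejected.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to a request we issued")
    if "error" in q:
        return {"granted": False, "tenant": None, "error": q["error"],
                "error_description": q.get("error_description", "")}
    return {"granted": q.get("admin_consent", "").lower() == "true",
            "tenant": q.get("tenant"), "error": None, "error_description": ""}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(admin_consent_url(CLIENT_ID, REDIRECT_URI, SCOPES, state))
    print(authorize_url(CLIENT_ID, REDIRECT_URI, SCOPES, state, secrets.token_urlsafe(16)))
```

Persist the state you generated (session or signed cookie) before redirecting the admin, and record the tenant id returned on success: that is the tenant whose ordinary users can now sign in through the authorize URL without a consent prompt.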

0
votes

It is possible user consent is disallowed because of risk-based step-up consent.

You can confirm if this is the case by looking in the audit log (in "AAD Directory B"): Azure portal > Azure AD > Audit logs (under the "Monitoring" category).

When user consent is disallowed due to risk-based protection, a failed "Consent to application" event is emitted under the "ApplicationManagement" category, indicating it failed due to risk-based detections.
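As an added example (not from the answer above), here is the check an operator in Directory B would script instead of clicking through the portal: scan exported audit-log records for failed "Consent to application" events under the "ApplicationManagement" category and flag the ones whose failure reason mentions risk. The records are constructed to mimic the field layout of Microsoft Graph `auditLogs/directoryAudits` items (category, activityDisplayName, result, resultReason, initiatedBy, targetResources); the resultReason text is made up and is not a real Azure AD string, and the "risk" keyword match is a heuristic because the exact wording is not on this page.

```python
"""Find failed 'Consent to application' audit events and flag risk-based ones.

Added example, not from the original answer. SAMPLE_AUDIT_JSON is constructed
in the shape of Graph `auditLogs/directoryAudits` items; the resultReason text
is invented for illustration.
"""
import json
from datetime import datetime

# Constructed sample data: one blocked consent, one successful consent, one unrelated event
SAMPLE_AUDIT_JSON = """[
  {"id": "a1", "category": "ApplicationManagement",
   "activityDisplayName": "Consent to application",
   "activityDateTime": "2022-03-01T09:15:00Z", "result": "failure",
   "resultReason": "Consent blocked by risk-based step-up consent (constructed text)",
   "initiatedBy": {"user": {"userPrincipalName": "alice@directory-b.example"}},
   "targetResources": [{"displayName": "MyWebApp", "type": "ServicePrincipal"}]},
  {"id": "a2", "category": "ApplicationManagement",
   "activityDisplayName": "Consent to application",
   "activityDateTime": "2022-03-01T09:20:00Z", "result": "success",
   "resultReason": "",
   "initiatedBy": {"user": {"userPrincipalName": "bob@directory-b.example"}},
   "targetResources": [{"displayName": "MyWebApp", "type": "ServicePrincipal"}]},
  {"id": "a3", "category": "UserManagement",
   "activityDisplayName": "Update user",
   "activityDateTime": "2022-03-01T09:25:00Z", "result": "success",
   "resultReason": "",
   "initiatedBy": {"user": {"userPrincipalName": "admin@directory-b.example"}},
   "targetResources": [{"displayName": "carol", "type": "User"}]}
]"""


def parse_time(s):
    """Graph timestamps are ISO 8601 with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load(text):
    return json.loads(text)


def failed_consent_events(records, since=None):
    """Return failed consent attempts (optionally only those at or after `since`),
    reduced to the fields a responder wants first: who, which app, why."""
    hits = []
    for r in records:
        if r.get("category") != "ApplicationManagement":
            continue
        if r.get("activityDisplayName") != "Consent to application":
            continue
        if str(r.get("result", "")).lower() != "failure":
            continue
        when = parse_time(r["activityDateTime"])
        if since is not None and when < since:
            continue
        user = (r.get("initiatedBy") or {}).get("user") or {}
        apps = [t.get("displayName") for t in r.get("targetResources", [])
                if t.get("type") == "ServicePrincipal"]
        hits.append({
            "id": r.get("id"),
            "time": when,
            "user": user.get("userPrincipalName"),
            "app": apps[0] if apps else None,
            "reason": r.get("resultReason") or "",
        })
    return hits


def risk_based(event):
    """Heuristic flag: the answer says the failure reason names risk-based detections,
    so match on the word 'risk'. Tune this once you have seen the real reason text."""
    return "risk" in event["reason"].lower()


if __name__ == "__main__":
    for ev in failed_consent_events(load(SAMPLE_AUDIT_JSON)):
        tag = "RISK-BASED" if risk_based(ev) else "other"
        print(f"{ev['time'].isoformat()} {ev['user']} -> {ev['app']}: {tag}: {ev['reason']}")
```

Feed it the JSON `value` array from a Graph `auditLogs/directoryAudits` query (or a portal CSV export converted to the same fields). A risk-based hit for the app in the question explains the admin-approval prompt even though the tenant's user-consent settings allow consent.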