Microsoft API - AADSTS90094: grant requires administrator permission

I created the application at https://apps.dev.microsoft.com (Platforms: Web)

This application requires administrator consent for certain permissions. I remember that in the past, visiting https://login.microsoftonline.com/{tenant name}/adminconsent?client_id={application id}&state={some state data}&redirect_uri={redirect uri} with an administrator account granted permission to access resources in our organization, which can only be provided by the administrator. From there, users had to give consent at the user level to use the application.

Now I can successfully log in with the administrator account and the application works as expected, but regular users still get a prompt with the following message:

You can't access this application. APP NAME needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

Have an admin account? Sign in with that account

Return to the application without granting consent

Error message: AADSTS90094: The grant requires admin permission, which is not documented anywhere.

If I click on "Have an admin account? Sign in with that account" and log in with an administrator account, it works, but when I try again with a regular user account I get the above message again.


EDIT: So I reduced the permissions to a minimum. The scopes in my application are now: openid, profile, user.read. The permissions for Microsoft Graph allowed as delegated permissions are now: Mail.Send, user.read. Nothing in application permissions, and I STILL get the above message for regular users! Does anyone at Microsoft have any information about the error code AADSTS90094?

php azure office365 azure-active-directory microsoft-graph
3 answers

OK, so I contacted Microsoft support about this, since as of this date there is no information about this error message.

In short, Microsoft has made some changes regarding permissions. Previously, if your application needed any of openid, profile or offline_access, you could simply request them as scopes in your application; they were not available at https://apps.dev.microsoft.com. An administrator would consent, and your application would function properly.

Now you must mirror the application's scopes with the permissions specified at https://apps.dev.microsoft.com, otherwise you will receive this error message, so make sure you have the same thing in both places now, especially if you are used to the old behavior.

These three scopes / permissions (openid, profile and offline_access) can now be selected for your application on the dev portal.

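The mismatch this answer describes, as an added illustration that is not part of the original post or of Microsoft's own code: a check that every scope the app requests at sign-in is mirrored in the permissions registered on the dev portal (the OIDC scopes openid, profile and offline_access included), plus a builder for the admin consent URL quoted in the question. The scope lists and tenant/client values are constructed examples; a Graph permission may be registered with or without the https://graph.microsoft.com/ prefix, so both spellings are normalized before comparing.

```python
from typing import Iterable, List
from urllib.parse import urlencode

GRAPH_PREFIX = "https://graph.microsoft.com/"


def normalize_scope(scope: str) -> str:
    """Lower-case a scope and drop the Graph resource prefix so that
    'https://graph.microsoft.com/User.Read' and 'user.read' compare equal."""
    s = scope.strip()
    if s.lower().startswith(GRAPH_PREFIX):
        s = s[len(GRAPH_PREFIX):]
    return s.lower()


def unregistered_scopes(requested: str, registered: Iterable[str]) -> List[str]:
    """Return the space-separated scopes requested at sign-in that are not
    mirrored in the app registration. Per the answer above, a non-empty
    result is the condition under which regular users hit AADSTS90094."""
    reg = {normalize_scope(s) for s in registered}
    req = {normalize_scope(s) for s in requested.split()}
    return sorted(req - reg)


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Build the tenant-wide admin consent URL from the question, with the
    query string properly URL-encoded."""
    query = urlencode({"client_id": client_id, "state": state, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"


if __name__ == "__main__":
    # Constructed sample: the app asks for offline_access but the portal
    # registration only lists the other four permissions.
    requested = "openid profile offline_access User.Read Mail.Send"
    registered = ["User.Read", "Mail.Send", "openid", "profile"]
    print(unregistered_scopes(requested, registered))  # ['offline_access']
    print(admin_consent_url("contoso.onmicrosoft.com",   # hypothetical tenant
                            "00000000-0000-0000-0000-000000000000",  # placeholder client id
                            "https://example.com/callback", "state123"))
```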

The administrator consent endpoint does not help in the dynamic scope and dynamic consent scenario.

Using the admin consent endpoint will grant the permissions registered on the application registration portal. You can find the "Microsoft Graph Permissions" section and then add the permissions your application needs. After obtaining admin consent through the admin consent endpoint, your application can obtain permissions for all users in the tenant, including scopes restricted by the administrator.


I use MSAL and the v2.0 endpoint (login.microsoft ...), and I am developing a multi-tenant application.

My organization has 2 tenants.

One of them is essentially our Dev instance (and I have global administrator rights there). I registered my application with the Tenant in which I do not have administrator rights, and performed the consent for the specified application in the Tenant where I can execute this consent myself. My users can successfully log in and get consent for the resources they need.

However, when I created the application registration (all converged applications on apps.dev.mic ) from an account where I have global administrator rights, the login for my users receives an AADSTS90094 error.

The only way I have come to "solve" this error:

On the initial sign-in to the application, the scope is openid; the user consents to this, and once that is completed, I have to do another login with the scope defined for the application, and everything works. The UX is obviously far from ideal.

