Trouble exposing an API as per MS Github Tutorial

Siegfried Heintze 1,906 Reputation points
2021-03-09T16:35:27.267+00:00

I'm following the instructions at ms-identity-javascript-angular-spa-aspnetcore-webapi (step 8) where it says to select Add a scope. Here is the screen shot from the github web page:

75991-image.png

  1. Step one is fine: I add "access_as_user" for the scope name.
  2. Trouble! Where do I specify the Admins and users option for Who can consent? I can find no place to enter this!
  3. When I add the new scope, the Who can consent shows up as "Admins only" and the directions say "admins and users". 75849-image.png
  4. After I add the new scope, how do I edit the Who can consent field? I can find no way to edit this field after I have added it.

75850-image.png

I just noticed that these active-directory-b2c-javascript-nodejs-webapi directions do not require me to set the "Who Can Consent" field... I wonder if the above directions are out of date?

Wed Mar 10 2020 Afternoon update:

I think there has been a change in portal.azure.com. When I set up the app registration for 4-2-B2C last summer I don't remember having this problem and I could add scopes for user consent. I just added a new permission to this same registration and I have the same problem: admin only.

Previously, I had admins and users for all my scope and today I tried to add a new scope "delete" and it shows up as "Admins only".

76502-image.png

So I took a look at configure-user-consent and changed the settings to allow user consent for apps ("All users can consent for any app to access the organizations data") but this did not help.

76521-image.png

How do I restore the old behavior so users can have consent?

Thu Mar 11 2021 Morning Update:
Oops, I guess I missed a step in the instructions yesterday. I see the instructions say AAD and not AADB2C. (A note at ms-identity-javascript-angular-spa-aspnetcore-webapi warning users not to confuse AAD with AADB2C would be nice).

  1. I go to portal.azure.com, switch to my tenant directory and this time I click on the "Azure Active Directory" icon instead of the "Azure AD B2C" and click on App Registrations. I see all my applications are there that I created in AADB2C. OK. I click on the TodoListAPI registration I created for this sample.
  2. I remove my old scope and try to add a scope according to the instructions and I have the exact same problem: there is no opportunity to select a different value for "Who can consent". After adding, I see the same: "Admin only" for the "Who can consent" column.
  3. Please explain what this "Who can consent" value means... I suspect it means external (github, facebook or google self serve signup) users won't be able to call the function with that scope...
  4. Also, consider my existing working sample: active-directory-aspnetcore-webapp-openidconnect-v2. The instructions say to use an Azure AD B2C tenant and I previously (last summer) added the demo.read and demo.write scopes (tutorial-web-api-dotnet) and these show up with the "user consent" as "admin and users". As an experiment yesterday, I tried to add demo.delete and it too shows up as "Admins only". What does this mean? Today I try again with AAD instead of AADB2C and I get the exact same behavior: "Admins only" and no opportunity to edit the field.

Thanks

Siegfried

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Siva-kumar-selvaraj 15,721 Reputation points
    2021-03-12T12:03:36.27+00:00

    Please find my inline answers. Hope this helps.

    1) I go to portal.azure.com, switch to my tenant directory and this time I click on the "Azure Active Directory" icon instead of the "Azure AD B2C" and click on App Registrations. I see all my applications are there that I created in AADB2C. OK. I click on the TodoListAPI registration I created for this sample.

    2) I remove my old scope and try to add a scope according to the instructions and I have the exact same problem: there is no opportunity to select a different value for "Who can consent". After adding, I see the same: "Admin only" for the "Who can consent" column.

    Answer:

    It seems you are still in the AAD B2C directory, because when you go to the AAD blade you should not see apps that were created from the B2C blade. The easier way to verify this is to go to App registrations -> click on Endpoints. If you see a page similar to the one below, where the endpoint names start with "Azure AD B2C", it indicates you are on an Azure AD B2C directory, not on a regular AAD tenant.

    77193-image.png

    If you have access to more than one AAD tenant then try using the "Switch Directory" option and switch to an AAD tenant which doesn't have a B2C association. If you don't already have an Azure AD tenant or if you want to create a new one, see Create a new tenant in Azure AD, or use the directory creation experience in the Azure portal.

    77185-image.png

    3) Please explain what this "Who can consent" value means... I suspect it means external (github, facebook or google self serve signup) users won't be able to call the function with that scope...

    Answer:

    The "Who can consent" field is used to select whether a given scope can be consented to by users or whether admin consent is required. You only get to select "Who can consent" as either "Admins and users" or "Admins only" for applications that are registered in a regular AAD directory, not a B2C directory, as shown below.

    With a B2C tenant, you can only use "Admin consent", not "user consent", because it's not supported. That's the reason you see "Admins only" in the "Who can consent" column by default.

    To learn more, read "Azure Active Directory consent framework"

    Regular AAD:
    77222-image.png

    AADB2C Directory:
    77195-image.png

    4) Also, consider my existing working sample: active-directory-aspnetcore-webapp-openidconnect-v2. The instructions say to use an Azure AD B2C tenant and I previously (last summer) added the demo.read and demo.write scopes (tutorial-web-api-dotnet) and these show up with the "user consent" as "admin and users". As an experiment yesterday, I tried to add demo.delete and it too shows up as "Admins only". What does this mean? Today I try again with AAD instead of AADB2C and I get the exact same behavior: "Admins only" and no opportunity to edit the field.

    Answer:

    As mentioned above, if you try from a regular AAD tenant then you get the option to select between admin and user consent.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

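The answer above maps the portal's "Who can consent" column to whether a scope allows user consent or requires admin consent. The same setting is visible outside the portal UI in the app registration's manifest, where each entry under api.oauth2PermissionScopes carries a type of "User" (Admins and users) or "Admin" (Admins only). The following script is an added example, not code from the thread or from the Microsoft sample; it audits a manifest for that field and flags scopes that a tutorial expects to be user-consentable but that are admin-only. The manifest excerpt, its GUIDs and the TodoListAPI scope names are constructed for illustration.

```python
"""Audit an Azure AD app registration manifest for each exposed scope's
'Who can consent' setting.

Added example. The manifest excerpt below is constructed for illustration
(a TodoListAPI registration with two scopes); it is not a real registration.
"""
import json
from typing import Dict, Iterable, List

# The manifest's scope "type" is what the portal renders in the
# "Who can consent" column of the "Expose an API" blade.
WHO_CAN_CONSENT = {
    "User": "Admins and users",
    "Admin": "Admins only",
}

# Constructed manifest excerpt in the Microsoft Graph application format that the
# portal's "Manifest" blade exports. Only the fields this audit reads are included.
SAMPLE_MANIFEST = json.dumps({
    "displayName": "TodoListAPI",
    "identifierUris": ["api://00000000-0000-0000-0000-000000000000"],  # placeholder
    "api": {
        "oauth2PermissionScopes": [
            {
                "id": "11111111-1111-1111-1111-111111111111",  # placeholder
                "value": "access_as_user",
                "type": "User",
                "isEnabled": True,
                "adminConsentDisplayName": "Access TodoListAPI",
                "userConsentDisplayName": "Access TodoListAPI",
            },
            {
                "id": "22222222-2222-2222-2222-222222222222",  # placeholder
                "value": "delete",
                "type": "Admin",
                "isEnabled": True,
                "adminConsentDisplayName": "Delete todo items",
                "userConsentDisplayName": "",
            },
        ]
    },
})


def list_scopes(manifest_json: str) -> List[Dict]:
    """Return one row per exposed scope, with the portal's 'Who can consent' wording."""
    manifest = json.loads(manifest_json)
    scopes = manifest.get("api", {}).get("oauth2PermissionScopes", [])
    rows = []
    for scope in scopes:
        scope_type = scope.get("type")
        if scope_type not in WHO_CAN_CONSENT:
            # Anything other than User/Admin means the manifest is malformed or a format we don't know.
            raise ValueError(f"scope {scope.get('value')!r} has unexpected type {scope_type!r}")
        rows.append({
            "value": scope["value"],
            "type": scope_type,
            "who_can_consent": WHO_CAN_CONSENT[scope_type],
            "enabled": bool(scope.get("isEnabled", False)),
        })
    return rows


def admin_only_scopes(manifest_json: str, expected_user_scopes: Iterable[str]) -> List[str]:
    """Return the scopes from expected_user_scopes that do NOT allow user consent.

    A scope is flagged when it is missing from the manifest or its type is not
    "User", i.e. it shows up as "Admins only" in the portal.
    """
    by_value = {row["value"]: row for row in list_scopes(manifest_json)}
    flagged = []
    for value in expected_user_scopes:
        row = by_value.get(value)
        if row is None or row["type"] != "User":
            flagged.append(value)
    return flagged


if __name__ == "__main__":
    for row in list_scopes(SAMPLE_MANIFEST):
        state = "enabled" if row["enabled"] else "disabled"
        print(f"{row['value']:<16} {row['who_can_consent']:<18} ({state})")
    # The tutorial expects access_as_user to be consentable by users; "delete" is admin-only.
    print("admin-only:", admin_only_scopes(SAMPLE_MANIFEST, ["access_as_user", "delete"]))
```

On a regular AAD tenant, a scope that this audit flags can be corrected by editing it in the portal or by changing its type in the manifest. On a B2C tenant the portal only offers admin consent, as the answer explains, so every scope will be reported as "Admins only" regardless of how the tutorial describes it.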

1 additional answer

  1. Siva-kumar-selvaraj 15,721 Reputation points
    2021-03-11T10:21:35.01+00:00

    Hello @Siegfried Heintze ,

    Thanks for reaching out and sharing detailed information.

    This is expected behavior when you try with a B2C tenant, because the instructions at ms-identity-javascript-angular-spa-aspnetcore-webapi are meant for regular AAD (Azure Active Directory), not for Azure AD B2C.

    Could you try performing it with an AAD (Azure Active Directory) tenant? Hope this helps.

    Regards,
    Siva Kumar Selvaraj
    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
