Does microsoft graph scope require admin consent for delegated permissions

WMio Connectors 121 Reputation points
2020-03-11T09:19:44.903+00:00

I created an OAuth app and selected delegated permissions of Microsoft Graph which do not have admin consent required. But when I try to authorize with some other tenant's user, it prompts the message "Your needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it". How can I overcome this without going to an admin, as I have not selected any admin-consent-required scope?

Microsoft Entra ID

Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-03-24T10:40:43.16+00:00

    @WMio Connectors, the admin consent page is coming up because the following option is set to "No" [please refer to the screenshot]:
    [screenshot: 5651-entapp.png]

    If this option is set to "No", normal users won't be able to provide user consent. If you want to go ahead with this option set to "No" and still want the multi-tenant app to work, the only other option is to use "Admin Consent Requests (Preview)" and set that to "Yes". Doing this, when a normal user accesses the app and enters the username and password, he/she would get a consent page asking the user to provide a justification for the admin to approve. Once the admin approves it, the user would be able to access the app, and in the backend the app's service principal would get added to the user's tenant.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.


16 additional answers

  1. WMio Connectors 121 Reputation points
    2020-03-24T10:46:21.873+00:00

    @soumi-MSFT, this is a helpful one, and I was able to find the way to create the multi-tenant app and how to control permissions via the admin. Thanks :)


  2. Eric Wyler 1 Reputation point
    2020-04-18T14:29:21.723+00:00

    @soumi-MSFT I've been struggling with the same issues reported here - however, I've checked the setting around users allowing consent as in the answer screenshot in the target tenant and it is set to "yes".

    I've run through both the python and node tutorials for getting oauth access, have validated the domain for the app (in case the request was being deemed illicit and thus admin consent was being required despite just asking for delegated permissions), and have also tried authorizing other apps (which work, and bring me to a consent screen allowing me as a user to consent for delegated permissions) and taken that URL and replaced the client ID with mine, but then it fails.

    It seems there's something wrong with my app registration setup given the client ID substitution failure above, but I've followed multiple tutorials for setting up a multi-tenant app to the same result. Again, the setting you reference above is set to "yes" in the target tenant.

    Is there something else that could be causing this?


  3. Flemming 1 Reputation point
    2020-04-20T20:31:02.543+00:00

    @soumi-MSFT
    I have the exact same problem as described here.

    If you have managed to solve the issue for those who have asked, will you post the solution here or link to it? It would be a great help.

    The challenge is that even when an application only requests simple permissions that do not require admin consent, admin consent seems to be required, at least outside the application's own AD zone.

    I have made sure that my test accounts have the ability to grant consent, but no luck.

    Thank you so much in advance.


  4. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-04-21T15:51:20.65+00:00

    @Eric Wyler ,

    This issue happens because of something called Risk-based Step-up consent.

    Risk-based step-up consent helps reduce user exposure to malicious apps making illicit consent requests. If Microsoft detects a risky end-user consent request, the request will require a "step-up" to admin consent instead. This capability is enabled by default, but it will only result in a behavior change when end-user consent is enabled.
    When a risky consent request is detected, the consent prompt will display a message indicating that admin approval is needed.

    [screenshot: 7621-consent.png]

    So it is expected that this will happen to some apps, if they meet our criteria. This is documented as one of the "unexpected consent errors" here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error

    • AADSTS90093: <clientAppDisplayName> is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf.
    • AADSTS90094: <clientAppDisplayName> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

    Mitigation Step:
    In order to get them unblocked immediately, the consent request can be sent to an admin for review and potential approval.

    [screenshot: 7614-consent.png]

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

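An added example (my own code, not from the thread or from Microsoft): a small Python helper that parses the OAuth redirect callback, recognises the AADSTS90093/AADSTS90094 step-up codes quoted above, and builds the documented Entra ID v2.0 admin consent URL so the request can be routed to an administrator. The tenant, client ID, redirect URI, app name and state values are placeholders.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Error codes quoted in the thread that mean user consent was stepped up to admin consent.
ADMIN_CONSENT_CODES = {
    "AADSTS90093": "user is not authorized to grant one or more requested permissions",
    "AADSTS90094": "app needs permissions that only an admin can grant",
}


def classify_callback(redirect_url: str) -> dict:
    """Parse the redirect_uri callback and report whether admin consent is required."""
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    description = params.get("error_description", "")
    match = re.search(r"AADSTS\d+", description)       # Entra error codes are embedded in the text
    code = match.group(0) if match else None
    return {
        "error": params.get("error"),                  # e.g. "access_denied"; None on a success callback
        "code": code,
        "needs_admin_consent": code in ADMIN_CONSENT_CODES,
        "reason": ADMIN_CONSENT_CODES.get(code),
        "state": params.get("state"),
    }


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str, scopes, state: str) -> str:
    """Build the v2.0 admin consent endpoint URL (the endpoint is documented; all values are placeholders)."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),   # space-separated delegated scopes, e.g. User.Read
        "state": state,
    })
    return f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?{query}"


# Constructed sample callback, modelled on the AADSTS90094 message quoted in the thread.
SAMPLE_CALLBACK = (
    "https://localhost:5000/callback?error=access_denied&state=xyz123"
    "&error_description=AADSTS90094%3A+Contoso+Demo+needs+permission+to+access+resources+"
    "in+your+organization+that+only+an+admin+can+grant."
)

if __name__ == "__main__":
    result = classify_callback(SAMPLE_CALLBACK)
    print(result)
    if result["needs_admin_consent"]:
        # Placeholder tenant/client/redirect values; an admin would open this URL to grant consent.
        print(admin_consent_url("common", "00000000-0000-0000-0000-000000000000",
                                "https://localhost:5000/callback", ["User.Read"], result["state"]))
```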