Report-only conditional access blocking access to admin consent.

Noah 20 Reputation points
2023-10-17T23:50:30.9933333+00:00

We're developing a Typescript/React web application and a Typescript/Express API that uses the on-behalf-of flow to access data from Microsoft services and we're running into an issue when granting admin consent for the application (in another organization) using a url like this:
https://login.microsoftonline.com/{tenantId}/adminconsent?client_id={appClientId}&redirect_uri=http://localhost:3000/msal-redirect

If any conditional access policies are enabled (even in report-only mode) or if security defaults are enabled, we get this error url immediately before the redirect:

http://localhost:3000/msal-redirect?error=invalid_grant&error_description=AADSTS50097:+Device+authentication+is+required.%0D%0ATrace+ID:+{traceId}%0D%0ACorrelation+ID:+38d6c20a-e57c-4745-af4d-397bd537a09d%0D%0ATimestamp:+2023-10-17+18:38:40Z&error_uri=https://login.microsoftonline.com/error?code%3D50097&admin_consent=True&state=/tenants/{tenantId}?cloudInstance%3Dcommercial

We are trying to get this to be functional in two different scenarios:
a) We are an internal user (global admin) in an organization (different from the one which the app registration was created in)

b) We are an external user belonging to the tenant which the app and api registrations were created in and we are a global admin in another organization.

Scenario (b) has been more reliable thus far as we have also seen the "your organization lacks a service principal for x" error in scenario (a). Either way, we want a reliable way to grant admin consent even when conditional access policies are in place. Any help would be appreciated.
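As an added example (not code from the question or the answer), here is a TypeScript helper for the Express redirect route that parses the query string Entra ID appends to redirect_uri and separates a granted consent from an AADSTS error such as the 50097 one above, so the failure, its trace and correlation IDs, and the timestamp can be logged for the support case. The GUIDs in the sample URL are constructed placeholders.

```typescript
// Added example: classify the admin-consent redirect that Entra ID sends back
// to redirect_uri. Handles both the success shape (admin_consent=True&tenant=...)
// and the error shape seen in the question (error=...&error_description=AADSTS...).

interface AdminConsentResult {
  granted: boolean;
  tenant?: string;
  state?: string;
  error?: string;
  aadstsCode?: string;   // e.g. "AADSTS50097"
  description?: string;  // human-readable text after the AADSTS code
  traceId?: string;
  correlationId?: string;
  timestamp?: string;
}

function parseAdminConsentRedirect(redirectUrl: string): AdminConsentResult {
  // URLSearchParams decodes "+" to space and %0D%0A to CRLF for us.
  const params = new URL(redirectUrl).searchParams;
  const error = params.get("error");
  // The error redirect in the question also carries admin_consent=True, so the
  // presence of "error" must be checked before trusting admin_consent.
  if (error === null) {
    return {
      granted: params.get("admin_consent")?.toLowerCase() === "true",
      tenant: params.get("tenant") ?? undefined,
      state: params.get("state") ?? undefined,
    };
  }
  // error_description is multi-line: "AADSTS<code>: <text>", then
  // "Trace ID: ...", "Correlation ID: ...", "Timestamp: ...".
  const lines = (params.get("error_description") ?? "").split(/\r?\n/);
  const field = (label: string): string | undefined =>
    lines.find((l) => l.startsWith(label))?.slice(label.length).trim();
  const code = /^(AADSTS\d+):\s*(.*)$/.exec(lines[0] ?? "");
  return {
    granted: false,
    error,
    aadstsCode: code?.[1],
    description: code?.[2] ?? lines[0],
    traceId: field("Trace ID:"),
    correlationId: field("Correlation ID:"),
    timestamp: field("Timestamp:"),
    state: params.get("state") ?? undefined,
  };
}

// Constructed sample modelled on the question's error redirect (placeholder ids).
const SAMPLE_ERROR_REDIRECT =
  "http://localhost:3000/msal-redirect?error=invalid_grant" +
  "&error_description=AADSTS50097:+Device+authentication+is+required." +
  "%0D%0ATrace+ID:+11111111-1111-1111-1111-111111111111" +
  "%0D%0ACorrelation+ID:+22222222-2222-2222-2222-222222222222" +
  "%0D%0ATimestamp:+2023-10-17+18:38:40Z" +
  "&error_uri=https://login.microsoftonline.com/error?code%3D50097" +
  "&admin_consent=True&state=/tenants/33333333-3333-3333-3333-333333333333";
```

In the Express handler, call `parseAdminConsentRedirect` on the full request URL and log the `aadstsCode`, `traceId` and `correlationId` fields whenever `granted` is false.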


Accepted answer
Philippe Signoret (Microsoft) 406 Reputation points Microsoft Employee
2023-10-18T11:05:49.1133333+00:00

Please open a support case for this issue, as a report-only policy should not cause a sign-in (including a sign-in for admin consent) to fail entirely.

In general, it's recommended that customers with conditional access policies requiring compliant devices in report-only exclude macOS, iOS, Android, and Linux from the policy. Still, not doing so should only cause an unexpected device certificate prompt, not a failed sign-in.

Note that an active conditional access policy that applies to all apps will prevent a user from being able to grant consent if they can't meet the requirements of the policy—but that's of course expected.
