Multi-tenant app with delegated permissions that shouldn't require admin consent are still requesting consent. Why?

Calcul8or 6 Reputation points
2020-11-05T05:07:52.483+00:00

I've created an app and registered it on Azure AD as a multi-tenant app, and granted the following delegated permissions that do no require admin consent:

  • Calendars.ReadWrite
  • offline_access
  • openid
  • profile
  • User.Read
  • User.ReadWrite

I've also created sample users in Office 365 Developer, and am using one of those users to test my app's integration with Outlook. Each time the user tries to connect with Outlook via my app, the following message is displayed with no means to move forward. The only option they have is to return to my app without granting permissions, which is completely useless as far as this integration is concerned.

37537-admin-consent.png

Why is this happening? The user doesn't need admin approval for any of the (delegated) permissions listed above, which may mean that there is something wrong in the way I have set up my app in Azure AD.

I have also set "users can request admin consent to apps they are unable to consent to" to "yes" in Enterprise Apps > User Settings > Admin consent requests (Preview).

Any urgent assistance with this will be highly appreciated.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,796 questions
{count} votes

2 answers

Sort by: Most helpful
  1. soumi-MSFT 11,781 Reputation points Microsoft Employee
    2020-11-05T06:38:04.257+00:00

    Hello @Calcu80r-4819, thank you for reaching out. This issue comes up because of something called illicit consents.
    I just posted an answer on this following thread: https://learn.microsoft.com/en-us/answers/questions/132547/successfull-admin-consent-but-user-is-blocked-sett.html?childToView=152195#answer-152195

    This issue happens because of something called Risk-based Step-up consent.

    Risk-based step-up consent helps reduce user exposure to malicious apps making illicit consent requests. If Microsoft detects a risky end-user consent request, the request will require a "step-up" to admin consent instead. This capability is enabled by default, but it will only result in a behavior change when end-user consent is enabled.
    When a risky consent request is detected, the consent prompt will display a message indicating that admin approval is needed.

    So
    it is expected that this will happen to some apps, if they meet our criteria. This is documented as one of the "unexpected consent errors" here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error

    AADSTS90093: <clientAppDisplayName> is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf.
    AADSTS90094: <clientAppDisplayName> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

    That said if this is a valid, non-malicious app we do want to make sure the developer is not blocked on this going forward

    In order to get them unblocked immediately, the consent request can be sent to an admin for review and potential approval

    References: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error

    I am looking for some more insights on this and I will keep you posted with the next set of details. For now, you can try two things:

    1. Try to make the app verified, by adding a verified domain to your tenant
    2. Try enabling the option:

    37577-adminconsent.png

    But before trying those options mentioned above, since I am not sure of the actual error message in your case, I would also like you to try the following option:
    37557-consentpermissions.png

    You can find these settings under "Home > {Tenant-Name} > Enterprise Applications > Consents and Permissions" and select the option as mentioned in the screenshot above.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

    0 comments No comments

  2. Calcul8or 6 Reputation points
    2020-11-05T06:50:22.297+00:00

    Hi @soumi-MSFT ,

    Thanks for getting back to me. The only thing I may not have done in the recommendations you've given, is add a verified domain. I'm not really sure how to do that, but I'll consult the documentation and hopefully find out.

    I will try that and let you know what happens.

    Thanks!


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.