Why doesn't an Application Owner have permission to land on Single-Sign on page?

Akshay K V 1 Reputation point
2020-04-07T17:16:34.683+00:00

I'm an Owner to the application registered in Azure AD. I get "No Access"; error when I try to configure SSO.

7231-screenshot-from-2020-04-07-22-40-55.png

What I also find strange is that, when I try to open the Single-sign on page it hits the below URL and I get the response as follows.

Why does Azure have to check my permissions for Application Proxy when I'm trying to open SSO page?

URL: https://main.iam.ad.ext.azure.com/api/ApplicationProxy/Applications/318ca569-e1fe-400d-bfa5-c7dd43a00d11
Response: {"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"Graph call failed with httpCode=Forbidden, errorCode=NotAdminRoleNoEnoughCustomPermission_UnauthorizedAccess, errorMessage=Unauthorized Access., reason=Forbidden, correlationId = e125bfa1-5615-4617-9ea2-9f45fba5300e.","Data":{},"HResult":-2146233088,"XMsServerRequestId":null,"Source":null,"HttpStatusCode":403,"ClientData":{"errorCode":"Forbidden","localizedErrorDetails":null,"operationResults":null,"timeStampUtc":"2020-04-07T17:09:53.686276Z","clientRequestId":"e125bfa1-5615-4617-9ea2-9f45fba5300e","internalTransactionId":"6bc02fe1-15c7-499d-b45c-36b4d6e84f46","tenantId":"5d471751-9675-428d-917b-70f44f9630b0","userObjectId":"ac5f9f20-b9f4-4ea9-8439-5e96798793aa","exceptionType":"MsGraphException"}}

7221-screenshot-from-2020-04-07-22-40-42.png

7165-screenshot-from-2020-04-07-22-40-29.png

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,799 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Anuj Rana 221 Reputation points
    2020-04-07T20:32:29.267+00:00

    If i understood this correctly , when you login to portal.azure.com , you are no longer able to access Azure AD blade which contains Applications. If this is correct, then it means that ur Global admin has restricted access to Azure AD to admin users only. Owners of app doesn’t qualify for required privileges. You will need application admin role to manage ur app on portal. Alternatively you can try to manage applications (upto an extent ) using PowerShell.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.