I'm working on a proof of concept to see if I can use Entra to allow customer users to sign up and sign in to my web application using an email address and password. I'm using a trial Azure account and I've created an Entra External ID tenant for authentication. I've created a user flow to allow users to sign up and sign in with an email address and password and linked that to the application registration. There is a problem though. The user sees a "need admin approval" prompt: "needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."
I can see the new user account in the tenant. It obviously doesn't make sense for the user to log in as an admin to approve it as the whole point is that they are an external user.
I can see the sign-in failure in the sign-in logs. Failure reason is "Admin consent is required for the permissions requested by this application." Confusingly though, the resource owner tenant ID is f8cdef31-a31e-4b4a-93e4-5f571e91255a. I googled that GUID and it turns out this is Microsoft's own Entra tenant used for their own services. So is the implication here that for some reason that tenant needs to give permission for the external user to log in?
I'm using the https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial.git sample to test this if that helps.
Thanks.
Gareth
You'll need to consent to the required permissions on behalf of the users. If you log on to the test app as a global admin, you should be able to grant that.
In your link, it mentions that in the readme: