Back to App button not working after getting request approved from Admin

Vineet Kumar 11

We have made settings in azure portal to not allow Users to give Consent to apps accessing company data on their behalf (but through Admin only). So, if a User wants to give consent, a request is sent to Admin for approval.

The issue is that when Admin approves the request and User clicks "Back to App" button, he gets error that User declined to consent the app. Microsoft post below error code to our Redirect API:

https://<Redirect_API_URL>?error=access_denied&error_subcode=cancel&state=<application_base url>&
error_description=AADSTS65004%3a+User+declined+to+consent+to+access+the+app.

It seems like "Back to App" button is behaving like "Cancel" button.

3 answers

Mason Stricklin 6 Reputation points

2020-09-15T01:43:51.967+00:00

I am also encountering the "Back to App" issue. Not sure how to handle this. I don't want to overwrite the AADSTS65004 error message, because a user can hit this error and have it be the correct error.

I am considering displaying the AADSTS65004 error message alongside another message that says "admin authorization required." However, this isn't ideal. I would be displaying 2 error messages where only 1 is correct.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-05-05T11:58:49.777+00:00

@Vineet Kumar , You are correct. I did test the same and I do see the same error.Probable cause for this is when you are hitting the "Back To App" the user still doesnt have a valid token with proper consented permissions in it to access the app and hence AAD is still denying the access with that error. But after the Global Admin have given its consent, the user can use another tab in that same browser window and access the app, and he should be able to reach the app as that new request would have the new token/code issued to the user after verifying the permissions and consents on those permission from the request the user has shared.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
Please sign in to rate this answer.
Vineet Kumar 11 Reputation points

2020-05-05T12:23:00.533+00:00

Thanks a lot @soumi-MSFT for you reply

The problem is that even if I click "Back To App" button after a long time after Admin approves my request, it always gives this same error.

Also, everytime I opens Auth flow to give consent to Third party app, it always asks me to get approval from Admin, even if I had already got approval before (many times) though email.

Do you know any application/example where this flow works fine?
It would be very helpful.

Thanks!

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-05-05T12:35:27.993+00:00

@Vineet Kumar , Surely I can take a look into this and get you some more details. Also I would like to share that, it really doesnt matter if you wait for long time also and then press that "Back To App" button. As pressing that "Back To App" should ideally created another fresh request to AAD which it doesnt. I have debugged this button press and found that it is not making any fresh call, hence AAD never gets a fresh request.

Now this can be a problem which I would have to work with the backend team to check and see there things are missing in that button's code.

Do allow me sometime, and I will get back to you on this with some more updates.

Vineet Kumar 11 Reputation points

2020-05-07T13:29:30.147+00:00

@soumi-MSFT any update on it?

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-05-07T16:19:55.36+00:00

VineetKumar-9858, I apologize for the delay, I did reach out to the backend team on this. We are still working on this. I should be in a position to share some updates with you my Monday, 11th of May 2020.

Once again I would like to apologize for the delay.

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-05-07T16:33:12.777+00:00

@VineerKumar-9858, In the mean time, can you please share a screenshot of the actual error that you see on the screen. The error that you had shared earlier is something that I also got but on the address bar of the browser and this is the error I got on the browser after pressing the "Back To App" button:

For me I believe this error comes up as there is no application listening on http://localhost:1234. But in your case I would like to understand what is the actual error you seeing.

Vineet Kumar 11 Reputation points

2020-05-08T06:18:06.43+00:00

Thanks @soumi-MSFT for update

PFA the error screenshot.

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-05-11T12:08:06.067+00:00

@Vineet Kumar , I have raised an internal request and still waiting for a response. I will keep you updated as soon as I hear back.

Vineet Kumar 11 Reputation points

2020-05-11T13:11:13.127+00:00

Thanks @soumi-MSFT

Vineet Kumar 11 Reputation points

2020-05-13T05:10:09.477+00:00

@soumi-MSFT did you get any update on this as our customers are facing this issue and are blocked.

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-05-13T16:07:54.857+00:00

@Vineet Kumar , I apologize for the delay in my response. I just dropped off from a discussion with the the product team on this issue. As a response they mentioned it works, but then since in this case it is failing they are investigating around this in the backend.

Do allow me some more time as they also requested the same as they are working on this. We do not have an ETA as of now, but can assure you this is being worked upon. Also as a workaround, I would suggest you to refrain from using that button, instead, you can open another Tab on the same browser session and try to access the application once again after the Global Admin has approved the justification for the consents.
Sign in to comment
Luis Leon - MSFT 6 Reputation points Microsoft Employee

2020-05-14T15:41:57.167+00:00

@Vineet Kumar , thanks for the feedback around the "Back to App" button. This is the first time we see the feedback, so we're going to monitor and see if this is a common problem for customers. If you want to check the behavior, you can try to consent to https://developer.microsoft.com/en-us/graph/graph-explorer.

As @soumi-MSFT mentioned, the end-user isn't expected to wait on that screen until the Admin provides the admin consent. They are expected to leave and come back once their request has been approved.

Regarding the problem you mentioned where even if you grant admin consent, the end-user gets getting prompted for consent. This may be because in the sign in request, you continue asking for consent even when the Admin has already granted consent. You have this query in the URL: prompt=consent

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
Please sign in to rate this answer.
Vineet Kumar 11 Reputation points

2020-05-18T10:03:47.773+00:00

Thanks @Luis Leon - MSFT for your reply.
Actually our customers can have different settings at their Azure AD for managing consents to third party applications.
Some customers can let their all users to give consent but some might restrict it and allow only Admins to give consent (the flow for which this question was asked).
If we remove "prompt=consent" from request url (as you mentioned), it will not work fine for customers who allow all users to give consent as it will not show consent screen for user where he can give their consent to our application.
Also in second case, where customers allow only Admins to give consent, it would be difficult to append "prompt=consent" if consent is required and remove if consent is already provided by admin.

Vineet Kumar 11 Reputation points

2020-05-21T06:06:26.76+00:00

@Luis Leon - MSFT @soumi-MSFT any update?

Luis Leon - MSFT 6 Reputation points Microsoft Employee

2020-05-21T20:23:49.07+00:00

@Vineet Kumar you should be able to identity if the prompt=consent is neccesary or not for the 2 scenarios you mention. Please refer to this document where you can see how you can accomplish that: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#using-permissions

Vineet Kumar 11 Reputation points

2020-05-22T06:23:59.55+00:00

Thanks @Luis Leon - MSFT
I got your point. We will use ./default scope now as it will fix our problem.
I have one question:
Currently we are serving 2 Auth flows (having different scopes/permissions we ask user's consent for) with single app registration on azure portal. App registration has complete scopes, but we take consent for only a set of scopes (not all) based on use case.
But now with /.default scope coming in to picture, do we have to create different app registrations for different use cases (different set of scopes)?

Also, what about the error we get on "Back to App" button click?

Vineet Kumar 11 Reputation points

2020-05-29T05:41:02.927+00:00

@Luis Leon - MSFT Could you please reply on my above question?

Luis Leon - MSFT 6 Reputation points Microsoft Employee

2020-06-12T01:02:21.743+00:00

@VineetKumar-9858, The 2 auth flows are required because depending on the user role you will provide access to different parts of your application?

For that, you can use dynamic scopes. You don't need to create multiple apps. But, then you won't be able to use ./default. You will have to check the permissions you receive in the access token to validate that you have all the permissions to call the APIs. (https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens).

I was doing more internal research about your scenario and I found this thread from my colleague Philippe around why you shouldn't use prompt=consent and in what scenarios this is valid: https://stackoverflow.com/questions/60111863/azure-active-directory-needs-admin-approval-after-setting-prompt-consent

Let me know if that answer your questions.

Vineet Kumar 11 Reputation points

2020-07-06T07:51:34.677+00:00

Thanks a lot @luleon for clarifying things.
When can we expect the fix for error on clicking Back to app button?
Sign in to comment