SSO integration using MSAL asks for permission

Narayan, Sachindra 46 Reputation points
2020-05-31T07:02:43.177+00:00

I have been trying to use the MSAL module in Python for SSO integration. The landing page says:
<THE_APP_NAME> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

What permission does this registration need? The team says the application has the required access for User.Read for the Microsoft Graph API.


Accepted answer
  1. soumi-MSFT 11,761 Reputation points Microsoft Employee
    2020-06-01T05:59:37.877+00:00

    @Narayan, Sachindra, if you have provided delegated permissions (like User.Read) which do not require admin consent, but while the user tries to log in it still asks the user to log in with an admin account, this is expected to happen to some apps if they meet the criteria. This is documented as one of the "unexpected consent errors" here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error.

    AADSTS90093: <clientAppDisplayName> is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf.

    AADSTS90094: <clientAppDisplayName> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

    We termed those permissions illicit permissions, and if the control in the backend identifies any of those permissions that look illicit, it would ask the user to get admin consent for the delegated permissions too.

    That said, if this is a valid, non-malicious app we do want to make sure the developer is not blocked on this going forward. In order to get them unblocked immediately, the consent request can be sent to an admin for review and potential approval.

    In this case, an audit event will also be logged with a Category of "ApplicationManagement", an Activity Type of "Consent to application" and a Status Reason of "Risky application detected". We have a bug right now where the Status Reason shows up as a long value, but it is very obvious that it correlates to this specific behavior.

    The current status reason will be "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException".

    This is a default behavior now for OAuth Apps seeking User Consent based on the update pushed for all the tenants as a part of the security measure.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

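As an added illustration (not code from this thread or from the MSAL project), the block below shows how an app and its defenders can recognize the situation the accepted answer describes: the first function classifies the result dict that MSAL for Python returns from its acquire_token_* calls and reports whether the failure is one of the two admin-consent errors, and the second matches the audit event the answer describes. The audit event field names are assumed to follow the Microsoft Graph directoryAudit schema, the sample inputs are constructed, and the "error" value in the sample failure is an assumption.

```python
import re
from typing import Optional

# AADSTS codes quoted in the accepted answer, with their meaning.
CONSENT_CODES = {
    "90093": "user is not authorized to grant one or more requested permissions",
    "90094": "admin consent is required before the app can be used",
}
_CODE_RE = re.compile(r"AADSTS(\d{5})")


def admin_consent_required(result: dict) -> Optional[str]:
    """Inspect an MSAL token result (the dict acquire_token_* returns).

    Returns the AADSTS code when the failure is an admin-consent error,
    otherwise None (including when a token was actually issued)."""
    if "access_token" in result:
        return None
    match = _CODE_RE.search(result.get("error_description", ""))
    code = match.group(1) if match else None
    if code is None:
        # MSAL also surfaces the numeric codes separately; fall back to them.
        for numeric in result.get("error_codes", []):
            if str(numeric) in CONSENT_CODES:
                code = str(numeric)
    return code if code in CONSENT_CODES else None


def is_risky_app_consent_block(event: dict) -> bool:
    """Match the audit event logged when consent is blocked for a risky app.

    Accepts both the intended Status Reason and the long exception name the
    answer says currently appears because of a display bug."""
    reason = event.get("resultReason", "")
    return (event.get("category") == "ApplicationManagement"
            and event.get("activityDisplayName") == "Consent to application"
            and ("Risky application detected" in reason
                 or "UserConsentBlockedForRiskyAppsException" in reason))


# Constructed sample inputs; not captured from a real tenant.
SAMPLE_FAILURE = {
    "error": "invalid_grant",  # assumed value; the AADSTS code is what matters
    "error_description": "AADSTS90094: Contoso Reports needs permission to access "
                         "resources in your organization that only an admin can grant.",
    "error_codes": [90094],
}
SAMPLE_SUCCESS = {"access_token": "eyJ.constructed.token", "token_type": "Bearer"}
SAMPLE_EVENT = {
    "category": "ApplicationManagement",
    "activityDisplayName": "Consent to application",
    "resultReason": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException",
}
```

Run against the live dict from acquire_token_interactive (or a Graph directoryAudits record) instead of the samples to decide whether to route the user to the admin-consent request path or to raise an alert.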

1 additional answer

  1. Jai Verma 461 Reputation points
    2020-05-31T10:55:36.48+00:00

    It looks like admin consent has not been given to the application. Could you ask the AAD admin to verify whether admin consent to the permissions has been given, as shown here - https://learn.microsoft.com/en-us/azure/active-directory/develop/consent-framework
