Issue acquiring a token for custom web api

Alexander Gehling 1 Reputation point
2022-03-03T10:39:43.47+00:00

I am trying to authenticate with a custom web api using Microsoft Identity.

I am using the sample code from Microsoft (the 4.1 MyOrg sample) and have an app registration for both the client and the api. However, I keep getting an issue where the token can't be acquired and I am redirected to a login page where I am just told that the user can't be signed in as the application:

"AADSTS50105: Your administrator has configured the application REDACTED to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'REDACTED' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application."

However, a group of which I am a direct member is already in the list of groups/users with access.

When I am added to that list by e-mail, however, everything seems to work as expected and I am granted access to the API.

Are there any changes I might need to make for it to accept a group where I am a direct member as an access parameter?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Identity Manager
1 answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-03-04T11:41:05.3+00:00

    Hi @Alexander Gehling ,

    Thanks for reaching out.

    From your query, I understood that you are getting this error because the user has not been granted access to the application.

    This can be because the user/group has not been granted access to the application in Azure AD. The group you are a member of needs to be assigned to the application using Enterprise Applications.

    You need to have the Global Administrator, Cloud Application Administrator, or Application Administrator role, or be an owner of the service principal, to assign access to the application.

    If you have the "Assignment required" box checked within your Enterprise application, then users must be assigned to the application before being able to access it.
    If this option is set to no, then any users who navigate to the application URL directly will be granted access.


    From Enterprise Applications, select the application to which you want to assign the group you are a member of.


    Assign the group of which the signed-in user is a member. Note that nested groups are not supported, and the group must be directly assigned to the application.


    Hope this will help to allow all the members of the group to access the application.

    Thanks,
    Shweta

    ----------------------------------------

    Please remember to "Accept Answer" if answer helped you.
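The following diagnostic is an added example, not code from the thread or from Microsoft's sample: it uses the Microsoft Graph PowerShell SDK to read the "Assignment required" setting of the service principal named in the AADSTS50105 error and to tell apart the three cases discussed above (user assigned directly, a direct group assigned, or only a nested group assigned). The API display name and the user principal name are placeholders you must replace.

```powershell
# Added diagnostic for AADSTS50105 (not Microsoft's sample code). Assumes the
# Microsoft.Graph PowerShell SDK is installed and the caller can read
# applications and directory objects. Both parameters are placeholders.
param(
    [string]$ApiDisplayName     = "My Web API",          # placeholder, not from the thread
    [string]$UserPrincipalName  = "user@contoso.com"     # placeholder, not from the thread
)

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" | Out-Null

# The enterprise application (service principal) carries the "Assignment required" setting.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$ApiDisplayName'"
if (-not $sp) { throw "No service principal named '$ApiDisplayName'" }
"Assignment required: $($sp.AppRoleAssignmentRequired)"

$user        = Get-MgUser -UserId $UserPrincipalName
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

# Direct vs. transitive membership: only direct group membership satisfies the assignment check.
$direct = (Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }).Id
$transitive = (Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }).Id

$userAssigned = $assignments | Where-Object { $_.PrincipalType -eq 'User'  -and $_.PrincipalId -eq $user.Id }
$directGroups = $assignments | Where-Object { $_.PrincipalType -eq 'Group' -and $direct -contains $_.PrincipalId }
$nestedOnly   = $assignments | Where-Object {
    $_.PrincipalType -eq 'Group' -and $transitive -contains $_.PrincipalId -and $direct -notcontains $_.PrincipalId
}

if (-not $sp.AppRoleAssignmentRequired) {
    "Assignment is not required; AADSTS50105 is not coming from this service principal."
} elseif ($userAssigned) {
    "User is assigned directly: $($userAssigned.PrincipalDisplayName -join ', ')"
} elseif ($directGroups) {
    "User is covered by directly assigned group(s): $($directGroups.PrincipalDisplayName -join ', ')"
} elseif ($nestedOnly) {
    "Only nested group(s) are assigned, which the assignment check does not honour: $($nestedOnly.PrincipalDisplayName -join ', ')"
    "Assign a group the user is a direct member of, or assign the user directly."
} else {
    "Neither the user nor any of their groups is assigned to '$ApiDisplayName'."
}
```

Since the question has separate registrations for the client and the API, run it against whichever application the error message names, as either service principal can have assignment required.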
