Tags: azure, oauth-2.0, azure-active-directory, microsoft-graph-api

Azure app incorrectly requesting admin consent?


I'm hoping someone has some insight into an issue I'm having with a newly registered app within Microsoft's Azure Portal (portal.azure.com).

My issue is on login, when I get the following dialog:

[screenshot: admin consent dialog]

The error code and message appear in the lower right corner:

AADSTS90094: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

Configuration-wise, I believe I have this set up to not require admin consent; however, there may be something I'm missing.

My app is configured with:

Id Token, single tenant (web) application

[screenshot: flow configuration]

Delegated, user consent permissions with no admin permissions

[screenshot: app permissions]

With the enterprise application, the configuration is set to:

  • Enabled for users to sign-in: Yes
  • User assignment required: Yes
  • Visible to users: Yes
  • 4 users have been added with the Default Access role
  • Allow users to request access to this application: No (as they are assigned)

Last of all, within the Azure directory itself, under the Enterprise applications - User settings configuration, I have set the company data user consent to Yes.

[screenshot: Directory user consent]

When I navigate either to my application URL or to the app from within myapps.microsoft.com, both give me the above dialog requesting admin consent.

I don't want to grant admin consent if not required, as it seems a bit like using a sledgehammer to solve the problem.

I feel like I'm either missing something big, or doing something silly - please help, and let me know if I can provide further information.

Edit 1.1:

My authentication request URL is: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<clientid>&redirect_uri=<redirecturi>&response_mode=form_post&response_type=code id_token&scope=openid email profile offline_access User.Read User.ReadBasic.All Mail.ReadWrite&state=OpenIdConnect.AuthenticationProperties=<gibberish>&nonce=<gibberish>&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0

(I'm using ASP.NET MVC combined with Microsoft's OpenId Connect authentication library)


Solution

  • When a user consents to an application which does not require assignment (in a tenant where user consent is allowed, and for an application requesting only permissions which do not require admin consent), two things happen:

    1. Consent grants are recorded for the app, the user and the delegated permissions being requested.
    2. The user is assigned to the app at a "default" app role.

    The second step may seem surprising, but it serves a simple role: it ensures the user sees apps they've consented to in the Azure AD Access Panel (https://myapps.microsoft.com). (The Azure AD Access Panel will show a user all apps they are assigned to.)

    It would defeat the purpose of the "user assignment is required" control if users could cause themselves to be assigned by triggering user consent. So, currently, when an application is set to require user assignment, users are simply not allowed to consent to the application.

    Today, you have two options:

    1. Ask an admin to grant tenant-wide consent for the application (e.g. Enterprise apps > Permissions > Grant admin consent, or App Registrations > API Permissions > Grant admin consent).
    2. Configure the app to not require user assignment, and update the app's code to require the user be assigned to an app role by checking the "roles" claim.
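One way to implement option 2 in the asker's ASP.NET MVC / OWIN OpenID Connect setup, as an added example that is not from the answer or the asker's project: the SecurityTokenValidated notification refuses any sign-in whose ID token carries no app-role claim, so an unassigned user never gets a session cookie even though Azure AD issued a token. It assumes the app registration defines an app role in its manifest and the users are assigned to it (the built-in Default Access assignment does not emit a roles claim); the client id, tenant id, redirect URI and error page path are placeholders.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholders; take the real values from the app registration.
    private const string ClientId = "<clientid>";
    private const string Authority = "https://login.microsoftonline.com/<tenantid>/v2.0";
    private const string RedirectUri = "<redirecturi>";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            RedirectUri = RedirectUri,
            ResponseType = "code id_token",
            Scope = "openid email profile offline_access User.Read User.ReadBasic.All Mail.ReadWrite",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs after signature/issuer/audience validation, before the cookie is issued.
                SecurityTokenValidated = context =>
                {
                    if (!HasAppRole(context.AuthenticationTicket.Identity))
                    {
                        // No app role in the token: the user is not assigned, so refuse the sign-in.
                        context.HandleResponse();
                        context.Response.Redirect("/Error/AccessDenied"); // hypothetical page
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Azure AD emits app roles in the "roles" claim; the JWT handler maps it to ClaimTypes.Role.
    public static bool HasAppRole(ClaimsIdentity identity)
    {
        return identity != null && identity.Claims.Any(c =>
            (c.Type == ClaimTypes.Role || c.Type == "roles") && !string.IsNullOrWhiteSpace(c.Value));
    }
}
```

With "User assignment required" switched off, the consent prompt disappears, and this check is what keeps unassigned users out of the app instead.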