Tags: azure, azure-active-directory, multi-tenant, adal, azure-ad-graph-api

Is Admin consent always required in an Azure AD Multi tenant environment?


The environment is configured in a multi-tenant way. 'AppName' is an App Registration within a common AD which was solely created to give access to users from different tenants to a single environment. For the sake of my description, call the tenants AD1, AD2 and AD3.

This message is displayed when a user from one of these ADs (with no Admin privileges) logs in the first time.

AppName needs permission to access resources in your organization that only an admin can grant

Additionally in the application exception logging I can see the below error

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: "OpenIdConnectMessage.Error was not null, indicating an error. Error: 'access_denied'. Error_Description (may be empty): 'AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant.

The premise is that for a user from AD1 to successfully access the environment, an Admin user from AD1 has to first log in and grant admin access. The "common AD" app registration is configured as follows.

The Supported account types option in the App Registration is set as

Accounts in any organizational directory (Any Azure AD directory - Multitenant)

The only API Permission is as shown in the image below. The status "Granted for ...." only refers to the "common AD" where the tenant ID resides - it does not grant Admin consent to any AD.

[Screenshot: API Permission]

The technology being used in the code is ADAL.Net with OpenIDConnect. We are using the: https://login.microsoftonline.com/common (V1.0) endpoint.

In the snippet shown below, found within this url for the only API permission being set in our case, 'Admin Consent Required' is set as 'No'.

[Screenshot: User.Read permission does not require Admin consent]

And that is what put me off. Why is the message/error popping up? Is the Admin consent always required because this is a multi tenant scenario? Does this Admin consent, sort of, create the trust between the common AD and the multi-tenant ADs?


Solution

  • Yes. In the case of multi-tenancy, admins are required to on-board their tenant. Only after the on-boarding process can users sign in. Also, the admin consent which is being shown in the screenshot is not related to or dependent on the type of tenancy; it is permission specific. App permissions and some delegated permissions require admin consent.

    https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent

    https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md
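As an added example (not code from the question, the answer or the linked samples), the helper below shows the two pieces an app needs around the on-boarding step the answer describes: building the tenant-specific v1.0 admin consent URL, recognising the AADSTS650056 consent failure in the OIDC error callback, and validating the redirect back from the admin consent endpoint. The tenant name, client id, redirect URI and state values are constructed placeholders.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

LOGIN_BASE = "https://login.microsoftonline.com"

# 650056 is the code from the question; 65001 ("user or admin has not
# consented") is a documented Azure AD code that is not on the page.
CONSENT_CODES = {"650056", "65001"}
AADSTS_RE = re.compile(r"AADSTS(\d+)")


def build_admin_consent_url(tenant, client_id, redirect_uri, state):
    """v1.0 admin consent URL: an admin of `tenant` opens it once to
    on-board that tenant; `state` must be unguessable and checked later."""
    query = urlencode({"client_id": client_id, "state": state,
                       "redirect_uri": redirect_uri})
    return f"{LOGIN_BASE}/{tenant}/adminconsent?{query}"


def classify_oidc_error(error, error_description):
    """Map an OIDC error callback to ('needs_admin_consent', code) when the
    AADSTS code says the tenant has not been consented, else ('other', code)."""
    match = AADSTS_RE.search(error_description or "")
    code = match.group(1) if match else None
    if error == "access_denied" and code in CONSENT_CODES:
        return "needs_admin_consent", code
    return "other", code


def admin_consent_succeeded(callback_url, expected_state):
    """Validate the redirect from /adminconsent: state must match what we
    issued, and admin_consent=True must be present. Returns (ok, tenant_or_error)."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return False, "state mismatch"          # possible forged callback
    if q.get("admin_consent", [None])[0] != "True":
        return False, q.get("error_description", ["consent not granted"])[0]
    return True, q.get("tenant", [None])[0]


if __name__ == "__main__":
    # Constructed sample: the error from the question's log, shortened.
    desc = "AADSTS650056: Misconfigured application. The admin has not consented in the tenant."
    print(classify_oidc_error("access_denied", desc))
    print(build_admin_consent_url("ad1.example.onmicrosoft.com",
                                  "00000000-0000-0000-0000-000000000000",
                                  "https://app.example.com/consent", "s1"))
```

In the app, a `needs_admin_consent` result is the point to show the tenant admin the consent URL instead of the raw exception from the log above.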