Tags: .net, azure, azure-active-directory, azure-ad-msal

Authenticate in Azure AD silently from a domain joined machine


In our environment Windows machines are domain joined, and Azure AD Connect Sync is used to connect the domain to Azure AD. My goal is to authenticate in Azure using the context of the currently logged in user.

As I understand, I need to use Integrated Windows authentication (IWA) among the available methods.

Allows applications on domain or Azure Active Directory (Azure AD) joined computers to acquire a token silently (without any UI interaction from the user).

The description looks great. I am trying to use this example. I created an app registration as per the instructions, the only thing that I failed to do is Step 2:(Optional) / Register the client app / item 6:

At this stage permissions are assigned correctly but the client app does not allow interaction. Therefore no consent can be presented via a UI and accepted to use the service app. Click the Grant/revoke admin consent for {tenant} button, and then select Yes when you are asked if you want to grant consent for the requested permissions for all account in the tenant.

First of all, I do not understand what it is saying. How is that it does not allow interaction? What interaction?

Secondly, the value of "Admin consent required" is "No":


I am not a tenant admin, but I assume "Grant admin consent for ..." button is greyed because there is nothing to grant (it turns active once I add something).

Nevertheless I copied TenantId and app ClientId into the example and tried to run it. It is failing with the following error:

AADSTS65001: The user or administrator has not consented to use the application with ID 'b5e9bd68-5326-44ff-9fc6-c933227708ff' named 'foo-bar'. Send an interactive authorization request for this user and resource. Trace ID: 77c69007-80cb-4eb2-b60b-f029928c5f00 Correlation ID: 63be7460-11e6-49b2-88b9-a3b56025ee43 Timestamp: 2022-06-27 23:08:08Z

Again, what an interactive request? Isn't the purpose of this example to illustrate how I can authenticate silently and transparently for the user, without any interaction?

Please help me to find missing pieces.


Solution

  • IWA is a silent flow that doesn't need user interaction. You must grant consent to all users in the tenant to use the application.

    To perform the above action, you must have the tenant admin role as mentioned in the MsDoc.

    When that role is enabled, make sure to Grant Admin Consent like below after adding the required API permissions.


    You can also make use of the admin consent endpoint below, which will show a consent form like the one in the screenshot:

    https://login.microsoftonline.com/{your_tenant_id}/v2.0/adminconsent?
    client_id=Your_client_id
    &state=12345
    &redirect_uri=Your_redirect_uri
    &scope=https://graph.microsoft.com/.default
    


    After accepting the above consent, you can get rid of the "The user or administrator has not consented to use the application" error.
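As an added example (not code from the question, the answer, or the Microsoft sample the question refers to), here is the silent IWA flow in MSAL.NET (Microsoft.Identity.Client) with the consent error handled explicitly. In MSAL.NET a consent error such as the AADSTS65001 above surfaces as MsalUiRequiredException; because the flow is silent, the code can only report it, and the fix is the admin consent grant described in the answer. The tenant id and client id are placeholders; the scope is the one used in the answer's admin consent URL.

```csharp
// Added example: silent Integrated Windows Authentication with MSAL.NET.
// Assumes a domain-joined machine synced to Azure AD, a public-client app
// registration, and admin consent already granted for the app's API permissions.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class IwaSignIn
{
    // Placeholders: replace with your tenant and app registration values.
    private const string TenantId = "<your_tenant_id>";
    private const string ClientId = "<your_client_id>";

    // Same scope as the admin consent URL in the answer.
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    public static async Task<AuthenticationResult?> AcquireSilentlyAsync()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        try
        {
            // No UI: the request is made with the logged-on user's Windows credentials.
            AuthenticationResult result = await app
                .AcquireTokenByIntegratedWindowsAuth(Scopes)
                .ExecuteAsync();

            Console.WriteLine($"Signed in as {result.Account.Username}; token expires {result.ExpiresOn:u}");
            return result;
        }
        catch (MsalUiRequiredException ex)
        {
            // AADSTS65001 (consent not granted) lands here. A silent flow cannot show a
            // consent prompt, so the remedy is the admin consent grant, not a code change.
            Console.Error.WriteLine($"UI required ({ex.ErrorCode}): {ex.Message}");
            Console.Error.WriteLine("Ask a tenant admin to grant admin consent for the app's API permissions.");
            return null;
        }
        catch (MsalClientException ex)
        {
            // Typical when the machine is not domain joined or the user is not synced to Azure AD.
            Console.Error.WriteLine($"Client-side IWA failure ({ex.ErrorCode}): {ex.Message}");
            return null;
        }
        catch (MsalServiceException ex)
        {
            // Other service-side errors; the correlation id is what support will ask for.
            Console.Error.WriteLine($"Service error ({ex.ErrorCode}), correlation {ex.CorrelationId}: {ex.Message}");
            return null;
        }
    }

    public static async Task Main()
    {
        AuthenticationResult? result = await AcquireSilentlyAsync();
        Environment.ExitCode = result is null ? 1 : 0;
    }
}
```

Run it as the domain user on the joined machine; a non-zero exit code with the "UI required" message means the app registration still lacks tenant-wide consent, which a tenant admin grants either in the portal or via the adminconsent endpoint shown in the answer.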