I have a web app service for which I am trying to configure Azure Entra ID authentication. The issue I'm having is I am able to log in, but other users are not. They continually receive "Admin consent is required for the permissions requested by this application. An admin consent request may be sent to the admin." However, none of the permissions set require admin consent.
I have the ability to create application registrations in Entra ID, and I've recreated the app registration several times. However, I do not have specific permissions to change the enterprise app settings.
These first screenshots are of the app registration authentication settings.
Next are the assigned API permissions
That is it as far as the app registration is concerned.
As for the authentication settings for the app service, they are shown here
I've searched and read through a number of similar questions here on SO, such as Azure AD admin consent required when it shouldn't and Azure AD authentication access without admin consent to application. The answers to these questions do not help. As you can see, I don't have permission/authorization to provide admin consent for the organization.
The same is true for the enterprise application. All settings are disabled for the application in the Self-Service blade.
And I do not have any permissions that require admin consent.
In adding the app registration, I've followed Configure your App Service or Azure Functions app to use Microsoft Entra sign-in as well as Quickstart: Register an application with the Microsoft identity platform.
Is there a way to solve this, or do I have to go back to my Entra admins and ask them to change something?
Created a Microsoft Entra ID application and added API permissions as below:
Created a Web app, added authentication with Microsoft as the identity provider, and selected the above Microsoft Entra application:
As a sample, I used the below endpoint to authorize the users:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://rukweb.azurewebsites.net/.auth/login/aad/callback
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
Got the same error as below:
The error usually occurs if the API permissions granted to the Microsoft Entra ID application are not granted admin consent, or user consent is not enabled in the tenant.
In your scenario, as you do not want to grant the admin consent, you can contact the Global Admin to make the changes in the Enterprise applications blade as below:
Go to Azure Portal -> Enterprise application -> Consent and permissions -> User consent settings -> Enable the option Allow user consent for apps -> Save
Otherwise, you can enable the "Allow user consent for apps from verified publishers, for selected permissions" option:
For the above option to work, you need to add the User.Read API permission in the Permission classifications blade:
Now I am able to sign in successfully like below:
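As an added illustration (not code from the question or the answer), the following Python builds an authorize URL of the kind shown in the answer with properly encoded parameters, and then inspects such a URL for the two request features that most often produce the "Admin consent is required" prompt for non-admin users: a `/.default` scope, which asks for consent to every permission statically configured on the app registration at once, and any scope outside the small set of low-impact delegated permissions (openid, profile, email, offline_access, User.Read) that the default user-consent policy allows. The tenant, client and redirect values are placeholders, the `LOW_IMPACT_SCOPES` set is an assumption for this example, and the App Service callback path check is based on the `/.auth/login/aad/callback` URI used in the answer.

```python
"""Added example, not part of the original question or answer: build and
inspect a Microsoft Entra ID v2.0 authorize URL and report request features
that commonly lead to an admin-consent prompt for ordinary users."""
from urllib.parse import urlencode, urlparse, parse_qs

# Delegated permissions that do not need admin consent under the default
# user-consent policy. Assumption for this example: a small well-known subset.
LOW_IMPACT_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}

# App Service built-in authentication (Easy Auth) callback path, as in the answer.
EASY_AUTH_CALLBACK = "/.auth/login/aad/callback"


def build_authorize_url(tenant_id, client_id, redirect_uri, scopes, state):
    """Compose the authorize URL with correctly encoded query parameters."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return (
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
        + urlencode(params)
    )


def inspect_authorize_url(url):
    """Parse an authorize URL and return the tenant, scopes and consent findings."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    scopes = qs.get("scope", [""])[0].split()
    findings = []

    # '/.default' requests consent for all permissions configured on the app
    # registration; if any of them needs admin consent, sign-in is blocked for
    # a non-admin user even when the user only needed a low-impact scope.
    if any(s.endswith("/.default") for s in scopes):
        findings.append("scope uses /.default: consent covers all configured permissions")

    # Any explicitly named scope outside the low-impact set depends on the
    # tenant's user-consent policy (or on permission classifications).
    for s in scopes:
        bare = s.rsplit("/", 1)[-1]
        if bare != ".default" and bare not in LOW_IMPACT_SCOPES:
            findings.append(f"scope {s} may require admin consent depending on tenant policy")

    redirect = qs.get("redirect_uri", [""])[0]
    if not redirect.endswith(EASY_AUTH_CALLBACK):
        findings.append("redirect_uri is not the App Service Easy Auth callback")

    tenant = parsed.path.split("/")[1] if parsed.path.count("/") >= 1 else ""
    return {"tenant": tenant, "scopes": scopes, "findings": findings}


if __name__ == "__main__":
    # Constructed placeholder values; replace with real tenant/client/redirect.
    url = build_authorize_url(
        "TENANT_ID_PLACEHOLDER",
        "CLIENT_ID_PLACEHOLDER",
        "https://example.azurewebsites.net" + EASY_AUTH_CALLBACK,
        ["https://graph.microsoft.com/.default"],
        "12345",
    )
    for finding in inspect_authorize_url(url)["findings"]:
        print(finding)
```

Running it on the answer's `.default` request reports that consent covers every configured permission; replacing the scope list with `["openid", "profile", "User.Read"]` yields no findings, which is the request shape that works for a regular user once user consent for low-impact permissions is allowed in the tenant.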