Reputation: 1376
I am setting up an App Registration in the Azure AD portal to be used with my sample ASP.NET Core 2 web app. For starters, I want to get basic authentication working. I am configuring this app to enable only one permission, "Sign in and read user profile"; note that it does not require admin permission:
However, when I run my web app and attempt to authenticate against this client ID, I get the "AADSTS90094: The grant requires admin permission" error:
You can't access this application
AspNetCoreAdAuth needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
This is the URL that my app uses to authenticate (with some sensitive or irrelevant data removed):
https://login.microsoftonline.com/<my_tenant_id>/oauth2/authorize?client_id=<my_client_id>&redirect_uri=<my_redirect_uri>&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=<gibberish>&state=<giberrish>&x-client-SKU=ID_NET&x-client-ver=2.1.4.0
The majority of solutions on SO and elsewhere propose simply using the "Grant Permissions" button to get past this error. However
Any ideas?
Upvotes: 7
Views: 6997
Reputation: 58898
One possible reason is that your organisation administrator has disabled the "Users can consent to apps accessing company data on their behalf" setting.
You can find it under User settings:
Upvotes: 7