How to allow non-admin users to authenticate via OAuth2.0 for tenants where users are not allowed to consent apps on their behalf?

We have an app that uses Office365 OAuth to register and authenticate users (via the allauth.social Django library).

The problem is, when the Microsoft/Azure tenant is configured to restrict non-admin users from "consent[ing] to apps accessing company data on their behalf", users are not able to register and login.

We have tried to grant admin consent either via https://login.microsoftonline.com/{tenant_name}/adminconsent or via https://login.microsoftonline.com/{tenant_name}/oauth2/v2.0/authorize?prompt=admin_consent. And although our admin users are able to successfully register and grant the permissions (and are also able to retrieve tokens that can be used to impersonate any user in the tenant), individual users are still not able to register/login to our app, since they are not allowed to complete the OAuth flow. They are just met with a blocking page (screenshot omitted).

How do we allow non-admin users to log in with OAuth when they are restricted from doing so?

P.S. We are using the Microsoft Graph API.

john2x asked Aug 11 '17 09:08


1 Answer

It looks like you might still need to do admin consent for the app itself (the URLs you share in your question don't include the app ID). You can try doing admin consent for the app using a URL like this one: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&resource={1}&redirect_uri={2}&prompt=admin_consent where:

  • {0} = your client ID
  • {1} = the scope you want to grant permission to
  • {2} = a redirect URI (note: for just forcing admin consent this technically doesn't have to exist because by the time we redirect to it the consent has already happened)

Once you've had an admin consent to the app itself, individual users should be able to log in without needing to go through any consent flows.

elisol-MSFT answered Oct 14 '22 20:10
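As an added illustration (not code from the question or the answer), this Python snippet builds an admin-consent URL of the shape the answer describes and flags the defect the answer points out in the question's URLs: no client_id, so consent cannot be tied to the app. The endpoint is the one quoted in the answer; the client ID, resource and redirect URI are constructed sample values.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Azure AD v1 authorize endpoint quoted in the answer above.
AUTHORIZE_ENDPOINT = "https://login.windows.net/common/oauth2/authorize"


def build_admin_consent_url(client_id, resource, redirect_uri):
    """Build the authorize URL with prompt=admin_consent for one app.

    client_id is the app (client) ID, resource the API being consented to
    (e.g. https://graph.microsoft.com), redirect_uri a reply URL for the app.
    """
    if not client_id:
        raise ValueError("client_id (the app ID) is required for admin consent")
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must use https")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "resource": resource,
        "redirect_uri": redirect_uri,
        "prompt": "admin_consent",
    }
    # urlencode percent-encodes the embedded URLs (resource, redirect_uri).
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def admin_consent_url_problems(url):
    """Return the reasons a URL cannot record consent for an app, if any."""
    query = parse_qs(urlparse(url).query)
    problems = []
    if "client_id" not in query:
        problems.append("missing client_id: consent is not tied to any app")
    if query.get("prompt") != ["admin_consent"]:
        problems.append("prompt is not admin_consent")
    if "redirect_uri" not in query:
        problems.append("missing redirect_uri")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not a real tenant or app registration.
    url = build_admin_consent_url(
        client_id="00000000-0000-0000-0000-000000000000",
        resource="https://graph.microsoft.com",
        redirect_uri="https://app.example.com/oauth/callback",
    )
    print(url)
    print(admin_consent_url_problems(url))
    # One of the URLs from the question: prompt is set, but there is no app ID.
    print(admin_consent_url_problems(
        "https://login.microsoftonline.com/{tenant_name}/oauth2/v2.0/authorize?prompt=admin_consent"))
```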