I've created an application in https://apps.dev.microsoft.com (Platforms: Web).
This app needs the admin consent for certain permissions. I remember, in the past, accessing https://login.microsoftonline.com/{tenant name}/adminconsent?client_id={application id}&state={some state data}&redirect_uri={redirect uri} with an admin account in order to give permission to access resources in our organization that only an admin can grant. From there, users needed to give user-level consent in order to use the application.
Now, I can successfully login with an admin account and the app works as expected BUT I still get a prompt, for users, with the following message:
You can't access this application
APP NAME needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
Have an admin account? Sign in with that account
Return to the application without granting consent
The error message is: AADSTS90094: The grant requires admin permission.
which doesn't seem to be documented anywhere.
If I click on "Have an admin account? Sign in with that account" and sign in with an admin account, it works, but trying again with a regular user account I get the above message again.
EDIT:
So I stripped permissions down to a bare minimum.
Scopes in my application are now: openid, profile, user.read.
And Microsoft Graph permissions are now, for Delegated Permissions: Mail.Send, User.Read. Nothing in Application Permissions and I STILL get the above message for regular users!
Anybody from Microsoft have some info on the AADSTS90094 error code?
OK, so I ended up contacting Microsoft support for this since, as of this date, there is no information on this error message.
To put it briefly, Microsoft has made some recent changes with regards to permissions. In the past, if your app required any of the openid, profile or offline_access scopes, you could just place them in your app as scopes; they weren't available on https://apps.dev.microsoft.com. An admin would've given consent and your app would function properly.
What you should now do is mirror your app's scopes with the permissions you have on https://apps.dev.microsoft.com, or else you'll keep on getting that error message, so make sure you have the same thing on both sides now, especially if you're used to the old behavior.
Those three scopes/permissions (openid, profile and offline_access) can now be selected for your app on the dev portal.