servicetuta.blogg.se

Active net admin login










In the previous posts I've discussed authenticating and authorizing a user with Azure Active Directory (Azure AD) using a basic application registration. All application registrations are given default permissions to access the Azure Graph API – this was used in my previous post to retrieve information about the signed-in user. The default permission set is a delegated permission that allows the user to sign in and view their own profile.

This can be viewed in the Azure portal by extending the Required permissions tab for the application. In this post I'm going to extend this permission set to include the “Read directory data” permission. You'll notice in the previous image that there is a green tick in the “Requires Admin” column. What this means is that in order for a regular user (i.e. a user that is not a global administrator for the tenant) to sign in, a global administrator must first sign in and consent to the permissions on behalf of the organisation. If a regular user attempts to sign in, they'll be confronted with an error message such as “AADSTS90093: Calling principal cannot consent due to lack of permissions”. Essentially, this error indicates that a global administrator needs to sign in and consent on behalf of the organisation before users can sign in.

If a global administrator signs in, they'll see a prompt where they can consent to permissions – this is slightly confusing as it would imply that the administrator is consenting on behalf of the organisation. Unfortunately this is not the case; they're only consenting for use by their account. In order for a global administrator to consent on behalf of an organisation, so that all users can make use of the “admin consent” permissions, they have to be directed to a new sign-in page with the parameter “prompt=admin_consent” set in the query. In other words, the admin consent URL is exactly the same as the authorization URL, except it has “&prompt=admin_consent” appended to the end.

The admin consent prompt looks slightly different to a regular consent prompt as it highlights that consent is going to be assigned for the entire organisation. As this is a one-off operation, a global administrator can either navigate to the URL in the browser, or the application can have a separate button that would launch the URL so that the admin can consent.
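The following is an added example, not code from the original post: it derives the admin consent URL from an existing authorization URL by setting “prompt=admin_consent” exactly once, and recognises the AADSTS90093 error so an application can point a global administrator at that URL. The sample URL (tenant, client ID, redirect URI, endpoint path) and the function names are constructed for illustration, as is the assumption that the application can see the error text.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample authorization URL: tenant, client_id and redirect_uri are placeholders.
SAMPLE_AUTHORIZATION_URL = (
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&resource=https%3A%2F%2Fgraph.windows.net"
    "&prompt=login"
)

ADMIN_CONSENT_ERROR = re.compile(r"\bAADSTS90093\b")


def to_admin_consent_url(authorization_url: str) -> str:
    """Return the authorization URL with prompt=admin_consent as its last parameter."""
    parts = urlsplit(authorization_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("authorization URL must be an absolute https URL")
    # Drop any prompt value already present so the parameter is never duplicated.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k.lower() != "prompt"]
    params.append(("prompt", "admin_consent"))
    return urlunsplit(parts._replace(query=urlencode(params)))


def needs_admin_consent(error_text: str) -> bool:
    """True when a sign-in failure message carries the AADSTS90093 code."""
    return bool(ADMIN_CONSENT_ERROR.search(error_text or ""))


def next_step(error_text: str, authorization_url: str) -> str:
    """Decide what the application should surface after a failed sign-in."""
    if needs_admin_consent(error_text):
        return "Ask a global administrator to open: " + to_admin_consent_url(authorization_url)
    return "Sign-in failed for another reason: " + error_text


if __name__ == "__main__":
    print(next_step("AADSTS90093: Calling principal cannot consent due to lack of permissions",
                    SAMPLE_AUTHORIZATION_URL))
```

Replacing an existing prompt value rather than blindly appending keeps the query unambiguous when the original authorization URL already forced a login or consent prompt.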










