I've created an application in https://apps.dev.microsoft.com (Platforms: Web)
This app needs the admin consent for certain permissions. I remember, in the past, accessing https://login.microsoftonline.com/{tenant name}/adminconsent?client_id={application id}&state={some state data}&redirect_uri={redirect uri} with an admin account in order to give permission to access resources in our organization that only an admin can grant. From there, users needed to give user-level consent in order to use the application.
Now, I can successfully login with an admin account and the app works as expected BUT I still get a prompt, for users, with the following message:
You can't access this application
APP NAME needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
Have an admin account? Sign in with that account
Return to the application without granting consent
The error message is: AADSTS90094: The grant requires admin permission. which doesn't seem to be documented anywhere..
If I click on the Have an admin account? Sign in with that account and sign in with an admin account, it works but trying again with a regular user account I get the above message again.
EDIT:
So I stripped permissions down to a bare minimum.
Scopes in my application are now: openid, profile, user.read
And Microsoft Graph Permissions are now, for Delegated Permissions: Mail.Send, User.Read. Nothing in Application Permissions and I STILL get the above message for regular users!
Anybody from Microsoft have some info on the AADSTS90094 error code?
OK, so I ended up contacting Microsoft support for this since, as of this date, there is no information on this error message.
To put it briefly, Microsoft has made some recent changes with regards to permissions. In the past, if your app required any of the openid, profile or offline_access, you could just place them in your app as scopes, they weren't available on https://apps.dev.microsoft.com. An admin would've given consent and your app would function properly.
What you should now do is mirror your app's scopes with the permissions you have on https://apps.dev.microsoft.com or else you'll keep on getting that error message so make sure you have the same thing on both sides now, especially if you're used to the old behavior.
Those three scopes/permissions (openid, profile and offline_access) can now be selected for your app on the dev portal.
The admin consent endpoint doesn't help in dynamic scope and dynamic consent scenario .
Using the admin consent endpoint will grant the permissions registered in the app registration portal . You can locate Microsoft Graph Permissions section, and then add the permissions that your app requires. After doing admin consent by using the admin consent endpoint , your app can gather permissions for all users in a tenant, including admin-restricted scopes .
I am using MSAL and the 2.0 endpoint (login.microsoft...), I am developing a Multi-Tenant Application.
My Organization has 2 Tenants
One of them is essentially our Dev instance (and I have global admin rights). I registered my app in the Tenant that I don't have Admin Rights on and performed Admin Consent for said app in the Tenant where I can perform the Consent myself. My users can Login Successfully and have consent to the resources they need.
However, when I created the App Registration (all Converged Apps on apps.dev.mic) from the account where I have global admin rights, the login for my users gets the AADSTS90094 Error.
The only way I've come to "resolve" this error is,
On Initial Login to the application the scope would be openid the user then consents to that, when that is completed I have to do another login with the scope defined for the application and everything works. Obviously that UX is wonky to say the least.
Related
I created web app with Single Sign On (SSO) using Azure AD. I implemented solution with OAuth 2.0.
I tested my solution with my testing Azure AD - its working fine! But when I started using it on my clients Azure AD account I got an error:
Need admin approval
--Application Name-- needs permission to access resources in your organization that only an admin can grant. Please, ask an admin to
grant permission to this app before you can use it.
I have set API permission for this application in:
User.Read, email, offline_access, openid, profile
But error still the same.
Can somebody help me? What permission do I need to set for my app on my client's Azure AD account?
I have an application, that is registered in facebook, and I want to ask the users for manage_pages permission. I failed to do obtain the token both with the PHP facebook SDK
$loginUrl = new FacebookRedirectLoginHelper($myLoginUrl)->getLoginUrl(['manage_pages']);
And using just plain HTTP:
https://www.facebook.com/dialog/oauth?scope=manage_pages,user_tagged_places&client_id=MY_CLIENT_ID&redirect_uri=MY_REDIRECT_URI
The first signal that something is wrong is that the facebook popup asks
only for public_profile, second signal is that once I obtain the access_token token and run it through https://graph.facebook.com/debug_token?input_token=OBTAINED_TOKEN
it only displays public_profile
Do I need to change the settings of my Facebook application to ask users for manage_pages?
The problem was that the application is not yet reviewed by facebook and the accounts I was testing it do not have any role in the app.
Relevant documentation part: more here
If your app requests this permission Facebook will have to review how your app uses it. You can grant this permission on behalf of people listed within the Roles section of your App's Dashboard without review by Facebook.
My app allows to a signed user to post a custom message on his wall.
The app only works with the account which holds the app and the users marked as testers, but for regular users it seems that the APP can't get publish_actions permission. For tester users when the guy logs in first it asks for regular permissions and the second windows is the message that the app wants to publish on the wall, this second message never happens for regular users.
I've submited my app for review (although the website is not on a public server) and it got rejected for not explaining well how the user use this right. Does the app have to be approved here to work... or is this just for showing up on the facebook searcher and stuff...??
Thanks
In order for permissions to be approved, you must:
Make sure the website or application is accessible to the public (so Facebook can test). The app can be on a private / unpublished page.
Provide detailed instructions and screenshots on how the permission is used. This is so that Facebook can check to see if it complies with the Platform Policies and that the app is not spammy
Make sure your app complies with the Platform Policies before submitting for review.
For the purpose of review, you should make the application available to the public. Once the permission is approved, you can then remove public access to the application.
I understand that to use the Admin SDK only works with OAuth2.0 protocol, which requires that the logged on to Google and use the credentials that are created in developer console. My situation is that I'm implementing a process to enlist employees in our application and create an account in google, but not all our users have admin permission to enlist google accounts.
I made my user functionality and working properly (because my user is admin) but when upload it to production, another user could not create the user accounts when creating an employee, send the error that had no permissions to use the resource / API, obviously this person did not have administrator permissions.
So how do I send the credentials of an administrator account from server-side so that they can create user accounts on google?
not what I mean?
translated with Google Translate
There are two options available:
1) Store an admin's credentials.
In this method, you have an admin account go through a special authorization flow, and store their access_token and refresh_token in your database. Whenever you need to make a request that requires admin privileges, use the admin's stored credentials instead of the user's credentials.
2) Use a service account to impersonate an admin.
Service accounts can be granted domain-wide authority, allowing them to impersonate any user in the domain. When you need to make a request that requires admin privileges, use the service account to impersonate a domain administrator.
Option #1 is much simpler to code against, but requires a special admin flow in your application.
Open Google Console and select your project. You will find permission menu. When you will add a member at the time you have to give permissions there.
I have developed a test facebook app. Its working fine if I login and access it but if another user login and use the same app it creating error... what could be the issue.
Most likely you have the Application in Sandbox mode:
If enabled, only the developers of
your app will be able to sign in to
your app
You need to add that "other" user at least as a Tester in your Application's "Manage Users" section under the About tab.
More about access levels can be found here.