Grant Administrator consent to Azure AD Application

While developing a new application that needed to use the SfB Online API, I discovered that the application needs consent from an administrator before it can authenticate users against the SfB Online API.
Every time I tried to log in with a non-admin user, I was hit with several problems.

Problem 1: Admin Consent

AADSTS90093: Calling principal cannot consent due to lack of permissions.
or
AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

Sure, this error does explain what the problem is, but for me it was hard to determine how to solve it.

Probable Solution
I tried to give my current user admin rights in AAD. It worked.
NOTE: Users need to be assigned administrator rights at the AAD level; membership in an AAD group does not make a real difference here.

In a one-man shop or a smaller organization this might not be a problem. But in a larger organization it becomes a real problem: you cannot give all the users in your organization admin rights.
Sure, you could give each user admin rights the first time they need to log in to your application, but that would be a nightmare scenario for system administrators, as it involves a lot of overhead, and they would have to remember to remove the privilege again afterwards.

Conclusion
Not a good solution, need to research more.

Problem 2: Admin level

AAD has two different admin levels:
– Global Administrator: Has full control over the AAD tenant (access to Azure subscriptions is granted separately through Azure RBAC, although a Global Administrator can elevate itself into it).
– Limited Administrator: Holds one or more scoped directory roles, each limited to a set of functions.

The problem now was that in order to grant consent the user needs to be a Global Administrator; a Limited Administrator is not enough.

Conclusion
Not a good solution, need to research more.

Solution

After going through several blog posts, the SfB Online documentation and the AAD documentation, I figured that I might need to create a new URL, only for admins.
The problem might have been me to start with: I should have gone through the documentation more thoroughly.

https://login.microsoftonline.com/common/oauth2/authorize?
client_id=<CLIENT-ID>
&redirect_uri=<REDIRECT-URI>
&resource=<RESOURCE-ID>
&response_type=code
&response_mode=form_post
&prompt=admin_consent

Parameter: Description
– CLIENT-ID: Client Id/Application Id of your registered application
– REDIRECT-URI: Redirect URL you configured while registering the application. It has to match a registered reply URL exactly, otherwise AAD rejects the request.
– RESOURCE-ID: IMPORTANT. The resource (API) you want the admin to grant consent for, identified by its App ID URI or application id.

Note that prompt=admin_consent grants the requested permissions for every user in the tenant, so the administrator should review the permission list on the consent page before accepting. Adding a random state parameter to the URL and checking it when the response comes back is also recommended, as with any authorization code request.

For more information on the parameters that can be passed, check the Azure AD documentation and the SfB Online documentation.
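To show how the URL above is built and how the form_post response should be handled, here is an added Python example; it is not code from the original post or from Microsoft. It assumes placeholder values for client_id, redirect_uri and resource, assumes that a successful admin-consent response carries code, state and (informationally) admin_consent and tenant fields, and assumes that the non-admin failure comes back as an error/error_description pair; the sample response bodies in the tests are constructed, not captured.

```python
import secrets
from urllib.parse import parse_qs, urlencode

# The v1 authorize endpoint from the post. The client_id, redirect_uri and
# resource values passed in below are placeholders; substitute your own.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"


def new_state() -> str:
    """Random anti-CSRF token. Store it server-side (e.g. in the session)
    before redirecting and compare it with the value AAD posts back."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, resource: str,
                        state: str, admin_consent: bool = False) -> str:
    """Build the authorize URL. With admin_consent=True this is the
    admin-only URL from the post (prompt=admin_consent); without it, it is
    the ordinary sign-in URL end users hit once consent has been granted."""
    params = {
        "client_id": client_id,
        # Must match one of the reply URLs registered for the app exactly;
        # AAD rejects the request otherwise.
        "redirect_uri": redirect_uri,
        # App ID URI (or application id) of the API being consented to.
        "resource": resource,
        "response_type": "code",
        "response_mode": "form_post",
        "state": state,
    }
    if admin_consent:
        params["prompt"] = "admin_consent"
    # urlencode percent-encodes ':' and '/' inside the URI-valued parameters.
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_consent_response(form_body: str, expected_state: str) -> dict:
    """Interpret the form_post body AAD sends to redirect_uri.

    Returns ok=True plus the authorization code on success, or ok=False plus
    an error string otherwise. The state comparison is what stops an attacker
    from feeding the app a response for a flow it never started.
    """
    fields = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    if fields.get("state") != expected_state:
        return {"ok": False, "error": "state_mismatch",
                "error_description": "response does not belong to a request we issued"}
    if "error" in fields:
        # e.g. the AADSTS90093 message a non-admin user triggers
        return {"ok": False, "error": fields["error"],
                "error_description": fields.get("error_description", "")}
    if "code" not in fields:
        return {"ok": False, "error": "malformed_response",
                "error_description": "neither code nor error present"}
    return {
        "ok": True,
        "code": fields["code"],
        # Assumed to be present on a successful admin-consent response;
        # treat them as informational, not as proof of consent.
        "admin_consent": fields.get("admin_consent", "").lower() == "true",
        "tenant": fields.get("tenant"),
    }


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url("00000000-0000-0000-0000-000000000000",
                              "https://app.example.com/consent",
                              "https://api.example.com/", st, admin_consent=True))
```

Send the administrator to the URL from build_authorize_url(..., admin_consent=True), keep the state value on the server, and pass the posted form body together with that value to parse_consent_response; only a response that passes the state check and carries a code should be exchanged for tokens.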

After signing in to Azure (from your generated URL), the Global Administrator will see this:
[Image: AzureConsent01-AdminConsent, the admin consent prompt listing the requested permissions]

After a Global Administrator has granted consent for your application to use the requested resources, your users will be able to log in and use your application without being asked for consent themselves.
