I'm trying to use Microsoft AD Azure to log into my web app. I'm using OWIN and have managed to get to the login page - type in the credentials (including Azure admin credentials) and I get this lovely message:
AADSTS90093: This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I'm not sure what else I can do as it's a very specific error but I've already given it full admin.
Edit - Solved! Although it might be a bit different than for others as it's a bit of a rare case. I was pointing at the wrong version of AD where only the CEO of the business had global admin permissions. Once I had pointed it to a different version of AD (the dev AD - not the corporate AD) everything worked.
Your application requires Admin consent. Try the Grant Permissions button in Azure new portal. Wait a few minutes for it to take effect.
Based on the error message, your app has been assigned an application permission, which requires the Azure Active Directory admin to give consent.
You can check the permissions as in the figure below and remove any unnecessary permissions your app doesn't use.
You can also refer to the code sample here to integrate Azure AD with a web app.
In addition, if we are developing a single-tenant app and register the app from the Azure classic portal or new portal, there is no need to grant the permission from the web app. The permission is already granted when we register the app.
Please let me know if it helps.
I am using https://learn.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-iwa-v2/active-directory-dotnet-iwa-v2/#step-2-register-the-sample-with-your-azure-active-directory-tenant to generate a token and I have followed the procedure as mentioned in the above link. I have provided the clientID in the appsetting.json file and it keeps giving a
"Failed to get user name" error.
I have used the admin account to generate the app.
Based on our discussion, this issue should have been resolved. I will summarize the solution here.
As the sample overview says:
This sample demonstrates how to use MSAL.NET from apps that run on a
domain joined or AAD joined Windows machine.
So you need to use an AAD joined Windows machine to test this sample.
Firstly, you need to add your Windows machine into your AAD domain.
Then when you run this sample, you may encounter the following error: The user or administrator has not consented to use the application with ID '{appId}' named '{appName}'.
This is because you haven't got user consent for this app in your AAD. You need to call AcquireTokenInteractive instead of AcquireTokenByIntegratedWindowsAuth on line 93 of the PublicAppUsingIntegratedWindowsAuthentication.cs file. And then call AcquireTokenByIntegratedWindowsAuth again.
Now you can get the user signed-in on the Windows machine successfully.
Update:
Based on Constraints, IWA supports federated users only, meaning users created in Active Directory and backed by Azure AD. Users created directly in Azure AD, without Active Directory backing (managed users) can't use this authentication flow.
So if you want to use IWA (Integrated Windows Authentication), you need a federated account to test it.
I have access to my Azure AD Portal. I also have an external ASP.NET application which is accessing the Microsoft Graph API. For this purpose I add an App Registration which gives me an Application ID and Key to be able to configure my ASP.NET application to authenticate itself against the Graph API.
I need my ASP.NET application to read groups out of Azure AD. I can authenticate successfully but I get an error saying that I have not enough privileges. Then I go back to the Azure AD Portal and add permissions to the App Registration I added. This works ok so in the end I have the Graph API response on my ASP.NET application.
Now here comes the issue. I selected too many permissions so I want to use the smallest set of permissions that are necessary for my ASP. So I go to the Azure AD Portal again and remove some of the permissions. When I test my app again, I still receive the groups even if I have no permissions selected.
I think this is an issue. Or there's some kind of delay? I don't think so because when the API is working and has the proper permissions I can add a group in Azure AD Portal and instantly see it in my ASP.NET application.
This issue is especially annoying because you can't really test the permissions your app needs.
Thanks.
We have set up an application in AAD.
The application has been granted access to read/write all messages/mails and "read users profiles" and a global admin has pushed the "Grant permissions" button in the portal.
Still we get an Access denied error when trying to access
https://graph.microsoft.com/v1.0/users/{myId}/MailFolders/Inbox/ChildFolders
for my userid (myId). The URL works fine in graph explorer when I'm logged in as my own user.
Also, decoding the JWT at jwt.io shows the application id, name and "aud" (https://graph.microsoft.com) - but no roles/scopes.
What have we done wrong?
Ok so I submitted a ticket to Microsoft Support. I haven't received any response yet, but now it all works just fine. I have no idea why, but when I was submitting the ticket this morning a warning was shown that an outage in Azure AD was recently fixed so maybe that is why things didn't work yesterday.
These are delegated permissions... so you will need a user with the same rights and use the credentials of the user in your authorization flow for your app.
The effective rights are the intersection of the user rights and the rights of the app.
"Effective permissions are the permissions that your app will have when making requests to an API.
For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (through consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user."
The user also needs permission to use the app in AAD.
If it is not a delegated permission, a global admin may need to grant the consent for all users. "Topic Admins" can only "request" the permissions for the app and the global admin can consent for all users.
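For the question above, where the decoded JWT shows an `aud` of Graph but no roles or scopes, and for the earlier AADSTS90093 case about application permissions, here is an added diagnostic (my own example, not code from any of the posts or from Microsoft) that decodes an access token payload without verifying it and reports whether the token carries application permissions (`roles`), delegated permissions (`scp`), or neither. The tokens it inspects are constructed samples with a dummy signature, and the permission names and app id are assumed values.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    # Inspection only: the signature is NOT checked, so never use this to accept
    # a token; it just shows what Microsoft Graph would read from the payload.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def token_permissions(claims: dict) -> dict:
    # 'roles' carries application permissions (client credentials, no user);
    # 'scp' carries delegated permissions (a user signed in). A token with
    # neither grants nothing to Graph, whatever the portal registration shows.
    roles = list(claims.get("roles", []))
    scp = claims.get("scp", "").split()
    if roles and scp:
        flow = "mixed"
    elif roles:
        flow = "application"
    elif scp:
        flow = "delegated"
    else:
        flow = "none"
    return {"aud": claims.get("aud"), "flow": flow, "roles": roles, "scp": scp}

def has_permission(claims: dict, required: str) -> bool:
    # True if the permission (e.g. "Mail.ReadWrite") is in either claim.
    info = token_permissions(claims)
    return required in info["roles"] or required in info["scp"]

def make_sample_token(payload: dict) -> str:
    # Builds a constructed, unsigned token with a dummy signature as test input.
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.dummysig"

# Constructed samples: a correctly consented app-only token, and one that mirrors
# the question (aud present, but no roles or scp claim at all).
GRAPH_AUD = "https://graph.microsoft.com"
APP_TOKEN = make_sample_token({"aud": GRAPH_AUD, "roles": ["Mail.ReadWrite", "User.Read.All"]})
EMPTY_TOKEN = make_sample_token({"aud": GRAPH_AUD, "appid": "00000000-0000-0000-0000-000000000000"})
```

Run `token_permissions(decode_claims(tok))` on a real token copied from your app: a `flow` of `none` means consent has not actually been recorded for the permission the app is requesting, and `delegated` means the effective rights are capped by the signed-in user.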
I am using Azure Active Directory B2C in an application. When I try to call the azure login page (which is a sign-in policy), I am prompted with the following error:
Sorry, but we're having trouble signing you in.
We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: 9e8de233-669b-4495-8678-236216359c58
Timestamp: 2017-02-21 13:51:35Z
AADB2C90068: The provided application with ID 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' is not valid against this service. Please use an application created via the B2C portal and try again.
Any suggestions on how to fix this and allow user to authenticate into the application?
I believe the problem is that you have registered under the tab Applications in the non-B2C portal. Under the "Getting Started" or "Configure" tab you will find a link called "Manage B2C settings". Clicking this will take you to the new Azure portal but logged into the B2C directory instead. Go to "Applications" and register your application there.
I am working on a C# Asp.net site that adds users to Active Directory and assigns them to security groups.
The whole script works great except for one issue. I can add users to groups, but I get an "Access Denied" exception when trying to add the user to a group that the Application Pool's Identity is a member of.
I think it's a windows permissions issue, but I'm not sure what permission is required. We had the same issue in the past when using an older VB script.
Any ideas?
I had this kind of issue with a website designed for Active Directory management. The execution environment was not allowed to manage AD so far. So, through IIS, we changed the default account to Local System, which has full permissions (almost; it can't reboot the system, for example) and cannot be logged in as (security first). This works because you are impersonating your website.
If not, you will need advanced group and user management. AD permissions are very touchy.
Edit:
In your case, using a specific account is not a problem. Check the identity when your admin logs in, and use impersonation with Local System. Your application environment will be alright, and only your admin will have access.