Azure Active Directory Login: Web App Permissions, User Consent not triggered


I have currently set up an AAD instance and I am authenticating my users against it via my web app, and it's working great.

When I added and configured the application on AAD, I added the required Application and Delegated Permissions to access the Office365 Calendar API. However, the only thing that is missing is that during the login flow users aren’t being prompted to grant consent for the permissions, as it should happen from what I’ve read in your docs: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Consent

I’m not sure what I’m missing. Apparently, from the docs,

After the user has signed in, Azure AD will determine if the user needs to be shown a consent page. This determination is based on whether the user (or their organization’s administrator) has already granted the application consent. If consent has not already been granted, Azure AD will prompt the user for consent and will display the required permissions it needs to function. The set of permissions that is displayed in the consent dialog are the same as what was selected in the Permissions to other applications control in the Azure Management Portal.

So maybe somehow I have already probably implicitly granted admin consent for those permissions, but I don’t know how that happened.

I've attached the permissions I configured on the AAD App.

[Screenshots: Permissions-1, Permissions-2, Permissions-3]

Any help would be appreciated.


There are 2 answers

Shawn Tabrizi (accepted answer):

If an admin creates an application in their tenant using the AUX portal (manage.windowsazure.com), and requests permissions to other applications, then users in that same tenant are pre-consented for that application. Note this behavior is NOT true for our other App Registration Portals (portal.azure.com or identity.microsoft.com).

I believe this is why you are not seeing the consent dialogue when users in your tenant are signing into your application. If you would like to push the consent dialogue experience, there are a few different things you can do:

  1. You can use query strings to prompt "consent" or "admin_consent" during login. Check here: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
  2. You can delete the service principal for your application from your tenant using AAD PowerShell. You can learn how to do that here: https://msdn.microsoft.com/en-us/library/azure/dn194113.aspx
  3. You can have a user from another tenant try to log in to your multi-tenant application.
  4. You can create your application under a non-admin account.

I hope this helps!

Shawn Tabrizi
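As an added illustration of option 1 above (not code from the answer or from Microsoft), the helper below builds the AAD v1 authorization request URL with an explicit `prompt` value and a CSRF `state` token, and checks that token when the redirect comes back. The tenant, client ID and redirect URI are constructed placeholders; the endpoint `https://login.microsoftonline.com/{tenant}/oauth2/authorize` and the `prompt` values `login`, `consent` and `admin_consent` are the v1 endpoint's own.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# AAD v1 authorize endpoint (the one the linked docs describe).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"
VALID_PROMPTS = (None, "login", "consent", "admin_consent")


def build_authorize_url(tenant, client_id, redirect_uri, resource,
                        prompt=None, state=None):
    """Return (url, state). prompt="consent" forces the user consent page,
    prompt="admin_consent" forces tenant-wide admin consent; None lets AAD
    decide (which, per the accepted answer, may mean no prompt at all)."""
    if prompt not in VALID_PROMPTS:
        raise ValueError("unsupported prompt value: %r" % prompt)
    # Unguessable state ties the callback to this login attempt (CSRF guard).
    state = state or secrets.token_urlsafe(24)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,   # e.g. https://graph.windows.net (2nd answer)
        "state": state,
    }
    if prompt is not None:
        params["prompt"] = prompt
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to redirect_uri. Rejects a state mismatch
    before looking at the code, and surfaces AAD's error response if present."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        return {"error": query["error"][0],
                "error_description": query.get("error_description", [""])[0]}
    return {"code": query["code"][0]}


if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant or app registration.
    url, st = build_authorize_url("contoso.onmicrosoft.com",
                                  "00000000-0000-0000-0000-000000000000",
                                  "https://localhost/callback",
                                  "https://graph.windows.net", prompt="consent")
    print(url)
    print(parse_callback("https://localhost/callback?code=ABC123&state=" + st, st))
```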

RuubW:

Try this:

What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification

Changing the resource parameter to https://graph.windows.net did the trick for me.

Furthermore, Microsoft support suggests disabling all permissions except "Enable sign-on and read users' profiles", apparently to avoid permission related problems. I understand that this is not a solution in your case, but at least it gives you a test case.