批准AAD租户中的单个应用以防止AADSTS90093错误

Question

I have an AAD 2.0 "converged" app (created via https://apps.dev.microsoft.com ) that only asks for delegated permissions and nothing that requires admin consent.

It is installed and running successfully on a lot of AAD instances that have default settings, but fails to install if an admin has disabled allowing users to consent to apps.

Using the current auth flow, admins can install it just fine (for themselves, not the entire tenant) and regular users see AADSTS90093: An administrator of <tenantDisplayName> has set a policy that prevents you from granting <name of app> the permissions it is requesting. Contact an administrator of <tenantDisplayName>, who can grant permissions to this app on your behalf. AADSTS90093: An administrator of <tenantDisplayName> has set a policy that prevents you from granting <name of app> the permissions it is requesting. Contact an administrator of <tenantDisplayName>, who can grant permissions to this app on your behalf. shown at https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-unexpected-user-consent-error .

The error makes sense, and the two ways to get around this that I can think of are:

1. Have the tenant admin change the setting to allow users to consent to all apps.
2. Request admin consent in the OAuth flow so admins can approve the scopes for all regular users.

I'm hoping there's another solution where the admin of the tenant in question can selectively allow users to install this particular app, and regular users on all other tenants without this restriction can still install the app just fine without admin consent.

Looking around the Azure Active Directory portal I couldn't find a way to do this, however. Any help on how to handle this situation would be appreciated.

Answer 1

In order to achieve this:

I'm hoping there's another solution where the admin of the tenant in question can selectively allow users to install this particular app

you'll need to send the admin specially crafted URL for admin consent. From "Azure AD v2 Scopes" documentation :

https://login.microsoftonline.com/common/adminconsent?client_id=<YOUR_CLIENT_ID>&state=12345&redirect_uri=<YOUR_REDIRECT_URI>

Once an admin goes through this follow, consent is granted for all users in the tenant.

This is applicable even if you are not requesting any admin permissions. In the case of User-Delegated permissions, this will:

• In tenants where user consent is enabled, prevent every user to be prompted for consent and will just let them use the application.
• In tenants where user consent is disable, users will no longer block the user and let them use the application.

Answer 2

Based on my understanding, if the admin disable users consent to allow third-party multi-tenant applications access their user profile data in the directory, the admins must consent to these applications before users may use them.

In this scenario, your app can require the users provide the email of the admin of their tenant and send the admin-consent link to the admin.

I'm hoping there's another solution where the admin of the tenant in question can selectively allow users to install this particular app

This feature is similar to give the admin_consent to that app. And if you have any idea or feedback about Azure AD, you can submit them from here .