[英]Approve single app in AAD tenant to prevent AADSTS90093 error
I have an AAD 2.0 "converged" app (created via https://apps.dev.microsoft.com ) that only asks for delegated permissions and nothing that requires admin consent. 我有一个AAD 2.0“融合”应用程序(通过https://apps.dev.microsoft.com创建),该应用程序仅请求委派权限,而无需管理员同意。
It is installed and running successfully on a lot of AAD instances that have default settings, but fails to install if an admin has disabled allowing users to consent to apps. 它已在许多具有默认设置的AAD实例上成功安装并运行,但是如果管理员禁用了允许用户同意应用程序的应用程序,则无法安装。
Using the current auth flow, admins can install it just fine (for themselves, not the entire tenant) and regular users see AADSTS90093: An administrator of <tenantDisplayName> has set a policy that prevents you from granting <name of app> the permissions it is requesting. Contact an administrator of <tenantDisplayName>, who can grant permissions to this app on your behalf.
使用当前的身份验证流,管理员可以很好地安装(对于他们自己,而不是整个租户),普通用户请参阅AADSTS90093: An administrator of <tenantDisplayName> has set a policy that prevents you from granting <name of app> the permissions it is requesting. Contact an administrator of <tenantDisplayName>, who can grant permissions to this app on your behalf.
AADSTS90093: An administrator of <tenantDisplayName> has set a policy that prevents you from granting <name of app> the permissions it is requesting. Contact an administrator of <tenantDisplayName>, who can grant permissions to this app on your behalf.
shown at https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-unexpected-user-consent-error . 如https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-unexpected-user-consent-error中所示。
The error makes sense, and the two ways to get around this that I can think of are: 该错误是有道理的,而我可以想到的两种解决方法是:
I'm hoping there's another solution where the admin of the tenant in question can selectively allow users to install this particular app, and regular users on all other tenants without this restriction can still install the app just fine without admin consent. 我希望有另一种解决方案,其中有关租户的管理员可以有选择地允许用户安装该特定应用,而没有此限制的所有其他租户的普通用户仍可以在未经管理员同意的情况下很好地安装该应用。
Looking around the Azure Active Directory portal I couldn't find a way to do this, however. 但是,环顾Azure Active Directory门户,我找不到一种方法。 Any help on how to handle this situation would be appreciated. 任何有关如何处理这种情况的帮助将不胜感激。
In order to achieve this: 为了实现这一点:
I'm hoping there's another solution where the admin of the tenant in question can selectively allow users to install this particular app 我希望有另一种解决方案,其中有关租户的管理员可以有选择地允许用户安装此特定应用
you'll need to send the admin specially crafted URL for admin consent. 您需要发送管理员特制的URL,以获得管理员的同意。 From "Azure AD v2 Scopes" documentation : 来自“ Azure AD v2范围”文档 :
https://login.microsoftonline.com/common/adminconsent?client_id=<YOUR_CLIENT_ID>&state=12345&redirect_uri=<YOUR_REDIRECT_URI>
Once an admin goes through this follow, consent is granted for all users in the tenant. 管理员完成此操作后,将为租户中的所有用户授予同意。
This is applicable even if you are not requesting any admin permissions. 即使您不要求任何管理员权限,这也适用。 In the case of User-Delegated permissions, this will: 对于“用户委派”权限,这将:
Based on my understanding, if the admin disable users consent to allow third-party multi-tenant applications access their user profile data in the directory, the admins must consent to these applications before users may use them. 根据我的理解,如果管理员禁用用户同意允许第三方多租户应用程序访问目录中的用户配置文件数据,则管理员必须同意这些应用程序,然后用户才能使用它们。
In this scenario, your app can require the users provide the email of the admin of their tenant and send the admin-consent link to the admin. 在这种情况下,您的应用可能会要求用户提供其租户管理员的电子邮件,并将管理员同意链接发送给管理员。
I'm hoping there's another solution where the admin of the tenant in question can selectively allow users to install this particular app 我希望有另一种解决方案,其中有关租户的管理员可以有选择地允许用户安装此特定应用
This feature is similar to give the admin_consent to that app. 此功能类似于为该应用提供admin_consent。 And if you have any idea or feedback about Azure AD, you can submit them from here . 并且,如果您对Azure AD有任何想法或反馈,可以从此处提交。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.