[英]Azure app incorrectly requesting admin consent?
I'm hoping someone has some insight into an issue I'm having with a newly registered app within Microsoft's Azure Portal ( portal.azure.com ).我希望有人对我在 Microsoft 的 Azure 门户 ( portal.azure.com ) 中新注册的应用程序遇到的问题有所了解。
My issue on login when I get the following dialog当我收到以下对话框时,我的登录问题
The error code and message appears in the lower right corner;错误代码和信息出现在右下角;
AADSTS90094: This operation can only be performed by an administrator. AADSTS90094:此操作只能由管理员执行。 Sign out and sign in as an administrator or contact one of your organization's administrators.注销并以管理员身份登录或联系您组织的管理员之一。
Configuration-wise, I believe I have this setup to not require admin consent, however there maybe something I'm missing.配置的角度来看,我相信我有这个设置不要求管理员同意,但有可能我丢失的东西。
My app is configured with;我的应用程序配置为;
Id Token, single tenant (web) application ID 令牌,单租户(Web)应用程序
Delegated, user consent permissions with no admin permissions无管理员权限的委派用户同意权限
With the enterprise application, the configuration is set to;对于企业应用,配置设置为;
Yes
允许用户登录: Yes
Yes
需要用户分配: Yes
Yes
对用户可见: Yes
Default Access
role已添加 4 个具有Default Access
角色的用户No
(as they are assigned)允许用户请求访问此应用程序: No
(因为他们已分配) Last of all, within the azure directory itself under the Enterprise applications - User settings configuration I have set the company data user consent to Yes
最后,在企业应用程序下的 azure 目录中- 用户设置配置我已将公司数据用户同意设置为Yes
When I navigate to either my application URL, or from the app within myapps.microsoft.com
, both give me the above dialog requesting an admin consent.当我导航到我的应用程序 URL 或从myapps.microsoft.com
的应用程序时,两者都会给我上面的对话框,请求管理员同意。
I don't want to grant admin consent if not required, as it seems a bit like using a sledgehammer to solve the problem.如果不需要,我不想授予管理员同意,因为这似乎有点像使用大锤来解决问题。
I feel like I'm either missing something big, or doing something silly - please help, and let me know if I can provide further information.我觉得我要么错过了一些重要的事情,要么做了一些愚蠢的事情 - 请帮忙,如果我能提供更多信息,请告诉我。
Edit 1.1:编辑 1.1:
My authentication request URL is: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<clientid>&redirect_uri=<redirecturi>&response_mode=form_post&response_type=code id_token&scope=openid email profile offline_access User.Read User.ReadBasic.All Mail.ReadWrite&state=OpenIdConnect.AuthenticationProperties=<gibberish>&nonce=<gibberish>&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0
我的身份验证请求 URL 是: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<clientid>&redirect_uri=<redirecturi>&response_mode=form_post&response_type=code id_token&scope=openid email profile offline_access User.Read User.ReadBasic.All Mail.ReadWrite&state=OpenIdConnect.AuthenticationProperties=<gibberish>&nonce=<gibberish>&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0
(I'm using ASP.NET MVC combined with Microsoft's OpenId Connect authentication library) (我使用 ASP.NET MVC 结合 Microsoft 的 OpenId Connect 身份验证库)
When a user consents to an application which does not require assignment (in a tenant where user consent is allowed, and for an application requesting only permissions which do not require admin consent), two things happen:当用户同意不需要分配的应用程序(在允许用户同意的租户中,并且对于仅请求不需要管理员同意的权限的应用程序)时,会发生两件事:
The second step may seem surprising, but it serves a simple role: it ensures the user sees apps they've consented to in the Azure AD Access Panel ( https://myapps.microsoft.com ).第二步可能看起来令人惊讶,但它的作用很简单:它确保用户在 Azure AD 访问面板 ( https://myapps.microsoft.com ) 中看到他们已同意的应用程序。 (The Azure AD Access Panel will show a user all apps they are assigned to.) (Azure AD 访问面板将向用户显示他们分配给的所有应用。)
It would defeat the purpose of the "user assignment is required" control if users could cause themselves to be assigned by triggering user consent.如果用户可以通过触发用户同意来分配自己,这将违背“需要用户分配”控制的目的。 So, currently, when an application is set to require user assignment, users are simply not allowed to consent to the application.因此,目前,当应用程序设置为需要用户分配时,根本不允许用户同意该应用程序。
Today, you have two options:今天,你有两个选择:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.