Azure AD user login to an app fails even after admin consent is given for the multitenant app
I have registered a sample multi-tenant app in the Azure portal app registration, requiring certain permissions to access Outlook mails. I also have a SaaS application which uses this app and requests an OAuth token from users to read and send emails using Outlook.
There is a tenant with a set of users who want to use my app for configuring emails in the SaaS application. But the users in the tenant do not have admin privileges to give consent to the application. Based on the MS documentation (v2-permissions-and-consent), an admin has to give consent to the application.
The admin has given consent to the application by using the following URL:
https://login.microsoftonline.com/{tenant ID}/v2.0/adminconsent?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxb&state=12345&redirect_uri=https://c9713e1c5859.ngrok.io/auth/outlook/callback&scope=https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send&response_type=code
Admin consented permissions: [screenshot: consented permissions]
Even after the admin gives consent to all the permissions that the app requests and adds the users to the configured enterprise application in Azure AD, the users are shown the approval prompt when they try to log in to the application.
Approval prompt shown to the users: [screenshot: approval prompt]
Ideally, once the app is approved in Azure AD Enterprise Applications, all the other users in the tenant should be able to use the application without any consent requirement.
The OAuth URL that users use to log in is
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fc9713e1c5859.ngrok.io%2Fauth%2Foutlook%2Fcallback&response_type=code&scope=offline_access+https%3A%2F%2Foutlook.office.com%2FUser.Read+https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office.com%2FSMTP.Send&state=5bfc1a7683bfa19468e7d4d67fc6893e5a00f93efe31ca51
Could anyone help me understand what I am missing here?
It should be agreed to by the target tenant administrator, and then use the target tenant to log in.
In the URL below, you probably used the wrong {tenant ID}; it should be the target tenant ID, not the tenant ID where your app is located.
https://login.microsoftonline.com/{tenant ID}/v2.0/adminconsent?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxb&state=12345&redirect_uri=https://c9713e1c5859.ngrok.io/auth/outlook/callback&scope=https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send&response_type=code
I have tested it and reproduced your problem. If you need further help, please let me know.
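The answer's point, as an added example that is not part of the original post: build the v2.0 admin consent URL with the customer's (target) tenant ID in the path, and check an existing admin-consent URL for the mistakes visible in the question (wrong tenant segment, raw spaces in the scope list) plus a missing state value. The scopes and redirect URI are taken from the question; the tenant and client IDs are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Scopes and redirect URI from the question; IDs used later are placeholders.
SCOPES = [
    "https://outlook.office.com/User.Read",
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.Send",
]
REDIRECT_URI = "https://c9713e1c5859.ngrok.io/auth/outlook/callback"


def build_admin_consent_url(target_tenant_id, client_id, redirect_uri, scopes, state):
    """Build the v2.0 admin consent URL for the customer's tenant.

    The tenant segment is the directory whose admin grants consent, not the
    tenant the app was registered in. Scopes are space separated and must be
    percent-encoded; 'state' is the value the callback uses to reject forged
    redirects.
    """
    query = urlencode({
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "response_type": "code",
    })
    return f"https://login.microsoftonline.com/{target_tenant_id}/v2.0/adminconsent?{query}"


def check_admin_consent_url(url, target_tenant_id):
    """Return the problems found in an admin-consent URL (empty list if none)."""
    problems = []
    parsed = urlparse(url)
    segments = parsed.path.strip("/").split("/")
    if parsed.netloc != "login.microsoftonline.com":
        problems.append("unexpected authority host")
    if len(segments) != 3 or segments[1:] != ["v2.0", "adminconsent"]:
        problems.append("path is not /{tenant}/v2.0/adminconsent")
    elif segments[0] != target_tenant_id:
        problems.append("tenant segment is not the target tenant id")
    params = parse_qs(parsed.query)
    if not params.get("state"):
        problems.append("missing state (no CSRF protection on the callback)")
    if " " in parsed.query:
        problems.append("scope list contains raw spaces; percent-encode it")
    return problems
```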