Multi-tenant Azure AD Authentication Permission Error
Question
I am new to Azure AD authentication. I have created a app in azure and made it multi-tenant and set its permissions as follow
Sign in and read user profile
Read directory data
Here is my Startup.Auth.cs code
public partial class Startup
{
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
private string graphResourceID = "https://graph.windows.net";
private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
private string authority = aadInstance + "common";
private ApplicationDbContext db = new ApplicationDbContext();
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions { });
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
// instead of using the default validation (validating against a single issuer value, as we do in line of business apps),
// we inject our own multitenant validation logic
ValidateIssuer = false,
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
SecurityTokenValidated = (context) =>
{
return Task.FromResult(0);
},
AuthorizationCodeReceived = (context) =>
{
var code = context.Code;
ClientCredential credential = new ClientCredential(clientId, appKey);
string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(aadInstance + tenantID, new ADALTokenCache(signedInUserID));
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceID);
return Task.FromResult(0);
},
AuthenticationFailed = (context) =>
{
context.OwinContext.Response.Redirect("/Home/Error");
context.HandleResponse(); // Suppress the exception
return Task.FromResult(0);
}
}
});
}
}
But when I try to run application and login then it gives me error
You can't access this application
XXXXXXX needs permission to access resources in your organization that only an admin can grant.
Please ask an admin to grant permission to this app before you can use it.
Have an admin account? Sign in with that account
Return to the application without granting consent
1 answers
solution1
1 2017-07-15 14:44:25
An Admin has to Grant permissions first so that other users would be able to access the resources. Try following steps
- Login to portal as Admin
- Go to your App registration blade
- Click
Required Permissions - In the permissions blade on top click
Grant Permissionslink. - Read the confirmation message and click OK.
Now try to login with Non-Admin User.
Hope this article helps.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
ADAL Authentication Error Multi-Tenant
Single tenant to multi-tenant
Web API Authentication with multi-tenant data access
Azure AD App Authentication Successfully Authenticating all Apps in Same Tenant Without Delegation/White-listed Permission
.Net Core Azure AD single tenant Authentication
Azure AD Multi Tenant ,.Net Core Web API with MSAL(Microsoft Authentication Libary)
Multi-Tenant physical isolation
IdentityRole in multi-tenant application
Multi-Tenant Architecture for MVC 4
Multi-tenant entity filtration
Related Tags