Element

Reputation: 4041

Azure Resource Manager API Permissions for Subscription Co-Admin

I am trying to create an ASP.NET Core based solution using the Azure Resource Manager API libraries to manage resources on a single subscription.

When I try to authenticate using a subscription co-administrator account I receive permissions errors. Below are the steps I have tried.

Created a project based on the following examples:

https://github.com/pratapbhaskar/azure-resource-manager-active-directory

https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-api-authentication

In management portal:

  1. Created active directory app entry.
  2. Set AD app entry Multi-tenanted to True.
  3. Gave AD app entry Azure Active Directory read profile permissions.

Tried logging in to application using subscription co-admin account and received the following error:

AADSTS65005: The client application has requested access to resource 'https://management.core.windows.net/'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.

Attempted fix:

  1. Open AD app and add permissions for: "Windows Azure Service Management API"
  2. Add delegated permissions "Access Azure Service Management as organization users (preview)"

Tried logging in to application using subscription co-admin account and received the following error:

AADSTS90093: This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

Upvotes: 0

Views: 3294

Answers (1)

Fei Xue

Reputation: 14649

Based on the error message, the app you have configured requires the admin to give consent, and the logged-in account is not the Global admin in its tenant.

Please ensure that the app isn't granted permissions to other applications that need the admin to give consent.

I downloaded the code sample and configured the app as in the figure below, and I am able to log in to the app successfully:

enter image description here

Upvotes: 1
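
An added example, not part of the original question or answer: a check of an app manifest's requiredResourceAccess list for the two conditions the errors above report, a requested resource that is not declared (AADSTS65005) and application-type permissions that only an administrator can consent to (AADSTS90093). The function name and every GUID are constructed placeholders; the field names follow the Azure AD application manifest format.

```python
import json

# Constructed manifest fragments. Every GUID here is a placeholder, not a real ID.
ARM_ID = "aaaaaaaa-0000-0000-0000-000000000001"    # stands in for the management API
AAD_ID = "aaaaaaaa-0000-0000-0000-000000000002"    # stands in for Azure Active Directory
BEFORE = json.loads("""
{"requiredResourceAccess": [
  {"resourceAppId": "aaaaaaaa-0000-0000-0000-000000000002",
   "resourceAccess": [
     {"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"},
     {"id": "bbbbbbbb-0000-0000-0000-000000000002", "type": "Role"}]}
]}
""")
AFTER = json.loads("""
{"requiredResourceAccess": [
  {"resourceAppId": "aaaaaaaa-0000-0000-0000-000000000002",
   "resourceAccess": [
     {"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"}]},
  {"resourceAppId": "aaaaaaaa-0000-0000-0000-000000000001",
   "resourceAccess": [
     {"id": "bbbbbbbb-0000-0000-0000-000000000003", "type": "Scope"}]}
]}
""")


def audit_manifest(manifest, requested_resources):
    """Return (missing, app_permissions) for one manifest dict.

    missing: requested resource IDs absent from requiredResourceAccess
             (the condition AADSTS65005 reports).
    app_permissions: (resourceAppId, permission id) pairs of type "Role",
             i.e. application permissions, which only an administrator can
             consent to (the condition AADSTS90093 reports).
    Delegated ("Scope") entries can also need admin consent; that depends on
    the individual permission and is not detectable from the type field.
    """
    declared = {}
    for entry in manifest.get("requiredResourceAccess", []):
        declared.setdefault(entry["resourceAppId"], []).extend(
            entry.get("resourceAccess", []))
    missing = [r for r in requested_resources if r not in declared]
    app_permissions = [(res, perm["id"])
                       for res, perms in declared.items()
                       for perm in perms if perm.get("type") == "Role"]
    return missing, app_permissions


if __name__ == "__main__":
    for name, manifest in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_manifest(manifest, [ARM_ID, AAD_ID]))
```

Running the same check against each app registration before release keeps a multi-tenant app at delegated, least-privilege permissions that a non-admin user can consent to.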
