lworkman

Reputation: 31

How to fix " AADSTS90094: This application requires application permissions to another application" error after giving admin consent

I recently requested new application permissions in my multi-tenanted Azure AD App so that I can access the Graph API. I'm using adal.js to authenticate users in a web app, while the actual requests to Graph are made on a node server using adal-node and a certificate.

The new permissions work. I'm able to access Graph using application permissions, and have not had any issues with node server.

The problem is that now whenever admins log in to the web app (using `adal.js`), they get presented with the consent screen, no matter how many times they consent. Non-admin users are presented with the "Need Admin Approval" screen whenever they log in, stopping them from being able to log in at all.

I've tried this across different tenancies with the same results. I've also tried approving the permissions through azure.portal.com and removing the app entirely from a tenancy and approving them again.

I've also tried taking away the new permissions and reverting to the old permissions. No matter what, users are hitting the "Need admin approval" screen.

User login code

public login(): void {
  this.adalContext.login();
}

Admin login code

public adminLogin(): void {
  // Override adal.js's redirect so the authorize URL it builds gets
  // prompt=admin_consent appended before the browser navigates to it.
  this.adalContext.config.displayCall = (urlNavigate) => {
    let url = urlNavigate + "&prompt=admin_consent";
    this.adalContext.promptUser(url);
  };
  this.adalContext.login();
}

To be clear, this app had been running fine for over a month. It's only once I changed the permissions that this began happening.

Upvotes: 1

Views: 1916

Answers (1)

lworkman

Reputation: 31

The answer to this question ended up helping me: Why Azure AD fails to login non-admins in multi-tenant scenario?

Since I was requesting only application permissions, Azure AD defaults to always asking for consent whenever a user logs in. Once I added one delegated permission (Microsoft.Graph.User.Read), the consent prompt disappeared.

I must have accidentally missed this permission while going through the process of adding and removing them during my troubleshooting.

Upvotes: 1
