Russell Meyer
Brass Contributor
Nov 14, 2017

Unable to grant O365 users access to Tech Community

Has anyone run into issues authorizing Tech Community with federated IDs? If I log in with a GA, it gives me some warnings about access, etc... If I accept, the account is good, but others in the tenant, not so much.

states:

You can't access this application
MS Tech Comm needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

AADSTS90094: The grant requires admin permission.

If I drill into AAD I see the app, but it's specific to the GA account, and when I allow Graph the same permissions for the tenant, no love... I saw some docs about a parameter that needs to be placed in the auth URL, but it didn't work.

  • Dean_Gross
    Silver Contributor

    I would not recommend using company accounts to access this community because if you leave the company, you will lose all of your history in this community.

    • Adrienne Andrews
      Brass Contributor

      Hi Dean, I so wish I had known this when I signed up to the community originally!  I was a founding member and member of the week - but all that is gone since changing jobs.  Frankly, I don't even see the benefit of linking to Office 365 if there is no way to port your profile to another account or tenant.  Guess lesson learned going forward!

  • You as the admin can consent to the app. Go to the Azure AD blade, navigate to the app in question (O365 Network or MS Tech Comm), Properties, check the value of the "User assignment required?" toggle. Should be set to No.

      • VasilMichev
        MVP

        Switch it to No, try accessing the MTC with your admin account and consent to the app. If no consent prompt appears, try triggering it manually via this link:

        https://login.microsoftonline.com/common/adminconsent/?client_id=09213cdc-9f30-4e82-aa6f-9b6e8d82dab3&redirect_uri=https%3A%2F%2Ftechcommunity.microsoft.com%2Fauth%2Foauth2callback&response_type=code&state=https%3A%2F%2Ftechcommunity.microsoft.com%2F&scope=User.Read+openid+email+profile+offline_access

        The "adminconsent" part makes sure that it will trigger the correct flow.

        And a disclaimer: never click such links without double- and triple-checking what you are consenting to :)
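
Added example, not part of the thread and not Microsoft tooling: one way to do the double-check from the last reply is to decode a consent link into the app ID, redirect target and requested scopes before opening it. The function name, `TRUSTED_LOGIN_HOST` and `BASELINE_SCOPES` are this example's own assumptions; the baseline is simply the scope list of the link quoted above.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions of this example: the one sign-in host accepted for a consent link,
# and a baseline equal to the scopes requested by the link in the post.
TRUSTED_LOGIN_HOST = "login.microsoftonline.com"
BASELINE_SCOPES = {"user.read", "openid", "email", "profile", "offline_access"}

def review_consent_url(url, expected_redirect_host):
    """Split a consent link into the fields an admin should read before clicking."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # decodes %XX escapes and '+' (space)
    def first(key):
        return query.get(key, [""])[0]
    path = [seg for seg in parts.path.split("/") if seg]
    redirect = urlsplit(first("redirect_uri"))
    scopes = first("scope").split()
    findings = []
    # .hostname is the parsed host only, without any userinfo or port.
    if parts.scheme != "https" or parts.hostname != TRUSTED_LOGIN_HOST:
        findings.append("sign-in host is not " + TRUSTED_LOGIN_HOST)
    if redirect.scheme != "https" or redirect.hostname != expected_redirect_host:
        findings.append("redirect_uri host is %s" % redirect.hostname)
    extra = [s for s in scopes if s.lower() not in BASELINE_SCOPES]
    if extra:
        findings.append("scopes beyond the baseline: " + ", ".join(extra))
    return {
        "tenant": path[0] if path else "",
        "admin_consent": "adminconsent" in path,
        "client_id": first("client_id"),
        "redirect_host": redirect.hostname,
        "scopes": scopes,
        "findings": findings,
    }

# The link quoted in the post above, split only for line length.
MTC_LINK = (
    "https://login.microsoftonline.com/common/adminconsent/"
    "?client_id=09213cdc-9f30-4e82-aa6f-9b6e8d82dab3"
    "&redirect_uri=https%3A%2F%2Ftechcommunity.microsoft.com%2Fauth%2Foauth2callback"
    "&response_type=code&state=https%3A%2F%2Ftechcommunity.microsoft.com%2F"
    "&scope=User.Read+openid+email+profile+offline_access"
)

if __name__ == "__main__":
    for field, value in review_consent_url(MTC_LINK, "techcommunity.microsoft.com").items():
        print("%-14s %s" % (field, value))
```

An empty `findings` list only means the link matches the expectations passed in; the `client_id` still has to be compared against the app shown in the Azure AD blade.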
