Unable to grant O365 users access to Tech Community

Brass Contributor

Has any one ran into issues authorizing Tech Community with federated IDs? If I log in with a GA, gives me some warnings about access, etc...if I accept, the account I good but others in the tenant, not so much

 

states:

You can't access this application
MS Tech Comm needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

AADSTS90094: The grant requires admin permission.

 

if I drill into AAD I see the app but its specific to the GA account, and when I allow graph the same permissions for the tenant, no love...I saw some docs about a parameter that needs to be placed in the auth url but didn't work

14 Replies

You as the admin can consent to the app. Go to the Azure AD blade, navigate to the app in question (O365 Network or MS Tech Comm), Properties, check the value of the "User assignment required?" toggle. Should be set to No.

its set to no...even flipped to yes and assigned, no love

Switch it to No, try accessing the MTC with your admin account and consent to the app. If no consent prompt appears, try triggering it manually via this link:

 

https://login.microsoftonline.com/common/adminconsent/?client_id=09213cdc-9f30-4e82-aa6f-9b6e8d82dab3&redirect_uri=https%3A%2F%2Ftechcommunity.microsoft.com%2Fauth%2Foauth2callback&response_type=code&state=https%3A%2F%2Ftechcommunity.microsoft.com%2F&scope=User.Read+openid+email+profile+offline_access

 

 

The "adminconsent" part makes sure that it will trigger the correct flow.

 

And a disclaimer to never click such links without double and triple-checking to what you are consenting :)

most of that URL makes sense and I had it about 90% there but kept getting errors, but the client ID, where is that derived from?
so basically take replace "common/oauth2/v2.0/authorize" with "common/adminconsent" that is provided in URL for login...

Yup, replace the endpoint. The ClientID is the identifier of the application - you can compare it against what you are seeing in the Azure AD portal for the MS Tech Comm app.

 

Again, pay attention to what you are consenting, as there have been some baddies exploiting this already :)

still no love...it did change the prompt to allow for whole org in the permissions warning...clicked on that and it kicked me out...will keep messing around with it...its not the best documented item from what I can tell...but then again with the security aspect, I can see why

Um, well that's about as much as I can help you with all this, I'm not a dev and the whole app model is still something I'm not as familiar with. Maybe open a support case?

will do, thanks!

Let us know what the solution is.

Any News on the issue?

none yet...been busy with other items in 365 land...

I would not recommend using company accounts to access this community because if you leave the company , you will lose all of your history in this community. 

Hi Dean, I so wish I had known this when I signed up to the community originally!  I was a founding member and member of the week - but all that is gone since changing jobs.  Frankly, I don't even see the benefit of linking to Office 365 if there is no way to port your profile to another account or tenant.  Guess lesson learned going forward!