Admin consent is being raised for permissions which do not require admin consent


Hi,

We are integrating Microsoft Graph to fetch the contacts of the signed-in user through the Microsoft Graph SDK, but one thing here is that we are using our own implementation of the OAuth 2.0 protocol for authentication to Microsoft Graph, instead of authenticating with the given JS SDK, with the following permissions registered in Azure Active Directory:

scope = offline_access Contacts.Read Contacts.Read.Shared

Problem: the admin consent prompt should not be shown to the user when the registered permissions do not require admin consent.

1 Reply

@jkhan540 It is possible that the tenant you are testing your application in has disabled user consent. It is actually documented as a best practice here: https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#block-end-user-co...

If user consent is disabled then you will receive the same AADSTS90094 error which is documented here: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/08/receiving-aadsts90094-the-grant-requires-admin...