Life's random bits By b1thunt3r (aka Ishan Jain)…
Grant Administrator consent to Azure AD Application

Ishan Jain
While developing a new application that needed to use the Skype for Business Online API, I discovered that the application needs consent from an administrator before it can authenticate a user against the Skype for Business Online API.

Every time I tried to log in with a non-admin user, I was hit with one of these errors:

Prerequisites

AADSTS90093: Calling principal cannot consent due to lack of permissions.

or

AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

Sure, this error explains what the problem is, but it was hard for me to determine how to solve it.

Probable Solution

I tried to give my current user admin rights to Azure Active Directory. It worked.

NOTE: Users need to be assigned administrator rights at the Azure Active Directory level; Azure Active Directory group membership makes no real difference here.

In a one-man shop or a smaller organization this might not be a problem, but in a larger organization it is a real problem: you cannot give every user in your organization admin rights. You could grant each user admin rights the first time they need to log in to your application, but that would be a nightmare for system administrators, since it involves a lot of overhead, and they would also have to remember to remove the privilege afterwards.

Conclusion

Not a good solution; I need to research more.

Problem 2: Admin level

Azure Active Directory has two different admin levels:

  • Global Administrator: Has full control over Azure Active Directory and the Azure subscription.
  • Limited Administrator: Can be limited to specific functions.

The problem now was that, in order to grant consent, the user needs to be a Global Administrator; a Limited Administrator is not enough.

Conclusion: Problem 2

Not a good solution; I need to research more.

Solution

After going through several blog posts, the Skype for Business Online documentation and the Azure Active Directory documentation, I figured out that I needed to create a separate URL, only for admins. The problem might have been mine to start with: I should have gone through the documentation more thoroughly.

https://login.microsoftonline.com/common/oauth2/authorize?
    client_id=<CLIENT-ID>
    &redirect_uri=<REDIRECT-URI>
    &resource=<RESOURCE-ID>
    &response_type=code
    &response_mode=form_post
    &prompt=admin_consent
Parameter      Description
CLIENT-ID      Client Id / Application Id
REDIRECT-URI   Redirect URL you configured while registering the application
RESOURCE-ID    IMPORTANT: the resource you want the admin to grant consent for

For more information on the parameters that can be passed, check the Azure AD documentation and the Skype for Business Online documentation.
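As an added example (not the post's own code), here is the admin-only URL above built programmatically in Python, together with a check on what Azure AD posts back to the redirect URI with response_mode=form_post. The client id, redirect URI, resource and state values used in it are constructed placeholders.

```python
from urllib.parse import urlencode, parse_qs

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"


def build_admin_consent_url(client_id, redirect_uri, resource, state=None):
    """Build the admin-only authorize URL described in the post.

    urlencode escapes redirect_uri and resource, whose ':' and '/' must not
    appear raw inside a query string.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,          # the resource the admin consents to
        "response_type": "code",
        "response_mode": "form_post",  # AAD POSTs the result to redirect_uri
        "prompt": "admin_consent",     # ask for tenant-wide admin consent
    }
    if state is not None:
        params["state"] = state        # bind the callback to this request
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_form_post(body):
    """Flatten the URL-encoded form body AAD posts back into a plain dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def classify_callback(fields, expected_state=None):
    """Classify the callback as 'consented', 'needs_admin' or 'error'.

    A mismatching state is treated as an error so that a forged callback
    cannot be mistaken for a granted consent.
    """
    if expected_state is not None and fields.get("state") != expected_state:
        return "error"
    if "code" in fields:
        return "consented"
    description = fields.get("error_description", "")
    if description.startswith("AADSTS90093"):
        return "needs_admin"           # the non-admin error from the post
    return "error"
```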

After signing in to Azure (from your generated URL), the Global Administrator will see the consent prompt below:

[Image: AzureConsent01-AdminConsent]

After a Global Administrator has granted consent for your application to use the requested resources, your users will be able to log in and use your application.