Hello!
After a short consultation with @AzureSupport it was suggested that I enter a question here so here's my shot:
We are developing an on-premises, non-interactive and non-gallery application that sends and receives data (among others) via Exchange Online Mail as a specific user.
For this to work we decided to use the password flow (so the user has control over which postbox we are using, without our application having access to anything else). Since we want to run this application on multiple customer installations, we went with the "multi-tenant" option.
The issue we now have, however, is that upon requesting a login for the user we get the error message:
AADSTS65001: The user or administrator has not consented to use the application with ID '<CLIENT_ID>' named '<Application Name>'. Send an interactive authorization request for this user and resource.
Trace ID: 6432af93-22a6-4591-82ae-3effa4db0b00
Correlation ID: fb481736-21eb-4dd2-a909-557d8294219e
Timestamp: 2021-07-30 08:34:26Z
https://stackoverflow.com/questions/56266148/aad-how-do-you-send-an-interactive-authorization-request-to-resolve-aadsts650 and
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
do not yield any useful input for us, since they require us to either
- have a gallery-registered app, which makes little sense for us, or
- manually generate a consent URL using information (the tenant ID of the customer) that we can't derive automatically, which in turn would require the customer to do fancy URL handling or to give us the extremely technical tenant ID of their organization.
Is there any way for us to automatically trigger this consent request so that an administrator can comfortably allow access from the Portal? Or is there some way we don't need to ask for consent at all? (We only require Mail.read, Mail.sendWrite and User.read)
Our goal is to make the initialization process of the application for the customer as streamlined as possible (usually the people managing and installing our software are not very technically savvy) and to document a clear handover, where this user can then go to their administrator and say "please consent to that application". Any way to achieve this?
Kind regards,
Johannes Frank
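Added example by the editor, not code from the original post or from the poster's application: a small Python sketch of the consent handover the question describes. It builds a v2.0 admin-consent URL for a multi-tenant app using the `organizations` tenant segment (so no customer-specific tenant ID has to be typed into the URL; the signed-in administrator's home tenant is resolved at sign-in), recognises the AADSTS65001 error body returned by the token endpoint so the application can stop and show that URL to the user, and checks the redirect that comes back after the administrator acts, including the `state` value against CSRF. The client ID, redirect URI, scope list and the sample error body are constructed placeholders; substitute the exact delegated permission names your app registration requests.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(client_id, redirect_uri, scopes, tenant="organizations", state=None):
    """Build a v2.0 admin-consent URL for a multi-tenant app registration.

    tenant="organizations" (or "common") lets Azure AD resolve the administrator's
    own tenant when they sign in, so the customer's tenant ID is not needed up front.
    The returned state must be stored and compared when the redirect comes back.
    """
    if state is None:
        state = secrets.token_urlsafe(16)  # unguessable anti-CSRF token
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}", state


def needs_admin_consent(token_response_body):
    """Return True when a token-endpoint error body reports AADSTS65001 (consent missing)."""
    try:
        body = json.loads(token_response_body)
    except json.JSONDecodeError:
        return False
    if not isinstance(body, dict):
        return False
    if 65001 in body.get("error_codes", []):
        return True
    return body.get("error_description", "").startswith("AADSTS65001")


def parse_consent_redirect(url, expected_state):
    """Interpret the redirect back to redirect_uri after the administrator acted.

    Raises ValueError when the state does not match the one we issued, since such
    a redirect was not produced by our own consent request.
    """
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to our consent request")
    return {
        "granted": q.get("admin_consent", ["False"])[0].lower() == "true",
        "tenant": q.get("tenant", [None])[0],   # tenant ID of the consenting organisation
        "error": q.get("error", [None])[0],
    }


# Constructed sample of a token-endpoint error body (placeholder IDs, not a real response).
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented to use "
                         "the application with ID '<CLIENT_ID>' named '<Application Name>'. "
                         "Send an interactive authorization request for this user and resource.",
    "error_codes": [65001],
})

if __name__ == "__main__":
    if needs_admin_consent(SAMPLE_ERROR_BODY):
        # Placeholder client ID, redirect URI and scopes; replace with your registration's values.
        url, state = build_admin_consent_url(
            "11111111-2222-3333-4444-555555555555",
            "https://localhost/consent-callback",
            ["Mail.Read", "User.Read"],
        )
        print("Ask your administrator to open this URL and grant consent:")
        print(url)
```

The application keeps the issued `state`, hands the URL to the user for their administrator, and only treats consent as granted when the redirect carries a matching `state` and `admin_consent=True`; the `tenant` parameter in that redirect is the customer's tenant ID, which can then be recorded without the customer ever having to look it up.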