DJGummikuh-1551 asked

How to trigger admin consent request as a non-gallery, native, non-interactive application with password

Hello!
After a short consultation with @AzureSupport it was suggested that I enter a question here so here's my shot:

We are developing an on-premises, non-interactive and non-gallery application that sends and receives data (among others) via Exchange Online Mail as a specific user.
For this to work we decided to use the password flow (so the user has control which postbox we are using without our application having access to anything else). Since we want to run this application on multiple customer installations we went with the "multi-tenant" option.

The issue we now have, however, is that upon requesting login for the user we get the error message:

 AADSTS65001: The user or administrator has not consented to use the application with ID '<CLIENT_ID>' named '<Application Name>'. Send an interactive authorization request for this user and resource.
 Trace ID: 6432af93-22a6-4591-82ae-3effa4db0b00
 Correlation ID: fb481736-21eb-4dd2-a909-557d8294219e
 Timestamp: 2021-07-30 08:34:26Z

https://stackoverflow.com/questions/56266148/aad-how-do-you-send-an-interactive-authorization-request-to-resolve-aadsts650 and
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
do not yield any useful input for us since they require us to either
- have a gallery-registered app, which makes little sense for us, or
- manually generate a consent URL using information (the tenant ID of the customer) we can't derive automatically, which in turn would require the customer to do fancy URL handling or to give us the extremely technical tenant ID of their organization.

Is there any way for us to automatically trigger this consent request so that an administrator can comfortably allow access from the Portal? Or is there some way we don't need to ask for consent at all? (We only require Mail.read, Mail.sendWrite and User.read)

Our goal is to make the initialization process of the application for the customer as streamlined as possible (usually the persons managing and installing our software are not very technically savvy) and document a clear handover where this user then can go to his administrator and say "please consent to that application". Any way to achieve this?

Kind regards,
Johannes Frank

azure-ad-app-consent

amanpreetsingh-msft answered

Hi @DJGummikuh-1551, thank you for reaching out.

With password flow, the best option you have is to construct the admin consent URL for granting tenant-wide consent, because in this case, the admin or the user must consent to the given scopes/permissions ahead of time.

You can construct this URL without having to derive the tenant id of the customer by using /organizations instead of /tenant-id as shown below:

  • https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=YOUR_APPLICATION_ID&scope=Mail.read Mail.sendWrite User.read

You can provide this exact URL to your customers, and based on the domain name in the UPN suffix of the user they sign in with, tenant discovery is done and the tenant-wide consent will be provided for their tenant.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


DJGummikuh-1551 answered

OK, so having a URL that does not require the target customer's tenant ID changes everything! Thanks a lot, I now see a path forward here!

Kind regards,
Johannes Frank
