Receiving AADSTS90094: The grant requires admin permission.
This post is to help provide guidance when receiving the error : AADSTS90094: The grant requires admin permission.
Typically this error is received when trying to get access to an AAD application registration. Please note that there are two different Microsoft application portals:
For details on the different application models, please visit the following link:
What's different about the v2.0 endpoint?
These different application models require different processes in order to resolve the AADSTS90094 error.
V1 Application Resolution
If you are using an AAD Application Registration under the URL portal.azure.com, then all that needs to be done is to click the "Grant Permissions" button.
NOTE: All application permissions require a tenant administrator to complete the consent process by clicking the "Grant Permissions" button.
To apply the permission scopes to the application, use the "Grant Permissions" button. If any of the permission scopes check in the Enable Access blade have Yes in the "REQUIRES ADMIN" column then a user with administrative permissions on the tenant will need to complete the consent process by clicking the "Grant Permissions" button.
This is also described in the article : https://docs.microsoft.com/en-us/azure/active-directory/application-dev-registration-config-grant-permissions-how-to
The link describes a second way to grant permissions.
V1 Application User Consent Disabled
Sometimes the tenant doesn’t allow users to consent for an application to access data on their behalf. This switch is shown in the picture below:
If the admin disabled users to be able to consent to allow third-party multi-tenant applications access their user profile data in the directory, the admins must consent to these applications before users may use them.
In this scenario, your app can require the users to provide the email of the admin of their tenant and send the admin-consent link to the admin.
Essentially in order to resolve the issue, you will have to get a global admin to generate the URL below. This is taken from the link : https://docs.microsoft.com/en-us/azure/active-directory/application-dev-registration-config-grant-permissions-how-to
You can construct a request to login.microsoftonline.com with your app configs and append on &prompt=admin_consent. After signing in with admin credentials, the app has been granted consent for all users.
So it would look like the below URL (replace with your app configs):
V1 Enterprise Application/ V1 Multi-tenant Applications Requiring Admin Consent
In order to grant admin consent to a multi-tenant application you have in your tenant you won't be able to press the grant permissions button since the Application Registration is in the creator's tenant where the original AAD Application Registration in. If you're receiving this error when trying to grant admin consent to a multi tenanted AAD Application you will need to get a global admin to grant admin consent on behalf of all the users in the tenant, following the same steps in the section before.
You will have to create this URL :
Replacing the fields respectively with your tenant ID, Client ID, Redirect URI, and resource. Please contact the main multi-tenant AAD Application owner for information on the resource URI, it can be found in the original AAD Application Registration's properties.
V2 Application Resolution
If you are using the https://myapps.microsoft.com portal, then you will need to utilize the adminconsent endpoint in order to properly grant admin consent for the v2 application model. This is described in the Microsoft Documentation at the following link:
We have now described some scenarios where AADSTS90094 error could occur. If one of these solutions does not resolve your issue please file a support ticket and one of our support engineers will reach out to you to help resolve your issue. Please have the following information in your support request:
- Fiddler trace if you can obtain one.
- Correlation ID or Request ID along with its associated timestamp. With most AADSTS* type errors, the correlation ID and timestamp is provided in the error body text.