After clicking on "authorize using your own account" and logged in with my work account (I'm a Microsoft employee, so I meant my Microsoft email), I got the error "OAuth Sandbox needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."
I have contacted Microsoft IT, but they told me to contact the app owner here. Here is the details:
Request Id: 6462a541-01d1-4899-84f9-6b77c3423200
Correlation Id: 9e8d35bd-f719-4422-ab97-941680b32b58
Timestamp: 2019-01-25T00:40:25Z
Message: AADSTS900941: An administrator of Microsoft has set a policy that prevents you from granting OAuth Sandbox the permissions it is requesting. Contact an administrator of Microsoft who can grant permissions to this application on your behalf.
Advanced diagnostics: Disable
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
I believe Microsoft IT is asking you to reach out to the app owner on stackoverflow.microsoft.com, not on the public stackoverflow site. You should delete this message.
You need to find the owner of that page, presumably the outlook team, and have them request Microsoft IT allow their AAD AppId 32613fc5-e7ac-4894-ac94-fbc39c9f3e4a.
Related
My application wants to access all users' mailboxes. For that, I am getting permission from Admin consent. Now I want to get the user details of the admin who consented to the application. I know we can't use Me context ('/me' API end-point) as we are getting consent without a signed-in user.
Is there any way by which we can get user details of the admin who consented to our application using the access token?
Thanks in advance.
To the best of my knowledge, the access token does not contain user details of the admin who consented to your application. One way to get this information is by viewing activity reports in the Azure portal. You might also consider working with the activity reports API provided by Microsoft Graph.
Please let me know whether this helps and if you have further questions.
I'm trying to create an iOS application that allows to read Office 365 user's email. So, I've created a multi-tendant Azure Active Directory Application and during OAuth authentication I request following scope: offline_access User.Read Mail.Read EWS.AccessAsUser.All.
Unfortunately when I try to log in as a non-admin Office 365 user, instead of showing permissions review dialog I get "%AppName% needs an administrator approval".
Could you please help me to figure out how could I avoid "Admin Approval Required" dialog?
Logging in via other email clients (I've tested Edison Mail) with the same scope and to the same account shows a grant dialog (no-one in the organisation has previously logged in to the app neither admin has previously approved it). If more details are needed I'll be happy to provide them!
Thank you in advance!
P.S. Leaving just offline_access User.Read in the scope actually shows grant dialog, but popular applications somehow can get all the required permissions at once...
Although the Mail.Read and EWS.AccessAsUser.All scopes do not require admin approval at the Graph API level, organisations can turn off the Office 365 user consent setting Let people in your organisation decide whether third-party apps can access their Office 365 information.
Security best practice recommends that this setting is turned off. If it is turned off one of two things will happen.
If admin consent workflow is enabled, then the user will get a form where they can submit a request for the app to be approved.
If admin consent workflow is not enabled, then they will see the "administrator approval required" message.
More information on user consent is available here
You will need to provide some guidance for users on getting their organisation to approve your app in the case where the user is unable to provide that consent themselves.
I am not sure why Edison Mail is working, although it is possible that its app registration has been whitelisted by Microsoft; I don't have access to the Office 365 admin portal to confirm.
My organization has an institutional e-mail account in Outlook 365.
There is a small number of users who are responsible for managing that mailbox, reading, answering, forwarding and sending messages from that account.
I am writing a web application (PHP) to automate some messaging operations, so I implemented access to that account using Microsoft Graph. But this requires to login using that account's credentials, and I wouldn't like to share account's password (which I have) with those users.
Is it possible to to grant permission for those users' accounts so MS-Graph will allow them to read/write/send messages from that account, once they have logged in? If so, how would it done?
If this post lacks some relevant information I'm not remembering now, please comment and I'll edit to add it.
Thank you very much.
You could use admin consent for that purpose. Administrator can grant access for the entire tenant, and users will not be prompted for consent afterwards
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant
My current application supports Microsoft and Google oAuth verification sign in. The idea is to give users the option of signing in with their personal accounts for ease of access. This is working fine with google, but AAD will only allow users with emails that end in the App ID URI domain to sign in
eg: App Id URI = someOrg.com/guid and their sign in = someUser#someOrg.com.
Attempting to sign in with a Microsoft account like an outlook or hotmail account redirects to a page saying
"We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later."
Is there a way to allow AAD to accept any Microsoft account in the login, or can it only accept users in a single domain?
Basics
Yes! Checkout https://aka.ms/aadv2. The v2 endpoint allows both personal Microsoft and Azure AD accounts to be signed in from a single app reg. You'll need to hit this special endpoint (can be done using the MSAL libraries) and setting your app audience in the Azure portal.
Details...
By default and using the following URLs (note the common piece):
https://login.microsoftonline.com/common/v2.0/authorize
https://login.microsoftonline.com/common/v2.0/token
If set to common, your app can sign in any domain and personal Microsoft accounts.
Other options
For the sake of covering everything, here's the other options:
common->organizations: Only allow Azure AD accounts
common->consumers: Only allow personal Microsoft accounts
common->[tenant_id]: Only allow accounts from the specified tenant
MSA as a guest
The edge case you may need to address is a personal Microsoft account added as a guest to an Azure AD tenant. When the user hits common, they'll be signed in as a personal Microsoft account; however, they may intend to sign into their domain. You can build around this by introducing a "enter your email" screen, then passing this as a hint to Microsoft via the common endpoint.
I have created an app in https://apps.dev.microsoft.com portal with name GroupsApp and I have given couple of permissions as below:
I have created client id and secret to use in my application. I am using asp.net MVC (with 4.5.1 .net framework) web application.
I am getting some groups info and displaying on the screen. If I am logged with my account it is working fine. But if I logged in as another user then it is giving me issue as below:
I have formatted url as below: https://login.microsoftonline.com/948894dc-c0e2-43e5-a7e6-1d21dd183c9d/oauth2/authorize?client_id=75acb700-e675-4dc4-9deb-d3f68f6911a1&response_type=code&redirect_uri=http://localhost:34280&prompt=admin_consent and trying to granted the permission. Here I have logged in as admin and given permissions.
Now if I check with normal user same issue is happening.
How should I give the permissions to this application.
I am not able to find any option to approve the permissions from the Azure portal.
Now if I check with normal user same issue is happening.
How should I give the permissions to this application.
I am not able to find any option to approve the permissions from the Azure portal.
I could encounter the same issue according to your settings. I assumed that you may hit the Admin-restricted scopes of AAD v2.0 as follows:
Some high-privilege permissions in the Microsoft ecosystem can be set to admin-restricted. Examples of these kinds of scopes include the following permissions:
Read an organization's directory data by using Directory.Read
Write data to an organization's directory by using Directory.ReadWrite
Read security groups in an organization's directory by using Groups.Read.All
Although a consumer user might grant an application access to this kind of data, organizational users are restricted from granting access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they are not authorized to consent to your app's permissions.
You could Using the admin consent endpoint and follow this Build an app with admin restricted scopes using the v2.0 endpoint github code sample to ensure your app can gather permissions for all users in a tenant, including admin-restricted scopes.