I think I\'m missing an understanding of a development process under Azure AD. I develop a web app, that is authenticated via AD in our corp network, and uses some of our servic
I agree the UX is not phenomenal on this one.
Just logging in as an admin is not enough. You have to be logging in with the prompt query parameter set to admin_consent. At least when using the OAuth endpoint.
So you need to hit a URL such as https://login.microsoftonline.com/common/oauth2/authorize?client_id=your-client-id&redirect_uri=your-encoded-reply-url&response_mode=form_post&response_type=code+id_token&prompt=admin_consent.
Replace your-client-id with your app's client id, and your-encoded-reply-url with a valid reply URL for your app. Also replace common with your tenant id/domain name if your app is not multi-tenant.
If you want to do it the easy way, use Vittorio's nifty form at his blog. Just enter the tenant id (or common), reply URL, and your app's client id, tick the admin consent checkbox and click Go.
And yes, you need to be an admin in Azure AD to do this, so ask your admin to do this.
EDIT: With the newest update to the Azure Portal came the ability to grant permissions from the portal directly.
If you go to Azure Active Directory in the new portal, find your app registration there and click Grant Permissions under the Required permissions blade.
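An added example, not part of the answer above or of any Microsoft library, showing how to assemble the admin-consent authorize URL the answer describes with proper query encoding, and how to check an existing URL for the `prompt=admin_consent` parameter that plain admin sign-in lacks. The client id and reply URL are constructed placeholders; the allow-list of registered reply URLs is an assumption standing in for whatever the app registration actually contains.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Azure AD v1 authorize endpoint from the answer; {tenant} is "common" or a tenant id/domain
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"


def build_admin_consent_url(client_id, reply_url, tenant="common", registered_reply_urls=()):
    """Return the authorize URL with prompt=admin_consent.

    reply_url is sent as redirect_uri and must match a reply URL registered for the app
    exactly; Azure AD rejects the request otherwise, so we check against an (assumed)
    allow-list before building the URL rather than discovering the mismatch at sign-in.
    """
    if registered_reply_urls and reply_url not in registered_reply_urls:
        raise ValueError("reply_url is not a registered reply URL for this app: %s" % reply_url)

    params = {
        "client_id": client_id,
        "redirect_uri": reply_url,          # urlencode percent-encodes this for us
        "response_mode": "form_post",
        "response_type": "code id_token",   # encoded as code+id_token, as in the answer
        "prompt": "admin_consent",          # the part a plain admin login does not send
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def parse_authorize_url(url):
    """Decode the query string of an authorize URL into a flat dict (first value per key)."""
    query = urlsplit(url).query
    return {key: values[0] for key, values in parse_qs(query).items()}


def requests_admin_consent(url):
    """True only when the URL carries prompt=admin_consent, i.e. tenant-wide consent."""
    return parse_authorize_url(url).get("prompt") == "admin_consent"


if __name__ == "__main__":
    # Constructed placeholder values, not a real app registration.
    client_id = "00000000-0000-0000-0000-000000000000"
    reply_url = "https://localhost:44300/signin-oidc"
    url = build_admin_consent_url(client_id, reply_url, registered_reply_urls=(reply_url,))
    print(url)
    print("admin consent requested:", requests_admin_consent(url))
```

Because `urlencode` handles the percent-encoding, the `redirect_uri` survives the round trip through `parse_authorize_url` unchanged, which is the property to check when a hand-built consent link fails with a redirect URI error.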