
Azure Entra ID - Requiring Admin Consent - How to avoid this


Created a simple test application with Streamlit and Python which asks the user to log in with Entra ID and, once the user is logged in, shows his/her display name and role.

The Entra ID login URL is: https://login.microsoftonline.com/[TenantID]/oauth2/v2.0/authorize?client_id=[ClientID]&response_type=code&redirect_uri=[MyLocalURL]&scope=User.Read+offline_access+openid+profile&state=[GUID]&nonce=[GUID]&prompt=select_account

Message we are getting: [screenshot]

Please allow me to share more details about the settings below:

In Entra ID, I did the app registration and added the API permission as below: [screenshot]

Let me share the enterprise application's settings: [screenshots]


Even with the above settings, we are still getting the admin consent popup in the customer's environment. As per the beautiful answer provided here, I now have a few basic questions as below:

  1. Is it mandatory that we add the "User.Read" permission in the "Permission classification" blade?
  2. If the answer to the above is yes, then there is a concern about security, as this setting will apply at tenant level. Is that a valid concern, or is this the only way to resolve this?
  3. I checked the URL (the redirect URL from my test app) in the browser during the redirect; it additionally includes [offline_access, openid, profile]. Is it mandatory to add those permissions under API permissions?
  4. Any other area which might be causing this admin consent popup?

Solution

  • To avoid requiring admin consent, you have to either grant admin consent to the Microsoft Entra ID application or configure user consent in the tenant.

    Hence, to resolve the issue, go to Azure Portal -> Enterprise applications -> Consent and permissions -> User consent settings -> enable the option "Allow user consent for apps" -> Save.

    [screenshot]

    Now the user will be able to consent:

    [screenshot]

    If the application resides in one tenant and user resides in another tenant, then the setting must be made in the tenant where the user resides.

    Reference:

    Admin consent for applications with permissions like User.Read or Notes.ReadWrite.All? : r/AZURE
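As an added example (not code from the question or the answer above), the following Python script shows two checks behind questions 1 to 3: how the scope list in the question's authorize URL splits into reserved OpenID Connect scopes (openid, profile, offline_access), which MSAL adds itself and which never appear as API permissions, versus the one delegated permission (User.Read) that does; and how the tenant's user consent setting, read from the Microsoft Graph authorizationPolicy resource, decides whether a user can consent to that permission without an admin. The authorize URL and the policy JSON are constructed samples with placeholders; the two permission-grant policy ids are the ones Microsoft documents for authorizationPolicy and should be checked against current documentation; for the low-impact mode the verified-publisher condition is assumed to be satisfied.

```python
from urllib.parse import urlparse, parse_qs

# Scopes handled by the OpenID Connect / OAuth layer itself. MSAL adds these
# automatically and they are not listed as API permissions on the app registration.
RESERVED_SCOPES = {"openid", "profile", "offline_access"}

# Constructed authorize URL mirroring the one in the question, with placeholders
# instead of real tenant, client, state and nonce values.
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize"
    "?client_id=CLIENT-ID-PLACEHOLDER&response_type=code"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8501"
    "&scope=User.Read+offline_access+openid+profile"
    "&state=STATE-PLACEHOLDER&nonce=NONCE-PLACEHOLDER&prompt=select_account"
)

# Permission-grant policy ids Microsoft documents for the Graph authorizationPolicy
# resource (assumption: verify against current docs before relying on these strings).
USER_CONSENT_ALL_APPS = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
USER_CONSENT_LOW_IMPACT = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

# Constructed sample of GET /policies/authorizationPolicy, trimmed to the field
# that controls user consent. This tenant allows user consent only for
# classified low-impact permissions.
SAMPLE_POLICY = {
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [USER_CONSENT_LOW_IMPACT]
    }
}


def split_scopes(authorize_url):
    """Split the scope parameter into (reserved OIDC scopes, delegated permissions)."""
    query = parse_qs(urlparse(authorize_url).query)
    # parse_qs decodes '+' as a space, so the scope list is space separated here.
    scopes = query.get("scope", [""])[0].split()
    reserved = sorted(s for s in scopes if s.lower() in RESERVED_SCOPES)
    delegated = sorted(s for s in scopes if s.lower() not in RESERVED_SCOPES)
    return reserved, delegated


def consent_mode(policy):
    """Map the tenant's assigned permission-grant policies to a user consent mode."""
    assigned = policy["defaultUserRolePermissions"]["permissionGrantPoliciesAssigned"]
    if not assigned:
        return "disabled"          # only admins can consent
    if USER_CONSENT_ALL_APPS in assigned:
        return "all-apps"          # users may consent to any permission
    if USER_CONSENT_LOW_IMPACT in assigned:
        return "low-impact-only"   # users may consent only to classified permissions
    return "custom"                # tenant-specific policy; inspect it separately


def needs_admin_consent(delegated, mode, low_impact_classified):
    """Return True if a plain user could not consent to these delegated permissions.

    Simplification: for 'low-impact-only' the verified-publisher condition is
    assumed to be met, so only the permission classification is checked.
    """
    if not delegated:
        return False
    if mode == "all-apps":
        return False
    if mode == "low-impact-only":
        classified = {p.lower() for p in low_impact_classified}
        return any(p.lower() not in classified for p in delegated)
    return True                    # 'disabled' or unknown policy: be conservative


if __name__ == "__main__":
    reserved, delegated = split_scopes(AUTHORIZE_URL)
    mode = consent_mode(SAMPLE_POLICY)
    print("reserved OIDC scopes:", reserved)
    print("delegated permissions needing API permission entries:", delegated)
    print("tenant user consent mode:", mode)
    # With nothing classified as low impact, User.Read still needs an admin here;
    # classifying User.Read as low impact flips this to False without opening
    # consent for every app in the tenant.
    print("admin consent required:", needs_admin_consent(delegated, mode, set()))
```

Run against the sample policy, the script reports that only User.Read is a delegated permission and that, in a tenant set to the low-impact mode, it prompts for admin consent until it is classified as low impact. That is the narrower alternative to the tenant-wide "Allow user consent for apps" switch the answer enables: the permission classification limits what users may self-consent to instead of allowing every permission for every app.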