Freigeben über


Receiving AADSTS90094: The grant requires admin permission.

Introduction

This post is to help provide guidance when receiving the error : AADSTS90094: The grant requires admin permission.

Typically this error is received when trying to get access to an AAD application registration. Please note that there are two different Microsoft application portals:

https://portal.azure.com  (v1 application portal) and the https://myapps.microsoft.com (v2 application portal).

For details on the different application models, please visit the following link:
What's different about the v2.0 endpoint?

 

These different application models require different processes in order to resolve the AADSTS90094 error.

 

V1 Application Resolution

If you are using an AAD Application Registration under the URL portal.azure.com,  then all that needs to be done is to click the "Grant Permissions" button.

 

image

 

To apply the permission scopes to the application, use the "Grant Permissions" button.  If any of the permission scopes check in the Enable Access blade have Yes in the "REQUIRES ADMIN" column then a user with administrative permissions on the tenant will need to complete the consent process by clicking the "Grant Permissions" button.

 

image

 

This is also described in the article : https://docs.microsoft.com/en-us/azure/active-directory/application-dev-registration-config-grant-permissions-how-to

 

The link describes a second way to grant permissions.

 

V1 Application User Consent Disabled

 

Sometimes the tenant doesn’t allow users to consent for an application to access data on their behalf. This switch is shown in the picture below:

image

 

If the admin disabled users to be able to consent to allow third-party multi-tenant applications access their user profile data in the directory, the admins must consent to these applications before users may use them.

In this scenario, your app can require the users to provide the email of the admin of their tenant and send the admin-consent link to the admin.

 

Essentially in order to resolve the issue, you will have to get a global admin to generate the URL below. This is taken from the link : https://docs.microsoft.com/en-us/azure/active-directory/application-dev-registration-config-grant-permissions-how-to

You can construct a request to login.microsoftonline.com with your app configs and append on &prompt=admin_consent. After signing in with admin credentials, the app has been granted consent for all users.

So it would look like the below URL (replace with your app configs):

 https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=<client id>&response_type=code&redirect_uri=<Your-Redirect-URI-Https-Encoded>&nonce=1234&resource=<your-resource-Https-encoded>&prompt=admin_consent

V1 Enterprise Application/ V1 Multi-tenant Applications Requiring Admin Consent

In order to grant admin consent to a multi-tenant application you have in your tenant you won't be able to press the grant permissions button since the Application Registration is in the creator's tenant where the original AAD Application Registration in. If you're receiving this error when trying to grant admin consent to a multi tenanted AAD Application you will need to get a global admin to grant admin consent on behalf of all the users in the tenant, following the same steps in the section before.

You will have to create this URL :

https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=<client id>&response_type=code&redirect_uri=<Your-Redirect-URI-Https-Encoded>&nonce=1234&resource=<your-resource-Https-encoded>&prompt=admin_consent

Replacing the fields respectively with your tenant ID, Client ID, Redirect URI, and resource. Please contact the main multi-tenant AAD Application owner for information on the resource URI, it can be found in the original AAD Application Registration's properties.

 

V2 Application Resolution

If you are using the https://myapps.microsoft.com portal, then you will need to utilize the adminconsent endpoint in order to properly grant admin consent for the v2 application model. This is  described in the Microsoft Documentation at the following link:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-the-admin-consent-endpoint

 

Conclusion

We have now described some scenarios where AADSTS90094 error could occur. If one of these solutions does not resolve your issue please file a support ticket and one of our support engineers will reach out to you to help resolve your issue.  Please have the following information in your support request:

  1. Fiddler trace if you can obtain one.
  2. Correlation ID or Request ID  along with its associated timestamp.  With most AADSTS* type errors, the correlation ID and timestamp is provided in the error body text.

Comments

  • Anonymous
    October 17, 2018
    Request Id: a938e271-0a47-42bd-b306-66361fc20200Correlation Id: 61f92ffc-9cce-42db-9414-0758cbb32a2aTimestamp: 2018-10-18T00:31:08ZMessage: AADSTS90094: An administrator of Microsoft has set a policy that prevents you from granting hua-java-1017 the permissions it is requesting. Contact an administrator of Microsoft who can grant permissions to this application on your behalf.Advanced diagnostics: DisableIf you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
    • Anonymous
      October 18, 2018
      Hello, please file a support ticket for azure active directory in order to work to resolve this issue with Microsoft Support. This will be the best way to work to resolve your issue.
    • Anonymous
      October 22, 2018
      Hi Hua Zhang,I am also facing same issue and similar error.Request Id: f2f125fb-232d-4772-bb44-579933646e00Correlation Id: 30b72119-5195-4095-8928-f6c49efe26b7Timestamp: 2018-10-22T06:33:28ZMessage: AADSTS90094: An administrator of Microsoft has set a policy that prevents you from granting [appName] the permissions it is requesting. Contact an administrator of Microsoft who can grant permissions to this application on your behalf.Advanced diagnostics: EnableIf you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
  • Anonymous
    October 23, 2018
    I am also getting the same error:Request Id: 5d0aba38-bb07-446e-85ba-417ddac72800 Correlation Id: 28407de8-20ca-4db1-9bb3-bd165d855156 Timestamp: 2018-10-24T06:03:45Z Message: AADSTS90094: An administrator of Microsoft has set a policy that prevents you from granting azuresupporttool the permissions it is requesting. Contact an administrator of Microsoft who can grant permissions to this application on your behalf.Advanced diagnostics: DisableIf you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
    • Anonymous
      October 24, 2018
      Hello, for all users getting this error, the reason you are getting this error is because your tenant has a policy that requires an Admin to grant permissions on behalf of your application. Please do not post all this information publicly. Instead engage with your respective company to get admin consent approved for your application.
      • Anonymous
        October 24, 2018
        Hello,I have customers receiving this error and they are unable to resolve it. I have watched them repeatedly use a global admin account to authorize the use of the add-in, checked their policy settings and EAC settings for plugins and nowhere can I see anything that would cause this error to continually pop up.
        • Anonymous
          October 24, 2018
          Hello, Please file a support ticket as there is something missing and requires further research. Have you clarified that they are using the right AAD Application ID and that it's in the v1.0 endpoint or the v2.0 endpoint?