Introduction
This post provides guidance for resolving the error AADSTS90094: The grant requires admin permission.
Typically this error is received when trying to get access to an AAD application registration. Note that there are two different Microsoft application portals:
https://portal.azure.com (v1 application portal) and https://myapps.microsoft.com (v2 application portal).
For details on the different application models, please visit the following link:
What’s different about the v2.0 endpoint?
These two application models require different processes to resolve the AADSTS90094 error.
V1 Application Resolution
If you are using an AAD Application Registration under the portal.azure.com portal, all that needs to be done is to click the “Grant Permissions” button.
NOTE: All application permissions require a tenant administrator to complete the consent process by clicking the “Grant Permissions” button.
To apply the permission scopes to the application, use the “Grant Permissions” button. If any of the permission scopes checked in the Enable Access blade have Yes in the “REQUIRES ADMIN” column, a user with administrative permissions on the tenant must complete the consent process by clicking the “Grant Permissions” button.
This is also described in the article https://docs.microsoft.com/en-us/azure/active-directory/application-dev-registration-config-grant-permissions-how-to, which describes a second way to grant permissions.
V1 Application User Consent Disabled
Sometimes the tenant doesn’t allow users to consent for an application to access data on their behalf. This setting is shown in the picture below:
If an admin has disabled the ability of users to consent to third-party multi-tenant applications accessing their user profile data in the directory, an admin must consent to these applications before users may use them.
In this scenario, your app can require users to provide the email address of their tenant’s admin and send the admin-consent link to that admin.
To resolve the issue, you will have to get a global admin to sign in through the URL below. This is taken from https://docs.microsoft.com/en-us/azure/active-directory/application-dev-registration-config-grant-permissions-how-to:
You can construct a request to login.microsoftonline.com with your app configuration and append &prompt=admin_consent. After an admin signs in, the app has been granted consent for all users.
So it would look like the below URL (replace with your app configs):
https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=<client id>&response_type=code&redirect_uri=<Your-Redirect-URI-Https-Encoded>&nonce=1234&resource=<your-resource-Https-encoded>&prompt=admin_consent
V1 Enterprise Application/ V1 Multi-tenant Applications Requiring Admin Consent
For a multi-tenant application used in your tenant, you cannot press the Grant Permissions button, because the Application Registration lives in the creator’s tenant, not yours. If you are receiving this error when trying to grant admin consent to a multi-tenant AAD Application, you will need a global admin to grant admin consent on behalf of all users in the tenant, following the same steps as in the previous section.
You will have to create this URL:
https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=<client id>&response_type=code&redirect_uri=<Your-Redirect-URI-Https-Encoded>&nonce=1234&resource=<your-resource-Https-encoded>&prompt=admin_consent
Replace the placeholders with your tenant ID, client ID, redirect URI, and resource. Contact the owner of the multi-tenant AAD Application for the resource URI; it can be found in the original AAD Application Registration’s properties.
V2 Application Resolution
If you are using the https://myapps.microsoft.com portal, then you will need to utilize the adminconsent endpoint in order to properly grant admin consent for the v2 application model. This is described in the Microsoft Documentation at the following link:
Conclusion
We have now described some scenarios in which the AADSTS90094 error can occur. If none of these solutions resolves your issue, please file a support ticket and one of our support engineers will reach out to you. Please include the following information in your support request:
- A Fiddler trace, if you can obtain one.
- The Correlation ID or Request ID along with its associated timestamp. With most AADSTS* errors, the correlation ID and timestamp are provided in the error body text.
Request Id: a938e271-0a47-42bd-b306-66361fc20200
Correlation Id: 61f92ffc-9cce-42db-9414-0758cbb32a2a
Timestamp: 2018-10-18T00:31:08Z
Message: AADSTS90094: An administrator of Microsoft has set a policy that prevents you from granting hua-java-1017 the permissions it is requesting. Contact an administrator of Microsoft who can grant permissions to this application on your behalf.
Advanced diagnostics: Disable
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
Hello, please file a support ticket for Azure Active Directory in order to work to resolve this issue with Microsoft Support. This will be the best way to work to resolve your issue.
Hi Hua Zhang,
I am also facing the same issue and a similar error.
Request Id: f2f125fb-232d-4772-bb44-579933646e00
Correlation Id: 30b72119-5195-4095-8928-f6c49efe26b7
Timestamp: 2018-10-22T06:33:28Z
Message: AADSTS90094: An administrator of Microsoft has set a policy that prevents you from granting [appName] the permissions it is requesting. Contact an administrator of Microsoft who can grant permissions to this application on your behalf.
Advanced diagnostics: Enable
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
I am also getting the same error:
Request Id: 5d0aba38-bb07-446e-85ba-417ddac72800
Correlation Id: 28407de8-20ca-4db1-9bb3-bd165d855156
Timestamp: 2018-10-24T06:03:45Z
Message: AADSTS90094: An administrator of Microsoft has set a policy that prevents you from granting azuresupporttool the permissions it is requesting. Contact an administrator of Microsoft who can grant permissions to this application on your behalf.
Advanced diagnostics: Disable
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
Hello, for all users getting this error, the reason you are getting this error is because your tenant has a policy that requires an Admin to grant permissions on behalf of your application. Please do not post all this information publicly. Instead engage with your respective company to get admin consent approved for your application.
Hello,
I have customers receiving this error and they are unable to resolve it. I have watched them repeatedly use a global admin account to authorize the use of the add-in, checked their policy settings and EAC settings for plugins and nowhere can I see anything that would cause this error to continually pop up.
Hello, Please file a support ticket as there is something missing and requires further research. Have you clarified that they are using the right AAD Application ID and that it’s in the v1.0 endpoint or the v2.0 endpoint?