You have a custom client and a custom API. There is an application registration in Azure AD for each of these apps, one for the custom client, and one for the custom API. You want your users to be able to bundle the consent for these apps. You might see one of the following errors… Step 1: Configure knownClientApplications for the API app registration First, you will need to add…
Read MoreThe identity of the calling application could not be established
You are getting the following error from Microsoft Graph or downstream services that uses Microsoft Graph… The identity of the calling application could not be established This error is thrown because the “oid” and “sub” claim is missing from the access token. This is because the servicePrincipal does not exist in the tenant or the tenant is not aware of the application. Partner Scenario If this is a Partner application,…
Read MoreUsing Microsoft Graph PowerShell SDK to manage user consented permissions
The oAuth2PermissionGrant object keeps a record of user consented permissions (Delegated Permissions) in a tenant. There is one OAuth2PermissionGrant object (identified by Consent ID) for each combination of client application, resource application, and user. The sample PowerShell script in this post will perform the following tasks: Remove all MS Graph Delegated permissions (if any) for the user Perform user consent for an initial set of MS Graph permission Update the…
Read MoreRevoke Admin Consent for a delegated permission on a Service Principal with the MS Graph PowerShell SDK
Scenario: You use the Microsoft Graph Explorer tool to test a query. It requires you to consent to a permission so you use your admin account to do this. However, you click the check box to consent for the entire organization… woops! You did not mean to give everyone permissions for “AuditLog.Read.All” so now you need to revoke this permission. The easiest way to revoke consent is to just delete…
Read MoreTroubleshooting consent in Azure AD
This is a general guide for troubleshooting consent in Azure AD. It will help resolve majority of the consent related scenarios (Not all of them). In general, the application is trying to sign-in or get an access token for a resource which has not been consented by the user or admin. In general, you want to make sure all of the permissions needed by the application have been consented to.…
Read Morereceiving error AADSTS50105: The signed in user ‘{EmailHidden}’ is not assigned to a role for the application
Problem: A tenant admin may receive the error “AADSTS50105: The signed in user ‘{EmailHidden}’ is not assigned to a role for the application…” when clicking on the “Grant Admin Consent” button in Azure AD’s App Registration portal as shown in the screen shot below: Why is this happening? This error typically happens when the Enterprise Application portion (or Service Principal) of the registered application has the setting ‘User Assignment Required’…
Read MoreAADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for ‘AAD Graph’ in the requested permissions in the client’s application registration.
Let’s get started… You are getting the following similar message… AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for ‘AAD Graph’ in the requested permissions in the client’s application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your…
Read More