I have made a web app that using Microsoft Graph api's. when we authenticate user using their personnel account then it work perfectly but when someone use their organizational account then error display which is
"AADSTS65001: The user or administrator has not consented to use the application with ID '29eb2e50-3e2b-45a4-9488-d9b08a34b6f0' named 'testing app'.
Send an interactive authorization request for this user and resource.
Trace ID: 4a665bcf-c19e-48f8-b5c2-056e61aa2d00
Correlation ID: 1ad728bb-6fa2-4f27-ae5e-215f580d2e9e
Timestamp: 2022-09-05 10:46:49Z","error_codes":[65001],"timestamp":"2022-09-05 10:46:49Z","trace_id":"4a665bcf-c19e-48f8-b5c2-056e61aa2d00","correlation_id":"1ad728bb-6fa2-4f27-ae5e-215f580d2e9e","suberror":"consent_required"}
now kindly let me know how can we resolve it. I have done all changes in our azure app which is provided by the internet but still the same error please let me know which permission I should add or which changes are made to resolve this issue thanks.
First, you need to be the administrator of the tenant (if you are not a tenant administrator, you cannot give the administrator permission), you can set up user roles according to Assign Azure AD roles.
1.Log in to https://portal.azure.com as a tenant administrator.
2.Open the registration of your application in the following location.
3.Go to settings and then the required permissions.
4.Press the grant permission button.
Check if the user or organizational account has the required permission granted as seen in the sample below.
Related
Regarding the AppSource submission, the docs state the following:
"You must provide at least two login credentials, one admin and one non-admin"
"For enterprise apps, apps where a subscription is required, or apps where there is an Office 365 tenant/domain dependency, you must provide a third account in the same domain that is not pre-configured for your app so that we can validate the first-run user experience."
For #1, our add-in does require external login and we will provide test credentials. However we don't have the concept of an "admin user" within the add-in. What exactly are we meant to provide for that?
For #2, our add-in will require that the user have an account with us (subscription?) what exactly do we need to provide? Another user of our system without access so it can be verified how that user experience is? A user will not be allowed to upgrade themselves but will be prompted to call our customer rep.
I've run into your first question: "You must provide at least two login credentials, one admin and one non-admin" as well with some confusion.
From what I can see this points to https://learn.microsoft.com/en-us/microsoftteams/using-admin-roles. They define a teams admin by the role "Teams Service Administrator". This can be added to an account here https://admin.microsoft.com/adminportal/home, I'd recommend a guest account.
Hopefully this helps.
I try to give new users in our domain access to our VSTS. We have MSDN enterprise subscriptions via MPN. The subscription is assigned and visible for the user if he logs in my.visualstudio.com with his work account. If the user tries to access the VSTS at [ourprojects].visualstudio.com he gets “VSTS login fails with 401 not authorized – [user] has multiple accounts associated with it. Your work or school account does not have access to [ourprojects].visualstudio.com, but your personal account does have access. “.
Signing in with the personal account as suggested by the error message leads to another error: “This Microsoft account does not exist.” This is correct. The account in charge is definitely a work account in Microsoft Azure Active Directory. So the first error message is somehow strange and leads into the wrong direction.
Our domain accounts are synchronized with Azure Active Directory (AAD). I can see the new users both in our domain and AAD. The user can login into my.visualstudio.com with his work account. So sync with Windows Server AD and AAD looks working correctly. MSDN assignment works, too.
Loggin into my.visualstudio.com redirects to the login page of our domain. thsi is corect and works fine. But this redirect does not take place loggin into VSTS.
For other older accounts in our domain VSTS access with work account works completely fine. Has anybody experienced similar problems?
Finally I talked to Microsoft support. It turned out that this VSTS account is not backed by Azure Active Directory. It has to be converted to do so.
To check if a Azure DevOps/VSTS account is backed by AAD, you can look in the settings page ("gears"->Settings) of Azure DevOps at the very bottom.
I am trying to configure Grafana for my organization. I was able to configure LDAP and MySQL database pretty easily but when I try to invite a new user to an org in Grafana, it always asks the user to join Grafana.
This would be an OK behavior if at that point Grafana would authenticate against LDAP. Instead, it creates a new user in its own database. This would lead to conflict with LDAP in case the user's AD passwords changes.
This works perfectly when a user had previously logged in to Grafana. An invite sent after would directly take the user to login page.
Is it possible to do the same in case the user is not already registered in Grafana? I really want to avoid saving user credentials in Grafana database.
Any help would be appreciated. Thanks.
I am not a Grafana expert, but looking through the source code on GitHub it certainly seems that new user registration will not go through LDAP. This is obvious in the LDAP related configuration file where you see the read-only credentials needed to look up users in the LDAP directory. A read-only administrator in LDAP will not be able to create new users as this would be necessary during a registration step. The code also indicates that registration creates temporary users in the internal store.
While implementing SSRS I am able to access the https://.com/reports and I am able to add new users and sys admins.
When a user that I have added as a sys admin tries to login the get the following error,
User 'DOMAIN\user' does not have required permissions. Verify that
sufficient permissions have been granted and Windows User Account
Control (UAC) restrictions have been addressed.
Although They are able to select Site Settings and Manage security settings they are still unable to see the home page.
I want to get started with the Office365 Unified API , so I decided to register a new web app to our azure directory.
In the section: "permissions to other applications" , I select Office365 unified API(preview)
I only get set delegated permission (I don't have all admin powers in our tenant), so I choose the ones I need (user profiles, sign-in , the exact number does not matter).
When I save the configuration I get the message
Could not update the configuration for app ""
Information tells me:
Unauthorized. You do not have sufficient permissions to access this resource.
The strange is , that when I log out and return to the application in the Azure Portal, I do see those modification in the configuration ?!
Finally when I try to call the REST endpoint (with valid Accesstoken etc..) I get this message:
{"error":"invalid_grant","error_description":"AADSTS65001: No permission to access user information is configured for 'f1299649-ea20-4cf6-9cd6-afb69d9b5760' application, or it is expired or revoked.\r\nTrace ID: 69ab1a6c-eeda-4351-8e1e-2b774c19a5a0\r\nCorrelation ID: 968a962e-d851-48bb-ad6f-3f05ea7b8efe\r\nTimestamp: 2015-06-18 20:12:15Z","error_codes":[65001],"timestamp":"2015-06-18 20:12:15Z","trace_id":"69ab1a6c-eeda-4351-8e1e-2b774c19a5a0","correlation_id":"968a962e-d851-48bb-ad6f-3f05ea7b8efe","submit_url":null,"context":null}
So maybe the Azure Portal UI is right the first time and those permissions where never stored with the app ?
the application details in https://portal.office.com/myapps tell me this:
Permissions
This app works with data in your documents. It will be able to:
Read directory data
Sign you in and read your profile
Read all users'basic profiles
Access the directory as you
Read directory data
Sign-in as you and read your profile
What would be the next step to take to get this to work ?
What is your app trying to do (in terms of access to users, groups etc)?
Access the directory as you is a permission that requires admin consent. The portal unfortunately has a bug that it appears as though you have the permission, but that's not true. That's because there are 2 elements here - configuring the permissions your app needs which drives the consent experience AND the consent grant. The portal (under the covers) tries to consent the app for the permissions it requires within the developer tenant. A non-admin in this case has permissions to update the app configuration, but not to consent for those permissions in their tenant.
Hope this helps,
It is impossible to set permissions to Office 365 Unified API for your application even if you are tenant administrator due to error. I have tried it. Remember that whole Unified API is in Preview mode so there will definitely be other errors.