AADSTS90093 – Calling principal cannot consent due to lack of permissions

When you develop your own applications which use the Office 365 REST API, users might face the following error message when they try to authenticate, at the point where your application is supposed to ask the user for consent to access their data.

AADSTS90093 - Authentication Error

What is hard to understand is why this message is displayed and why not all users are affected.

Declare the application’s rights in Azure AD

When you create an application, you have to declare which rights are needed to access data when you make calls to the REST API.

Those rights are declared in Azure AD through the web console (https://manage.windowsazure.com) as you can see below.

Azure Manage Portal - Application Permissions

What the web console does not indicate is that some of those rights require an administrator (at the tenant level) to give consent before your application is allowed to use them.

If an administrator has not given consent and a non-administrator user tries to use the application, they will receive the following error message: AADSTS90093 – Calling principal cannot consent due to lack of permissions.

What permissions require an administrator consent?

If you would like a complete description of how permissions work on Office 365, you can refer to the official documentation on MSDN: https://msdn.microsoft.com/office/office365/HowTo/application-manifest

In short, which permissions require an administrator consent depends on which product and which features you want to use.

You can find below a quick summary (grouped by products) of all the permissions which require an administrator consent. All other permissions (not listed below) only require a user consent.

SharePoint

  • Have full control of all site collections
  • Run search queries as a user
  • Read user profiles
  • Read and write user profiles
  • Read managed metadata
  • Read and write managed metadata

Outlook

No permission requires an administrator consent

Azure Active Directory

  • Read all users’ full profiles
  • Read directory data (except if the application is registered in the same tenant as the user)
  • Read and write directory data
  • Access the directory as the signed-in user (only for web applications)

Yammer

No permission requires an administrator consent

What to do if I encounter the error message?

If you are facing the error message mentioned previously, the first thing to do is to check whether your application uses one of the permissions in the list above.

If it does, make sure that you absolutely need it; otherwise remove the right from the permissions declared for your application in Azure AD, which should solve the problem.

For example, you can perform searches on SharePoint sites under the identity of the current user even if you only have the “Read items in all site collection” permission; the “Run search queries as a user” permission is not needed for this.

If you do need the permission, you have to ask a tenant administrator to consent to your application. Until the administrator has consented, users who are not administrators of the Office 365 tenant won’t be able to log in and use your application.
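As an added example (not code from the original post), the following Python helpers implement the check described above: they flag declared permissions that appear in the post’s admin-consent list, build the Azure AD authorization request with the prompt=admin_consent parameter that the comments discuss (used only for the administrator flow), and recognise AADSTS90093 in the redirect back to the application so it can show a clear message instead of a generic failure. The authorize endpoint, client id, redirect URI and the sample callback URL are assumptions constructed for the example.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Permissions the post lists as requiring tenant-administrator consent.
# The "Read directory data" same-tenant exception is not modelled; the
# check is deliberately conservative and flags it in every case.
ADMIN_CONSENT_PERMISSIONS = {
    "SharePoint": {
        "Have full control of all site collections",
        "Run search queries as a user",
        "Read user profiles",
        "Read and write user profiles",
        "Read managed metadata",
        "Read and write managed metadata",
    },
    "Azure Active Directory": {
        "Read all users' full profiles",
        "Read directory data",
        "Read and write directory data",
        "Access the directory as the signed-in user",
    },
}

# Assumed Azure AD (v1) authorize endpoint; "common" accepts any tenant.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"


def permissions_needing_admin_consent(declared):
    """Return the (product, permission) pairs that need an administrator consent."""
    return [(product, perm) for product, perm in declared
            if perm in ADMIN_CONSENT_PERMISSIONS.get(product, set())]


def build_authorize_url(client_id, redirect_uri, resource, state, admin_consent=False):
    """Build the authorization request; add prompt=admin_consent only for the admin flow.

    'state' is an unguessable per-session value the callback must echo back."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "resource": resource, "state": state}
    if admin_consent:
        params["prompt"] = "admin_consent"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def classify_callback(callback_url):
    """Map the redirect back to the app to a status; AADSTS90093 means consent is missing."""
    query = parse_qs(urlparse(callback_url).query)
    if "code" in query:
        return "authorized"
    description = query.get("error_description", [""])[0]
    if "AADSTS90093" in description:
        return "admin_consent_required"
    return "error"
```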


10 thoughts on “AADSTS90093 – Calling principal cannot consent due to lack of permissions”

  1. Gwyn Howell

    Great article. I’m getting the same issue. I need the permission “Read directory data”, but how does the admin consent the application? Where do they go to do this? I see no options in the tenant administrators view?

  2. Stéphane Cordonnier (@s_cordonnier) Post author

    At this time, an administrator can only consent for web applications. If you are creating a native application (e.g. mobile application), there’s no way for an administrator to consent for all users and you’re limited on features you can use inside your application.

    1. Gwyn Howell

      Thanks for the reply. My application is a web application. So how does the admin give consent? I have tried logging in as an admin first, but then when I log in as a non admin, the same error occurs – “AADSTS90093: Calling principal cannot consent due to lack of permissions.”. Thanks for any help

  3. Gwyn Howell

    Thanks again for the quick response. I tried that, and adding the “prompt=admin_consent” works, but how is my app supposed to know whether to append the “prompt=admin_consent” or not? As I don’t know beforehand whether the current user is an admin or not. And if they are not, then they just end up with an ugly error page, of which I have no control over.

    The only way around this I can think of, is to create 2 AAD apps, one with just “Enable sign-on and read users’ profiles”, which will be the generic login used for all users, and the other with both “Enable sign-on and read users’ profiles” and “Read directory data”, which will be used within the app from an “admin only” screen. But this feels like a workaround. Surely there’s a generic way of doing this?

    Thanks for your replies btw – you’re a real help.

    1. Stéphane Cordonnier (@s_cordonnier) Post author

      The most common and simple way to know if the user is an administrator or just a simple user is to place a checkbox on the login of your web application. If the user selects this option (e.g. I’m an administrator) then you add the parameter during the authorization process.

      The admin consent is only required once. All subsequent accesses by any users (admins or not) know if the consent was given or not.

  4. Samaludheen

    Thanks for this post, I am creating a native application. I can authenticate using my SharePoint user (name@mytenant.onmicrosoft.com), but when I try to authenticate with an Outlook user (name@outlook.com) I get this error. Is there any possibility to authenticate with SharePoint using an Outlook user for a native application?

  5. Samaludheen

    Thanks for this post, I am creating a native application. I can authenticate using my SharePoint user (name@mytenant.onmicrosoft.com), but when I try to authenticate with an Outlook user (name@outlook.com) I get this error (AADSTS65001). Is there any possibility to authenticate with SharePoint using an Outlook user for a native application?
