When you develop your own applications which use the Office 365 REST API, it might happen that users are facing the following error message when they try to authenticate, when your application is supposed to ask the consent of the user to access his data.
The difficult thing to understand is why this message is displayed and why all users are not concerned ?
Declare the application’s rights in Azure AD
When you create an application, you have to declare which rights are needed to access data when you make calls to the REST API.
Those rights are declared in Azure AD through the web console (https://manage.windowsazure.com) as you can see below.
Which is not indicated in the web console is that some of those rights need that an administrator (at the tenant level) give a consent to allow your application to use them.
If the consent of an administrator was not given and a non-administrator user tries to use the application, he will receive the following error message : AADSTS90093 – Calling principal cannot consent due to lack of permissions.
What permissions require an administrator consent ?
If you would like a complete description of how permissions work on Office 365, you could refer to the official documentation on MSDN : https://msdn.microsoft.com/office/office365/HowTo/application-manifest
In short if you want to know what permissions require an administrator consent, it depends of which product and which features you want to use.
You can find below a quick summary (grouped by products) of all the permissions which require an administrator consent. All other permissions (not listed below) only require a user consent.
SharePoint
- Have full control of all site collections
- Run search queries as a user
- Read user profiles
- Read and write user profiles
- Read managed metadata
- Read and write managed metadata
Outlook
No permission requires an administrator consent
Azure Active Directory
- Read all users’ full profiles
- Read directory data (except if the application is registered in the same tenant as the user)
- Read and write directory data
- Access the directory as the signed-in user (only for web applications)
Yammer
No permission requires an administrator consent
What to do if I encounter the error message ?
If you are facing to the error message mentioned previously, the first thing to do is to check if your application uses one of the permission in the list above.
If it’s the case, make sure that you absolutely need it, otherwise remove the right from the declared permissions for your application in Azure AD and it should solve the problem.
For example, you can perform searches on SharePoint sites under the identity of the current user, even if you only have the “Read items in all site collection” permission. It’s not needed to add the “Run search queries as a user” permission.
If you need the permission, you have to ask a tenant administrator to consent your application. Until the administrator consent, all users which are not administrators of the Office 365 tenant won’t be able to log-in and use your application.
Great article. I’m getting the same issue. I need the permission “Read directory data”, but how does the admin consent the application? Where do they go to do this? I see no options in the tenant administrators view?
LikeLike
Thanks for the blog, it save my days.
LikeLike
At this time, an administrator can only consent for web applications. If you are creating a native application (e.g. mobile application), there’s no way for an administrator to consent for all users and you’re limited on features you can use inside your application.
LikeLike
Thanks for the reply. My application is a web application. So how does the admin give consent? I have tried logging in as an admin first, but then when I log in as a non admin, the same error occurs – “AADSTS90093: Calling principal cannot consent due to lack of permissions.”. Thanks for any help
LikeLike
You can refer to this article (http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx) to understand how the authentication process work.
In short, you have to add a parameter named “prompt=admin_consent” when you acquire the authorization code (cf. “Step Two: Triggering user consent” in the article).
LikeLike
Thanks again for the quick response. I tried that, and adding the “prompt=admin_consent” works, but how is my app supposed to know whether to append the “prompt=admin_consent” or not? As I don’t know beforehand whether the current user is an admin or not. And if they are not, then they just end up with an ugly error page, of which I have no control over.
The only way around this I can think of, is to create 2 AAD apps, one with just “Enable sign-on and read users’ profiles”, which will be the generic login used for all users, and the other with both “Enable sign-on and read users’ profiles” and “Read directory data”, which will be used within the app from an “admin only” screen. But this feels like a workaround. Surely there’s a generic way of doing this?
Thanks for your replies btw – you’re a real help.
LikeLike
The most common and simple way to know if the user is an administrator or just a simple user, is to place a checkbox on the login of your web application. If the user select this option (e.g. I’m an administrator) then you add the parameter during the authorization process.
The admin consent is only required once. All subsequent accesses by any users (admins or not) know if the consent was given or not.
LikeLike
Thanks to this post I figured out something I’ve been stuck on for days
LikeLike
Thanks for this post, I am creating native application. I can authenticate using my sharepoint user (name@mytenant.onmicrosoft.com), But when I try to authenticate with outlook user (name@outlook.com) I get this error. Is there any possibility to authenticate with sharepoint using outlook user for native application?
LikeLike
Thanks for this post, I am creating native application. I can authenticate using my sharepoint user (name@mytenant.onmicrosoft.com), But when I try to authenticate with outlook user (name@outlook.com) I get this error (AADSTS65001). Is there any possibility to authenticate with sharepoint using outlook user for native application?
LikeLike