Tag Archives: Exchange

AADSTS90093 – Calling principal cannot consent due to lack of permissions

10 Replies

When you develop your own applications which use the Office 365 REST API, it might happen that users are facing the following error message when they try to authenticate, when your application is supposed to ask the consent of the user to access his data.

AADSTS90093 - Authentication Error

The difficult thing to understand is why this message is displayed and why all users are not concerned ?

Declare the application’s rights in Azure AD

When you create an application, you have to declare which rights are needed to access data when you make calls to the REST API.

Those rights are declared in Azure AD through the web console (https://manage.windowsazure.com) as you can see below.

Azure Manage Portal - Application Permissions

Which is not indicated in the web console is that some of those rights need that an administrator (at the tenant level) give a consent to allow your application to use them.

If the consent of an administrator was not given and a non-administrator user tries to use the application, he will receive the following error message : AADSTS90093 – Calling principal cannot consent due to lack of permissions.

What permissions require an administrator consent ?

If you would like a complete description of how permissions work on Office 365, you could refer to the official documentation on MSDN : https://msdn.microsoft.com/office/office365/HowTo/application-manifest

In short if you want to know what permissions require an administrator consent, it depends of which product  and which features you want to use.

You can find below a quick summary (grouped by products) of all the permissions which require an administrator consent. All other permissions (not listed below) only require a user consent.

SharePoint

  • Have full control of all site collections
  • Run search queries as a user
  • Read user profiles
  • Read and write user profiles
  • Read managed metadata
  • Read and write managed metadata

Outlook

No permission requires an administrator consent

Azure Active Directory

  • Read all users’ full profiles
  • Read directory data (except if the application is registered in the same tenant as the user)
  • Read and write directory data
  • Access the directory as the signed-in user (only for web applications)

Yammer

No permission requires an administrator consent

What to do if I encounter the error message ?

If you are facing to the error message mentioned previously, the first thing to do is to check if your application uses one of the permission in the list above.

If it’s the case, make sure that you absolutely need it, otherwise remove the right from the declared permissions for your application in Azure AD and it should solve the problem.

For example, you can perform searches on SharePoint sites under the identity of the current user, even if you only have the “Read items in all site collection” permission. It’s not needed to add the “Run search queries as a user” permission.

If you need the permission, you have to ask a tenant administrator to consent your application. Until the administrator consent, all users which are not administrators of the Office 365 tenant won’t be able to log-in and use your application.

Introducing the new Office 365 unified API

Leave a reply

Build conference was held in San Francisco this week (from April 29th to May 1st) and it was the place to be because Microsoft made a lot of announcements around its ecosystem (Windows 10, Azure, HoloLens, Office 365…).

Among all the news annouced this week, we particularly appreciated the launch (in preview version for now) of the Office 365 unified API. Let’s take a look to this new API.

Why a new API ?

As you probably know, Office 365 offers a lot of features for companies who needs a directory, emails, instant messaging, collaboration, videos, search, social network…

Each of these features are offered by a dedicated product (Azure AD, Exchange, Lync, SharePoint, Yammer, OneDrive for Business…) and it was pretty complicated to develop solutions which are connected with all of them.

Indeed, each product has its own API, accessible through a dedicated endpoint :

It’s to simplify all of this, that the new Office 365 Unified API was created. It allows developers to create solutions which are able to reach the content of each product from a single endpoint.

Office365 Unified API

A single endpoint is more easy to use and it simplifies a lot of tasks such as managing authentication tokens (you need one access token for each endpoint when you use the actual Office 365 APIs).

This new API works like the actual APIs so to use it, you need to :

  • Register you app in Azure AD
  • Define permission scopes and security
  • Authenticate through OAuth 2.0

Office365 Unified API - Registration in Azure

To retrieve data from your tenant and after successful completion of the authentication process, you can send requests to the endpoint as you can see in the following examples.

Me (or other users)

Get information about the current user (the authenticated user) :

https://graph.microsoft.com/beta/me

Get the picture (of given dimensions) for the current user :

https://graph.microsoft.com/beta/me/userphotos/96X77

Get the manager, the subordinates or the groups for the current user :

https://graph.microsoft.com/beta/me/manager
https://graph.microsoft.com/beta/me/directReports
https://graph.microsoft.com/beta/me/memberOf

Get information about another user in your company’s directory  :

https://graph.microsoft.com/beta/contoso.com/users/demo@contoso.com
https://graph.microsoft.com/beta/contoso.com/users/demo@contoso.com/manager
https://graph.microsoft.com/beta/contoso.com/users/demo@contoso.com/memberOf

Messages

Get the email messages for the current user :

https://graph.microsoft.com/beta/me/messages

Get the last 5 message for the current user :

https://graph.microsoft.com/beta/me/messages?$top=5

Get the next 5 messages ordered by creation date :

https://graph.microsoft.com/beta/me/messages?$top=5&$skip=5&$orderby=DateTimeCreated

Calendar / Events

Get the events for the current user :

https://graph.microsoft.com/beta/me/events

Get the events for the current user between the start date and the end date:

https://graph.microsoft.com/beta/me/calendarview?startdatetime=2015-04-01t01:00:00z&enddatetime=2015-04-16t23:00:00z

SharePoint Files / OneDrive Files

Get OneDrive’s for Business files for the current user and get a specific file by using its ID :

https://graph.microsoft.com/beta/me/files
https://graph.microsoft.com/beta/me/files/<id>

Get OneDrive’s for Business files for a given user :

https://graph.microsoft.com/beta/demo@contoso.com/files

Groups

Get the groups (collaboration and not security/distribution) for your company :

https://graph.microsoft.com/beta/contoso.com/groups?$filter=groupType+eq+'Unified'

Get the members, the files, and the conversations for a group by using its ID :

https://graph.microsoft.com/beta/contoso.com/groups/<id>/members
https://graph.microsoft.com/beta/contoso.com/groups/<id>/files
https://graph.microsoft.com/beta/contoso.com/groups/<id>/conversations

Office Graph / Delve

Get the people with whom the current user work with :

https://graph.microsoft.com/beta/me/workingWith

Get the data (documents, email attachments…) which are trending around the current user :

https://graph.microsoft.com/beta/me/trendingAround

What’s coming next ?

In the examples presented in this article, we only saw how to get data but you are already able to perform CRUD operations as you can do it today with other dedicated endpoints.

It’s also good to note that Microsoft has updated its client libraries for .NET, iOS and Android to support the new unified API.

The Office 365 Unified API available today is just the first version (a preview version) and a lot of improvements will be available in the future. New data types will be added in the next few months.

Among some of the improvements already announced by Microsoft during the conference :

  • Tasks
  • Notes
  • Skype
  • Personal Contacts
  • Notifications
  • And much more…

Want to learn more and want to try it ?

The first thing to see if you want to discover the new API (this article was based on it) is the webcast of the session named “Supercharging Your Custom Solutions with the Office 365 Unified API Endpoint” which has been recorded during the Build conference. It’s available on Channel 9 : http://channel9.msdn.com/Events/Build/2015/3-641

If you want to learn more about the new Office 365 Unified API, you can also refer to the official documentation available at http://dev.office.com/unifiedAPIs.

Microsoft has also created/updated some websites if you want to try the new API directly from your web browser: