When you develop your own applications which use the Office 365 REST API, it might happen that users are facing the following error message when they try to authenticate, when your application is supposed to ask the consent of the user to access his data.
The difficult thing to understand is why this message is displayed and why all users are not concerned ?
Declare the application’s rights in Azure AD
When you create an application, you have to declare which rights are needed to access data when you make calls to the REST API.
Those rights are declared in Azure AD through the web console (https://manage.windowsazure.com) as you can see below.
Which is not indicated in the web console is that some of those rights need that an administrator (at the tenant level) give a consent to allow your application to use them.
If the consent of an administrator was not given and a non-administrator user tries to use the application, he will receive the following error message : AADSTS90093 – Calling principal cannot consent due to lack of permissions.
What permissions require an administrator consent ?
If you would like a complete description of how permissions work on Office 365, you could refer to the official documentation on MSDN : https://msdn.microsoft.com/office/office365/HowTo/application-manifest
In short if you want to know what permissions require an administrator consent, it depends of which product and which features you want to use.
You can find below a quick summary (grouped by products) of all the permissions which require an administrator consent. All other permissions (not listed below) only require a user consent.
SharePoint
- Have full control of all site collections
- Run search queries as a user
- Read user profiles
- Read and write user profiles
- Read managed metadata
- Read and write managed metadata
Outlook
No permission requires an administrator consent
Azure Active Directory
- Read all users’ full profiles
- Read directory data (except if the application is registered in the same tenant as the user)
- Read and write directory data
- Access the directory as the signed-in user (only for web applications)
Yammer
No permission requires an administrator consent
What to do if I encounter the error message ?
If you are facing to the error message mentioned previously, the first thing to do is to check if your application uses one of the permission in the list above.
If it’s the case, make sure that you absolutely need it, otherwise remove the right from the declared permissions for your application in Azure AD and it should solve the problem.
For example, you can perform searches on SharePoint sites under the identity of the current user, even if you only have the “Read items in all site collection” permission. It’s not needed to add the “Run search queries as a user” permission.
If you need the permission, you have to ask a tenant administrator to consent your application. Until the administrator consent, all users which are not administrators of the Office 365 tenant won’t be able to log-in and use your application.