Azure Active Directory登录：Web应用程序权限，未触发用户同意 [英] Azure Active Directory Login: Web App Permissions, User Consent not triggered

问题描述

我目前已经设置了一个AAD实例，并且正在通过我的Web应用对其进行身份验证，并且它的运行情况很好。

当我添加并配置了在AAD上的应用程序中，我添加了访问Office365 Calendar API所需的应用程序和委派权限。但是，唯一缺少的是，在登录流程期间，不会提示用户授予权限许可，因为这应该是我在您的文档中看到的：

您可以使用AAD PowerShell从租户中删除应用程序的服务主体。您可以在此处了解如何操作： https://msdn.microsoft .com / en-us / library / azure / dn194113.aspx

您可以让另一个租户的用户尝试登录到多租户应用程序。

您可以在非管理员帐户下创建应用程序。

我希望这会有所帮助！

Shawn Tabrizi

I have currently set up a AAD instance and I am authenticating my users against it via my web app, and it’s working great.

When I added and configured the application on AAD, I added the required Application and Delegated Permissions to access the Office365 Calendar API. However, the only thing that is missing is that during the login flow users aren’t being prompted to grant consent for the permissions, as it should happen from what I’ve read in your docs: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Consent

I’m not sure what I’m missing. Apparently, from the docs,

After the user has signed in, Azure AD will determine if the user needs to be shown a consent page. This determination is based on whether the user (or their organization’s administrator) has already granted the application consent. If consent has not already been granted, Azure AD will prompt the user for consent and will display the required permissions it needs to function. The set of permissions that is displayed in the consent dialog are the same as what was selected in the Permissions to other applications control in the Azure Management Portal.

So maybe somehow I have already probably implicitly granted admin consent for those permissions, but I don’t know how that happened.

I've attached the permissions I configured on the AAD App.

Any help would be appreciated.

解决方案

If an admin creates an application in their tenant using the AUX portal (manage.windowsazure.com), and requests permissions to other applications, then users in that same tenant are pre-consented for that application. Note this behavior is NOT true for our other App Registration Portals (portal.azure.com or identity.microsoft.com)

I believe this is why you are not seeing the consent dialogue when user's in your tenant are signing into your application. If you would like to push the consent dialogue experience, there are a few different things you can do:

1. You can use query strings to prompt "consent" or "admin_consent" during login. Check here: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
2. You can delete the service principal for your application from your tenant using AAD PowerShell. You can learn how to do that here: https://msdn.microsoft.com/en-us/library/azure/dn194113.aspx
3. You can have a user from another tenant try to login to your multi-tenant application.
4. You can create your application under a non-admin account.

I hope this helps!

Shawn Tabrizi

这篇关于Azure Active Directory登录：Web应用程序权限，未触发用户同意的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！