Receiving an AADSTS90008 error, despite having correct application permissions

    Question

  • I've got an Azure WebApp (a headless API) and Active Directory App (which was created when setting up the WebApp).

    I'm able to access the user consent page, log in, and Accept the consent form by logging in through:

    https://login.microsoftonline.com/<tenant>/oauth2/authorize?client_id=<myADAppID>&response_type=code&resource=https://<mywebapi>.azurewebsites.net

    However, afterwards, I'm redirected to my site with the following error message:

    AADSTS90008: The user or administrator has not consented to use the application with ID "<myADAppID>". This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least "Sign in and read user profile" permission.
    Trace ID: 4749c198-13b4-45c6-a4dc-eafb033bff36
    Correlation ID: 795d77f5-bb4b-46a3-9411-c258fb338c52
    Timestamp: 2016-12-09 04:49:21Z

    I have specified those permissions in the ADApp through the AzurePortal, and confirmed in the ADApp Manifest, but I continue to get this error.

    [can't submit screenshot]

    • Edited by howlesmw Friday, December 9, 2016 5:46 AM
    Friday, December 9, 2016 5:44 AM

Answers

  • Solved myself.

    1. Deleted all Required Access permissions. Added back only the Windows AAD permission for "Sign in and read user profile"
    2. I also had to change the reply url to
      https://<mywebapi>.azurewebsites.net/.auth/login/aad/callback
    3. And in my Startup.cs, I commented out the line
      ConfigureAuth(app);
      in the Startup.Configuration method
    4. In my WebApp in the Azure Portal, I changed the Auth configuration from using the Express option to the Advanced option, added in my app id, client key, and then I had to look up the proper Issuer Url
    5. Issuer Url came from AAD > App Registrations > Endpoints. Copy Url for FEDERATION METADATA DOCUMENT, paste it in a browser. In the EntityDescriptor tag, there is a property called entityID. Copy that value into the Issuer Url of the WebApp's Auth config.

    That fixed my access issues.

    • Marked as answer by howlesmw Wednesday, December 21, 2016 4:49 AM
    Wednesday, December 21, 2016 4:49 AM
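Steps 2 and 5 of the accepted answer can be checked mechanically: the Issuer URL is the entityID attribute on the root EntityDescriptor of the federation metadata document, and the reply URL must be exactly the App Service Easy Auth callback for the site. The script below is an added example, not code from the thread; it parses a constructed, trimmed federation metadata document with a placeholder tenant id (the real one is fetched from the URL on the Endpoints blade) and compares a registered reply URL against the expected callback.

```python
"""Extract the Issuer URL (entityID) from an Azure AD federation metadata
document, as step 5 of the answer describes, and derive the App Service
Easy Auth reply URL from step 2.

Added example; not part of the original thread. The XML below is a
constructed, trimmed federation metadata document with a placeholder
tenant id; the real document is fetched from the Endpoints blade URL.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: only the parts relevant here, placeholder tenant id.
SAMPLE_FEDERATION_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  ID="_placeholder"
                  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" />
</EntityDescriptor>
"""


def issuer_url_from_metadata(xml_text: str) -> str:
    """Return the entityID attribute of the root EntityDescriptor element.

    Raises ValueError if the document is not a SAML metadata EntityDescriptor
    or carries no entityID, so pasting the wrong page fails loudly instead
    of yielding an empty Issuer URL.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag!r}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id


def easy_auth_reply_url(site_host: str) -> str:
    """Reply URL that App Service Authentication (Easy Auth) expects for the
    AAD provider, matching step 2 of the answer."""
    return f"https://{site_host}/.auth/login/aad/callback"


def reply_url_matches(registered_reply_url: str, site_host: str) -> bool:
    """True when the registered reply URL is exactly the Easy Auth callback
    for the given host: https scheme, same host (case-insensitive), same
    path, and no query string or fragment."""
    expected = urlparse(easy_auth_reply_url(site_host))
    actual = urlparse(registered_reply_url)
    return (actual.scheme == "https"
            and actual.netloc.lower() == expected.netloc.lower()
            and actual.path == expected.path
            and not actual.query
            and not actual.fragment)


if __name__ == "__main__":
    print("Issuer URL:", issuer_url_from_metadata(SAMPLE_FEDERATION_METADATA))
    print("Reply URL: ", easy_auth_reply_url("mywebapi.azurewebsites.net"))
    print("Registered reply URL ok:",
          reply_url_matches("https://mywebapi.azurewebsites.net/.auth/login/aad/callback",
                            "mywebapi.azurewebsites.net"))
```

The root-element and attribute checks matter because the Endpoints blade lists several URLs; only the federation metadata document carries the entityID, and an Issuer URL copied from any other endpoint will not match the `iss` claim in the tokens Easy Auth validates.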

All replies

  • Hello,

    Kindly drop us an email:  AADForumSupport@microsoft.com for the same mentioning the Thread URL.

    Regards,
    Neelesh

    Friday, December 9, 2016 3:30 PM
    Moderator