AADSTS50020: Calling principal cannot consent

  • Question

  • Hi,

    I have a problem using the Office 365 API to authenticate users.
    When a normal user (not an admin) tries to log in, it shows this error:


    Sorry, but we’re having trouble signing you in.
    We received a bad request.

    Additional technical information:
    Correlation ID: 394eb8eb-4b16-4a9b-b3ea-054467c87e58
    Timestamp: 2014-10-03 07:11:41Z
    AADSTS50020: Calling principal cannot consent due to lack of permissions.

    I did some research online and found this article, but it can't solve my problem.

    http://blogs.msdn.com/b/exchangedev/archive/2014/06/05/managing-user-consent-for-applications-using-office-365-apis.aspx

    I checked it and found that it allows User Consent.

    Do you have another solution for this issue?




    • Edited by lawrencewong Friday, October 3, 2014 8:02 AM
    • Moved by George Hua Monday, October 6, 2014 2:52 AM Moved from apps for Office forum
    Friday, October 3, 2014 7:41 AM

All replies

  • Hi,

    Thanks for your information.

    This forum is used to discuss questions about apps for Office.

    From your description, I have moved this thread to the Exchange Server Development forum since the issue is more related to Exchange.

    Thanks for your understanding.

    Regards,

    George.



    Monday, October 6, 2014 2:52 AM
  • Hi,

    Can anyone help to solve this issue?
    Wednesday, October 8, 2014 6:39 AM
  • Having same problem. Can anyone help?

    Regards

    Wednesday, February 11, 2015 7:18 PM
  • There's a couple of possibilities here. One is that the organization admin for the user that's signing in has disabled the ability for users to consent to apps. The organization admin can check this via PowerShell:

    Get-MsolCompanyInformation | fl DisplayName,UsersPermissionToUserConsentToAppEnabled

    If the value for UsersPermissionToUserConsentToAppEnabled is false, then that's the problem. If it's true, then the other thing to check is that your app is not requesting admin consent. This is done by including "prompt=admin_consent" in your authorize URL.

    If the admin has not disabled user consent, and you are not requesting admin consent in your authorize URL, please post your error text (with timestamp and correlation ID) and I'll ask the Azure guys to look at it.

    Thursday, February 12, 2015 2:54 PM
    Moderator
  • Hi Jason, I think you mean this setting? (it was already enabled)

    What's strange is that with the same user (who is not an admin) I was able to authenticate for "OneDrive for Business" use on the Windows Phone OneDrive app without issues (I want this same thing for my app).

    This is the error I get (even using admin_consent):

    Correlation ID: 5eacb825-ac58-45db-84bd-76ab1e135d21 
    Timestamp: 2015-02-12 16:55:29Z 
    AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators. 


    Regards


    • Edited by Jandieg Thursday, February 12, 2015 5:00 PM typo
    Thursday, February 12, 2015 4:59 PM
  • If you use admin_consent, only admins can log in. So you don't want to use that flag if your intent is to let normal users consent for their own data.

    What permissions have you configured in your app registration?

    • Proposed as answer by Jandieg Friday, February 13, 2015 6:39 AM
    Thursday, February 12, 2015 6:38 PM
    Moderator
    I had Application Permissions="Read directory data", but after unchecking it, it now works.

    Thank you!


    Regards

    Friday, February 13, 2015 6:38 AM
  • Yep. That Azure permission requires an administrator.
    Friday, February 13, 2015 2:34 PM
    Moderator
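
The thread names three causes for a non-admin consent failure: user consent disabled for the tenant, prompt=admin_consent in the authorize URL, and an admin-only permission on the app registration. The Python below is an added example, not code from any poster, that checks all three for one sign-in; the function name, the sample URL with its placeholder client_id and redirect URI, and the permission set (which holds only the one permission the thread confirms) are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Permissions that need an administrator. The thread confirms only this one;
# extend the set for your own app registration (assumption).
ADMIN_ONLY_PERMISSIONS = {"Read directory data"}

# Constructed sample URL: client_id and redirect_uri are placeholders.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?response_type=code&client_id=00000000-0000-0000-0000-000000000000"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback&prompt=admin_consent"
)


def diagnose_consent_failure(authorize_url, user_consent_enabled,
                             app_permissions, user_is_admin=False):
    """List the causes named in the thread that apply to this sign-in.

    user_consent_enabled is UsersPermissionToUserConsentToAppEnabled as
    reported by Get-MsolCompanyInformation; app_permissions are the
    permission names ticked on the app registration.
    """
    if user_is_admin:
        return []  # none of the three causes blocks an administrator
    findings = []
    if not user_consent_enabled:
        findings.append("tenant: user consent is disabled")
    # parse_qs keeps every occurrence of a repeated parameter, so a second
    # prompt= appended by a library or redirect helper is not missed.
    query = parse_qs(urlsplit(authorize_url).query)
    prompts = [p.strip().lower() for p in query.get("prompt", [])]
    if "admin_consent" in prompts:
        findings.append("url: prompt=admin_consent limits sign-in to admins")
    for perm in sorted(set(app_permissions) & ADMIN_ONLY_PERMISSIONS):
        findings.append(f"registration: '{perm}' requires an administrator")
    return findings


if __name__ == "__main__":
    for line in diagnose_consent_failure(SAMPLE_URL, True,
                                         ["Read directory data"]):
        print(line)
```

An empty list means none of the causes discussed in the thread applies, which is the point at which the moderator asks for the error text, timestamp and correlation ID.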