locked
Are Role-based permissions possible for multi-tenant applications?[re: "Access your organization's directory" delegated permission] RRS feed

  • Question

  • Hello,

    We're developing a multi-tenant application that requires access to the WAAD user's groups for role-based permissions. To that end, we have configured our Windows Azure AD app to be multi-tenant.

    I have found out that accessing users' groups through GraphConnection.GetMemberGroups requires the "Access your organization's directory" delegated permission.

    This seems to work fine for users in the WAAD application's directory tenant, however it doesn't seem possible to sign in with a user from another tenant directory and the sign in screen will show the following error message:

    AADSTS90093: Calling principal cannot consent due to lack of permissions.

    My question is therefore: is it possible to configure a multi-tenant WAAD app that has access to any user's groups? (provided the user gives consent, of course).

    Thank you,

    Raphael.


    Raphael Londner - www.riolinx.com

    Tuesday, November 18, 2014 1:31 AM

Answers

All replies

  • As a side note, the issue occurs with another tenant created in the Windows Azure Management Portal.

    It does work with a real Office365 tenant though (which isn't managed through the Azure account where both the app and the second tenant were created).


    Raphael Londner - www.riolinx.com

    Tuesday, November 18, 2014 1:44 AM
  • Hi Raphael,

    Apologies for addressing this issue so late.

    It appears to be an issue with user permissions. I assume that the user in question does not have rights to give consent to the permission that your client_id(app/website) requires.

    Refer this link - http://stackoverflow.com/questions/24707612/authentication-and-permissions-errors-in-o365-consent-flow

    You may try the solution proposed in this link -http://stackoverflow.com/questions/25619264/login-to-office-365-programmatically-with-different-tenant-in-windows-store-deve

    Hope this helps!

    If you need further assistance, please write back with details.

    Best Regards,

    Sadiqh Ahmed

    Friday, December 5, 2014 6:50 PM
  • I'm marking the above post as answer. Please write back or create a new forum post if you need further assistance.

    Regards,

    Sadiqh Ahmed

    Tuesday, December 9, 2014 3:14 PM
  • Hi Sadiqh,

    Thank you for your response. I haven't had the time to test out your suggestions or verify your assumptions, but will shortly do so and get back to you.

    Thanks in advance for your patience!

    Raphael.


    Raphael Londner

    Tuesday, December 9, 2014 7:30 PM
  • Hi Sadiqh,

    It looks like the error occurs as soon as my WAAD app requires the 'Read directory data' delegated permission (on top of the 'Enable sign-on and read users' profiles' delegated permission).

    What am I doing wrong here? I have checked that 'Users may give applications permission to access their data' is enabled for the WAAD tenant of the user who gets the error and I haven't found a way to explicitly enable that permission on all the users in the tenant.

    Is there something I am missing here?

    Thanks in advance for your feedback,

    Raphael.


    Raphael Londner - www.riolinx.com

    Thursday, December 11, 2014 9:45 AM
  • Hi Raphael,

    The "Read directory data" permission requires an admin to consent to it.  Please see http://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Graph for the set of permission scopes exposed by Graph API, and whethr they may be consented to by a user, or require an admin to consent.

    Hope this helps...


    Dan Kershaw [msft]

    Saturday, December 13, 2014 11:52 PM
  • Hi Dan,

    Apologies for the late response. I have now revisited the issue at stake and I confirm that if the user is a tenant administrator, then he can approve the app and complete the sign-in process. However, a "standard" user (in that same tenant) still can sign in after the tenant administrator approved the app, with the same error:

    AADSTS90093: Calling principal cannot consent due to lack of permissions.

    Does this mean that applications that require the "Read directory data" can only used tenant administrators? My understanding was that once a tenant admin had approved the app, other users part of the same tenant could subsequently use the app as well. Is this not the case?

    Thanks in advance for your help and I apologize again for the late feedback.

    Regards,

    Raphael.


    Raphael Londner - www.riolinx.com

    Thursday, January 22, 2015 1:09 AM