Question

howlesmw on Fri, 09 Dec 2016 05:44:12


I've got an Azure WebApp (a headless API) and Active Directory App (which was created when setting up the WebApp).

I'm able to access the user consent page, log in, and accept the consent form by logging in through:

https://login.microsoftonline.com/<tenant>/oauth2/authorize?client_id=<myADAppID>&response_type=code&resource=https://<mywebapi>.azurewebsites.net

However, afterwards, I'm redirected to my site with the following error message:

AADSTS90008: The user or administrator has not consented to use the application with ID "<myADAppID>". This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least "Sign in and read user profile" permission.
Trace ID: 4749c198-13b4-45c6-a4dc-eafb033bff36
Correlation ID: 795d77f5-bb4b-46a3-9411-c258fb338c52
Timestamp: 2016-12-09 04:49:21Z

I have specified those permissions in the ADApp through the AzurePortal, and confirmed in the ADApp Manifest, but I continue to get this error.

[can't submit screenshot]


Replies

Neelesh Ray on Fri, 09 Dec 2016 15:30:16


Hello,

Kindly drop us an email at AADForumSupport@microsoft.com for the same, mentioning the Thread URL.

Regards,
Neelesh

howlesmw on Wed, 21 Dec 2016 04:49:51


Solved myself.

  1. Deleted all Required Access permissions. Added back only the Windows AAD permission for "Sign in and read user profile"
  2. I also had to change the reply url to
    https://<mywebapi>.azurewebsites.net/.auth/login/aad/callback
  3. And in my Startup.cs, I commented out the line
    ConfigureAuth(app);
    in the Startup.Configuration method
  4. In my WebApp in the Azure Portal, I changed the Auth configuration from using the Express option to the Advanced option, added in my app id, client key, and then I had to look up the proper Issuer Url
  5. Issuer Url came from AAD > App Registrations > Endpoints. Copy Url for FEDERATION METADATA DOCUMENT, paste it in a browser. In the EntityDescriptor tag, there is a property called entityID. Copy that value into the Issuer Url of the WebApp's Auth config.

That fixed my access issues.