howlesmw on Fri, 09 Dec 2016 05:44:12

I've got an Azure WebApp (a headless API) and Active Directory App (which was created when setting up the WebApp).

I'm able to access the user consent page, log in, and accept the consent form by logging in through: <tenant>/oauth2/authorize?client_id=<myADAppID>&response_type=code&resource=https://<mywebapi>

However, afterwards, I'm redirected to my site with the following error message:

AADSTS90008: The user or administrator has not consented to use the application with ID "<myADAppID>". This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least "Sign in and read user profile" permission.
Trace ID: 4749c198-13b4-45c6-a4dc-eafb033bff36
Correlation ID: 795d77f5-bb4b-46a3-9411-c258fb338c52
Timestamp: 2016-12-09 04:49:21Z

I have specified those permissions in the ADApp through the AzurePortal, and confirmed in the ADApp Manifest, but I continue to get this error.

[can't submit screenshot]


Neelesh Ray -MSFT on Fri, 09 Dec 2016 15:30:16


Kindly drop us an email: for the same, mentioning the thread URL.


howlesmw on Wed, 21 Dec 2016 04:49:51

Solved myself.

  1. Deleted all Required Access permissions. Added back only the Windows AAD permission for "Sign in and read user profile"
  2. I also had to change the reply url to
  3. In my Startup.cs, I commented out the line
    in the Startup.Configuration method
  4. In my WebApp in the Azure Portal, I changed the Auth configuration from using the Express option to the Advanced option, added in my app id, client key, and then I had to look up the proper Issuer Url
  5. Issuer Url came from AAD > App Registrations > Endpoints. Copy Url for FEDERATION METADATA DOCUMENT, paste it in a browser. In the EntityDescriptor tag, there is a property called entityID. Copy that value into the Issuer Url of the WebApp's Auth config.

That fixed my access issues.
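Step 5 of the fix above is the one people most often get wrong by hand: the Issuer Url in the WebApp's Auth config must be exactly the entityID attribute of the EntityDescriptor root of the FEDERATION METADATA DOCUMENT, trailing slash included. The following is an added example, not code from the thread or from Microsoft: it parses a constructed sample of that document (an all-zero tenant GUID stands in for a real one) and pulls out the issuer, then sanity-checks its shape. The regex for the issuer shape and the exact-string comparison in token_issuer_matches are assumptions of this example; fetch_metadata is the only piece that touches the network and is not exercised offline.

```python
"""Extract the Azure AD issuer (entityID) from a federation metadata document.

Added example for this thread, not the original poster's code. Runs offline against
SAMPLE_METADATA; to use it on a real tenant, pass the URL shown under
App Registrations > Endpoints > FEDERATION METADATA DOCUMENT to fetch_metadata().
"""
import re
import urllib.request
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of the real document's shape. The tenant ID is all zeros
# (assumption: the thread does not show the real tenant), everything else is
# trimmed to the elements that matter for finding the issuer.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_sample" entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""

# Assumed shape of a v1 AAD issuer: https://sts.windows.net/<tenant-guid>/
# The trailing slash is part of the value and must be copied into the Auth config.
ISSUER_RE = re.compile(
    r"^https://sts\.windows\.net/[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}/$"
)


def fetch_metadata(url: str) -> bytes:
    """Download the federation metadata document (HTTPS URL from the portal)."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def issuer_from_metadata(xml_bytes: bytes) -> str:
    """Return the entityID of the EntityDescriptor root, or raise ValueError.

    The document comes from Microsoft over HTTPS; if you ever feed this function
    XML from a less trusted source, parse it with defusedxml instead of ET.
    """
    root = ET.fromstring(xml_bytes)
    expected = "{%s}EntityDescriptor" % SAML_MD_NS
    if root.tag != expected:
        raise ValueError("unexpected root %r; not a federation metadata document" % root.tag)
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("EntityDescriptor carries no entityID attribute")
    return issuer


def looks_like_aad_issuer(issuer: str) -> bool:
    """Cheap check that the value has the expected sts.windows.net/<guid>/ shape."""
    return ISSUER_RE.fullmatch(issuer) is not None


def token_issuer_matches(claim_iss: str, configured_issuer: str) -> bool:
    """Compare a token's iss claim to the configured Issuer Url.

    Exact comparison by design (assumption of this example): a value that differs
    only by the trailing slash is treated as a mismatch rather than quietly accepted.
    """
    return claim_iss == configured_issuer


if __name__ == "__main__":
    iss = issuer_from_metadata(SAMPLE_METADATA)
    print("Issuer Url for the WebApp Auth config:", iss)
    print("shape ok:", looks_like_aad_issuer(iss))
```

To run it against a real tenant, replace SAMPLE_METADATA with the bytes returned by fetch_metadata(<FEDERATION METADATA DOCUMENT URL>) and paste the printed value, unchanged, into the Issuer Url field.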