How can we improve Azure Active Directory?

Delegated permissions not working

I have registered an application at the application registration portal (apps.dev.microsoft.com) and configured it to use delegated permissions (specifically "Files.Read.All", "Sites.Read.All" and "User.Read") which are marked as "User can consent".
In one tenant (used for development) the app works exactly as expected, asking the user to consent on first access. However, in the client environment (I registered another app in their tenant, with the exact same configuration), the user is not asked to consent to the permissions; instead, a message is shown:
"{App name} needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."
How is this possible if the permissions being asked are exactly the same in both scenarios?

3 votes

Victor David Santos shared this idea

1 comment

  • Azure AD Team (Admin; Software Engineer, Microsoft Azure) commented

    Hi Victor,

    It sounds like there is a difference in the way the tenants are set up. In one, the toggle for "Users can consent to apps accessing company data on their behalf" is likely set to no, meaning that no end user can consent to any 3rd party app. To allow users to consent, this toggle should be set to yes.

    Hope that helps!
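
Added example, not part of the original thread and not Microsoft's code: in current Microsoft Graph the user-consent setting described in the reply above is exposed as `permissionGrantPoliciesAssigned` on the tenant authorization policy (`GET /v1.0/policies/authorizationPolicy`). The sketch classifies that field for two tenants so the difference between them can be checked; the JSON bodies are constructed samples, and the function names and the owned-resource policy id are hypothetical.

```python
import json

SELF_PREFIX = "ManagePermissionGrantsForSelf."

# Constructed samples shaped like GET /v1.0/policies/authorizationPolicy responses.
DEV_TENANT = json.loads("""{"defaultUserRolePermissions": {
  "permissionGrantPoliciesAssigned": [
    "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}""")
# The owned-resource id below is a made-up placeholder, not a real policy id.
CLIENT_TENANT = json.loads("""{"defaultUserRolePermissions": {
  "permissionGrantPoliciesAssigned": [
    "ManagePermissionGrantsForOwnedResource.example-placeholder"]}}""")


def user_consent_state(policy):
    """Classify end-user consent from a tenant authorization policy dict."""
    perms = policy.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssigned")
    if assigned is None:
        return "unknown"  # field not returned: do not guess
    # Only ...ForSelf.* entries govern what a user may consent to for themselves.
    self_ids = {p[len(SELF_PREFIX):] for p in assigned if p.startswith(SELF_PREFIX)}
    if not self_ids:
        return "disabled"
    if "microsoft-user-default-legacy" in self_ids:
        return "all-apps"
    if "microsoft-user-default-low" in self_ids:
        return "low-impact-only"
    return "custom"


def sign_in_outcome(policy):
    """Map the consent state to what a user sees for user-consentable scopes."""
    return {
        "disabled": "admin must grant (the 'only an admin can grant' message)",
        "all-apps": "user is shown the consent prompt",
        "low-impact-only": "prompt only if the app and scopes meet the low-impact policy conditions",
        "custom": "decided by the tenant's custom consent policy",
        "unknown": "policy not readable; check tenant user settings",
    }[user_consent_state(policy)]


if __name__ == "__main__":
    for name, tenant in (("dev", DEV_TENANT), ("client", CLIENT_TENANT)):
        print(f"{name}: {user_consent_state(tenant)} -> {sign_in_outcome(tenant)}")
```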
