Azure AD application registration: "AADSTS90094: permission to obtain administrator permission" for a permission that has "REQUIRES ADMIN" set to "No"

I am setting up an application registration on the Azure AD portal to use with my sample ASP.NET Core 2 web application. First, I want basic authentication to work. I configured this application to allow only one permission, "Log in and read the user profile". Note that it does not require administrator permission:

AD Application Registration, Enable Access Click

However, when I launch my web application and try to authenticate with this client ID, I get the error message "AADSTS90094: administration permission":

You cannot access this application.

AspNetCoreAdAuth needs permission to access resources in your organization that only an administrator can provide. Please contact your administrator for permission to use this application before you can use it.

This is the URL that my application uses for authentication (with some confidential or irrelevant data redacted):

https://login.microsoftonline.com/<my_tenant_id>/oauth2/authorize?client_id=<my_client_id>&redirect_uri=<my_redirect_uri>&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=<gibberish>&state=<giberrish>&x-client-SKU=ID_NET&x-client-ver=2.1.4.0

Most solutions on SO and elsewhere suggest just using the Grant Permissions button to get through this error. However:

  • As a developer, I do not have administrator rights.
  • Asking the administrator to grant this permission to everyone seems like a sledgehammer approach.
  • I would like to understand why this is happening or what I am doing wrong, and what makes it work, not how it seems to work.


+4
1


User settings

+5
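
An added example, not part of the original question or answer: AADSTS90094 is Azure AD's "admin consent required" error, and it can be returned even for a permission that does not itself require an administrator when the tenant does not let users consent for themselves, the setting found under "User settings". The Python below lists what an authorize request like the one in the question asks for and checks a tenant authorization policy for self-service consent. Assumptions: the policy documents are constructed samples in the shape Microsoft Graph returns from GET /policies/authorizationPolicy, the URL values are placeholders, and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample: an authorize request shaped like the one in the question.
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/TENANT_ID/oauth2/authorize"
    "?client_id=CLIENT_ID&response_type=id_token&scope=openid%20profile"
    "&response_mode=form_post&nonce=N&state=S"
)

# Constructed samples: trimmed authorizationPolicy documents.
POLICY_CONSENT_OFF = json.loads(
    '{"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}'
)
POLICY_CONSENT_ON = json.loads(
    '{"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": '
    '["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}'
)


def requested_scopes(authorize_url):
    """Return the sorted, de-duplicated scopes named in an authorize request."""
    query = parse_qs(urlsplit(authorize_url).query)
    return sorted(set(" ".join(query.get("scope", [])).split()))


def user_consent_enabled(policy):
    """True if the tenant assigns users any self-service permission grant policy."""
    assigned = policy.get("defaultUserRolePermissions", {}).get(
        "permissionGrantPoliciesAssigned", []
    )
    return any(p.startswith("ManagePermissionGrantsForSelf.") for p in assigned)


def diagnose(authorize_url, policy):
    """Explain who has to approve the request under the given tenant policy."""
    scopes = " ".join(requested_scopes(authorize_url)) or "(no scope parameter)"
    if user_consent_enabled(policy):
        return "user consent possible, subject to the assigned policy: " + scopes
    # With no self-service grant policy, every permission needs an admin grant,
    # including ones the portal lists with REQUIRES ADMIN = No.
    return "admin approval required, user consent is disabled: " + scopes


if __name__ == "__main__":
    print(diagnose(AUTHORIZE_URL, POLICY_CONSENT_OFF))
    print(diagnose(AUTHORIZE_URL, POLICY_CONSENT_ON))
```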

Source: https://habr.com/ru/post/1691819/

