Problem with setting permissions #2

Closed
htryggva opened this issue Feb 13, 2017 · 9 comments

Comments

@htryggva

Hi

I'm trying to implement the admin consent flow for this sample. The flow itself works fine but I'm unable to set the openid, email, profile, and offline_access scopes in the v2 registration portal at apps.dev.microsoft.com because they are not in the Delegated Permissions list.

How can I set these scopes for a v2 app?

Thanks :)

@gsacavdm

You don't need to specify those in your app registration.
From https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes:

The v2.0 implementation of OpenID Connect has a few well-defined scopes that do not apply to a specific resource: openid, email, profile, and offline_access

@htryggva (Author)

Thanks but this unfortunately does not answer my question.

I can request these scopes without any problems using the /tokens endpoint but my question is related to the admin consent. How can an admin consent to these scopes for all users of his organization so that not every user is presented with a consent screen?

This scenario was possible under the v1 endpoint BTW.

@MichielK

@gsacavdm We seem to run into the same problem as htryggva:

  • we have registered an app in the v2 app portal with delegated permission 'User.Read' (among others)
  • the tenant admin has given admin consent for our app (thus, for scope 'User.Read')

Now, when another user signs in, we request 2 scopes: 'openid' & 'User.Read'. This user is presented a (user-)consent screen. This is not what we expected (we expected no user-consent-screen because of admin-consent).

The admin-consent page said the following:

[our app] needs permission to:
- Read files in all site collections (preview)
- Read user calendars
- Read calendars in all mailboxes
- Read all users' full profiles
- Read all users' basic profiles
- Read all users' full profiles
- Read all files that user can access
- Sign in and read user profile

The user-consent page says the following:

[our app] needs permission to:
- Sign in as you
- Sign you in and read your profile

The "Sign in as you" permission on the user-consent page is not present on the admin-consent page (related to the openid scope?).
In the readme.md of this project, it says:
Under Delegated Permissions, add the following permissions: [...], openid, [...].
But that is not available on the app-registration page (any more?)

Can you help htryggva and me with this issue? (or maybe tell us who can help us with this issue?)
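The two-step flow MichielK describes (tenant admin consents once, then individual users sign in requesting openid and User.Read), as an added example that is not code from this repository: it builds the v2 adminconsent URL and the user authorize URL, and validates the adminconsent callback, including the state check that ties the callback to the request that started it. Tenant, client id and redirect URI are placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs, quote

AUTHORITY = "https://login.microsoftonline.com"


def admin_consent_url(tenant, client_id, redirect_uri, state):
    """v2 admin consent request; no scope parameter is sent, the portal's
    delegated permissions are what the admin is asked to approve."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params, quote_via=quote)}"


def authorize_url(tenant, client_id, redirect_uri, state,
                  scopes=("openid", "User.Read")):
    """Per-user sign-in request; openid is requested dynamically, not
    registered in the portal. Scopes are space-separated in one parameter."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params, quote_via=quote)}"


def check_admin_consent_callback(callback_url, expected_state):
    """Parse the redirect back from /adminconsent. The state must match the
    value we generated, otherwise the callback is rejected as forged or stale."""
    q = parse_qs(urlparse(callback_url).query)
    first = lambda k: q.get(k, [None])[0]
    if first("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to our request")
    if first("error"):
        return {"granted": False, "error": first("error"),
                "description": first("error_description") or ""}
    # Success redirect carries admin_consent=True and the consenting tenant id
    return {"granted": (first("admin_consent") or "").lower() == "true",
            "tenant": first("tenant")}


if __name__ == "__main__":
    # Placeholder values, not a real registration
    print(admin_consent_url("common", "CLIENT_ID", "https://app.example/cb", "s1"))
    print(authorize_url("common", "CLIENT_ID", "https://app.example/cb", "s2"))
```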

@MichielK

MichielK commented Mar 1, 2017

To answer my own question:
We contacted Microsoft and got this reply:
[...] It seems like this is a missing item in the registration portal at present. While we work on fixing that, you can [...]
So there will be a fix in the future.

@gsacavdm gsacavdm reopened this Mar 10, 2017
@gsacavdm

I looked into this. I'll need more time to confirm the behavior, but the intended behavior is that you do not need to specify those permissions for admin consent - in particular openid (sign-in). They should be granted by default when you do admin permissions. This is specifically to @MichielK's point of users getting prompted for consent after admin consent has occurred. If I can confirm a repro on that, we'll file a bug.

@Zenuka

Zenuka commented May 2, 2017

I'm having the same issues; admin consent is given but all users are still asked for consent.
Any updates on this issue?

@Zenuka

Zenuka commented May 3, 2017

I just tried it again and everything seems to be working on my end. Maybe Microsoft fixed the issue? :-)

@andrew-melnyk

Any news about this issue?
@MichielK so what was the advice from Microsoft?

@jmprieur (Contributor)

This has been fixed in the portal now. Closing the issue.
