AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

https://management.azure.com/user_impersonation and admin consent #1564

Closed snapfisher closed 4 years ago

snapfisher commented 4 years ago


Library

Microsoft.Authentication.Webassembly.MSAL 3.2.0-preview5.20216.8

Framework

Blazor Wasm Preview 5

Description

Requesting consent for https://management.azure.com/user_impersonation brings up the dialog requiring admin consent. Yet the Azure portal specifically says that this delegated permission does not require admin consent. The blazor folks already looked through the code and said that they were just passing the argument through, and to "take it up with MSAL"

Security

Is this issue security related? NO

Regression

Did this behavior work before? UNKNOWN

Configuration

Please provide your MSAL configuration options.

    builder.Services.AddMsalAuthentication(options =>
    {
        builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
        options.ProviderOptions.DefaultAccessTokenScopes.Add("api://93d053a6-718a-4219-9674-cc5c5adfaac5/Profile.Read");
        options.ProviderOptions.AdditionalScopesToConsent.Add("https://management.azure.com/user_impersonation");
    });

Reproduction steps

  1. Set up Program.cs with the above configuration. This will cause the admin consent dialog to appear at runtime.

Expected behavior

According to the Azure Portal, I should get the user consent dialog, which does not require an admin.

Browsers

No. But I am testing with Edge Chromium
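The configuration above asks for consent to the Azure Resource Manager scope up front, at sign-in, for every user. An alternative that keeps the sign-in request to the app's own scope and only asks for `https://management.azure.com/user_impersonation` at the point where the app actually calls ARM is shown below. This is an added example, not code from the issue or from the Blazor/MSAL projects; it assumes the `IAccessTokenProvider` / `AccessTokenRequestOptions` / `TryGetToken` / `RedirectUrl` API of the 3.2-preview `Microsoft.AspNetCore.Components.WebAssembly.Authentication` package the reporter is using, and the component, service and tenant-specific values are constructed placeholders.

```csharp
// Program.cs: sign-in requests only the app's own API scope.
// (Added example; app ID below is the one quoted in the issue, the rest is constructed.)
builder.Services.AddMsalAuthentication(options =>
{
    builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
    options.ProviderOptions.DefaultAccessTokenScopes.Add(
        "api://93d053a6-718a-4219-9674-cc5c5adfaac5/Profile.Read");
    // Deliberately NOT adding the ARM scope to AdditionalScopesToConsent here:
    // the user is asked for it only when the app needs it (see ArmClient below).
});

// ArmClient.cs: requests the ARM scope incrementally and handles the case where
// the token cannot be issued silently (e.g. consent still required).
// Assumed API surface: IAccessTokenProvider.RequestAccessToken(AccessTokenRequestOptions),
// AccessTokenResult.TryGetToken(out AccessToken), AccessTokenResult.RedirectUrl.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;

public class ArmClient
{
    private const string ArmScope = "https://management.azure.com/user_impersonation";

    private readonly IAccessTokenProvider _tokenProvider;
    private readonly NavigationManager _navigation;
    private readonly HttpClient _http;

    public ArmClient(IAccessTokenProvider tokenProvider, NavigationManager navigation, HttpClient http)
    {
        _tokenProvider = tokenProvider;
        _navigation = navigation;
        _http = http;
    }

    // Returns the response body, or null if the caller was redirected to sign in / consent.
    public async Task<string?> ListSubscriptionsAsync()
    {
        var result = await _tokenProvider.RequestAccessToken(new AccessTokenRequestOptions
        {
            // Only the scope this call needs; nothing broader.
            Scopes = new[] { ArmScope }
        });

        if (!result.TryGetToken(out var token))
        {
            // Silent acquisition failed (no token cached, or consent not yet granted).
            // Send the user through the interactive flow for exactly this scope.
            // Whether that screen says "admin consent required" is decided by the
            // tenant's policy for this user, not by the library.
            _navigation.NavigateTo(result.RedirectUrl);
            return null;
        }

        // Attach the bearer token only to the request bound for the resource it was issued for.
        var request = new HttpRequestMessage(HttpMethod.Get,
            "https://management.azure.com/subscriptions?api-version=2020-01-01");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Value);

        var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

Requesting the resource scope at the point of use keeps the sign-in consent prompt limited to the app's own API and makes the consent decision visible to the user next to the feature that needs it. It does not change which prompt the directory shows; as the maintainer's replies note, that is decided per tenant and per user, so the redirect from `RedirectUrl` will still land on the admin-consent screen where tenant policy requires it.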

jasonnutter commented 4 years ago

@snapfisher Is this for users in the first-party Microsoft tenant? If so, and this is a first-party Microsoft application, it needs to be registered in the first-party portal (instead of the public portal), which will remove that restriction.

See: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1094#issuecomment-552551088

snapfisher commented 4 years ago

Ah...we make things so difficult on ourselves (for creating an internal demo). Should this be a bug in the portal, where if the tenant is configured in this manner, the portal then tells you that you would need admin approval? That's really the issue, in that our behavior is distinctly the opposite of the portal where I selected the delegated permission.

jasonnutter commented 4 years ago

@snapfisher Potentially, however, that would only work for single-tenant apps, since I believe this restriction is specifically enforced for users from the MSFT first-party tenant, as opposed to apps registered in the MSFT first-party tenant (i.e. a user from another tenant using your app would not hit this permissions wall, and MSFT users will always hit this permissions wall regardless of where the app is registered).

For the purposes of your demo, I think you should be able to use a user from another tenant (e.g. a tenant you create), or if your app is single-tenant, create a new app registration in a new tenant and use a non-MSFT account.

Closing, as no further action for the library.