[Question] Microsoft OpenID Admin Consent

I am working on setting up an OpenID provider. I was having some issues before, so I deleted the provider and re-created it with the 1/18 build.

When testing the login I am getting a message from Microsoft that the App needs admin consent… what is Ignition attempting to request here? In an earlier build this did not come up.

Need admin approval

Ignition needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
Message: AADSTS900941: An administrator has set a policy that prevents you from granting Ignition the permissions it is requesting. Contact an administrator who can grant permissions to this application on your behalf.

Hi @ryanjmclaughlin -

Ignition requests the openid scope in addition to any scopes you specify in your IdP config. Like the message says - you may need to adjust your policies on your IdP.

You are using Azure AD, right? You may need to click the button below:

I found this API permissions best practices document for Azure AD which may help: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-permissions-and-consent

Thanks, was able to get one of our admins to enable that.

1 Like
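
One way to answer "what is being requested here" is to read the scope parameter of the authorization request the browser is redirected to at login. The following is an added example, not part of the original thread and not Ignition's code; the sample URL, tenant, client ID, redirect URI and the extra User.Read scope are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Scope values defined by OpenID Connect Core. Anything else in the request
# is a permission specific to the identity provider or one of its APIs.
OIDC_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}

# Constructed sample (assumption): every value below is a placeholder.
SAMPLE_URL = (
    "https://login.microsoftonline.com/example-tenant/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fgateway.example%2Fcallback"
    "&scope=openid%20profile%20User.Read%20openid"
    "&state=abc123"
)


def requested_scopes(authorize_url):
    """Return the scopes in the request, de-duplicated, in request order."""
    query = parse_qs(urlsplit(authorize_url).query)
    raw = " ".join(query.get("scope", []))
    seen, ordered = set(), []
    for scope in raw.split():  # scope values are space-delimited and case-sensitive
        if scope not in seen:
            seen.add(scope)
            ordered.append(scope)
    return ordered


def review(authorize_url):
    """Split requested scopes into standard OIDC scopes and everything else."""
    scopes = requested_scopes(authorize_url)
    return {
        "is_oidc_request": "openid" in scopes,
        "oidc_scopes": [s for s in scopes if s in OIDC_SCOPES],
        "other_scopes": [s for s in scopes if s not in OIDC_SCOPES],
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

The resulting list can be handed to the tenant administrator so they can see exactly which permissions the consent covers.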