spring boot - Admin consent still asked although already configured?

I am trying to use office365 through OAuth for authenticating and authorizing users in my organisation for a Spring Boot application. I am using the spring-boot-starter for active-directory, and have followed the tutorial by Microsoft at https://docs.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory

Summarized, the tutorial basically consists of a single class, defining a few endpoints:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.security.access.prepost.PreAuthorize;

@RestController
public class HelloController {

   @GetMapping("executive")
   @ResponseBody
   @PreAuthorize("hasRole('ROLE_executive')")
   public String executive() {
      return "Hello Executive!";
   }

   @GetMapping("employees")
   @ResponseBody
   @PreAuthorize("hasRole('ROLE_employees')")
   public String employees() {
      return "Hello Employee!";
   }
}

The groups executive and employees are two office365 groups with a number of members. In the application.config, I have listed both groups:

# Specifies the list of Active Directory groups to use for authorization:
azure.activedirectory.user-group.allowed-groups=employees, executive

In addition, I have granted admin consent in the azure ad portal for all apis used:

[screenshot: API permissions page in the Azure AD portal, admin consent granted for the listed APIs]

If I start my application and log in with an executive account (this is a user that can also access the Azure portal and grant admin consent, btw), everything works as expected. However, if I access the application with the account of a user who is only in the employee group (this user does not have access to the Azure portal, for example), I get the following:

[screenshot: sign-in prompt telling the employee user that admin consent is required]

Basically, Admin consent is required. But I don't see where I can do that? Under API permissions, all APIs have already been granted Admin consent?

What am I missing? Thanks

question from: https://stackoverflow.com/questions/65887325/admin-constent-still-asked-although-already-configured


1 Answer


Based on the discussion in the comments, it seems the issue was that the app is requesting the User.Read scope from MS Graph, which is missing from the list in the screenshot.

When you send the user to authenticate to the v2 endpoint with scopes, if any of them have not been consented to by an admin or the user, then consent is required for all of them.
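To make the rule in this answer concrete, here is an added example (not code from the question, the answer, or the Azure starter) that pulls the scope list out of a v2 authorize request and checks it against what the portal shows as admin-consented. The authorize URL, the tenant and client ids, and the consented set are constructed placeholders; the only page-specific detail is that User.Read is requested but missing from the granted list.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: an authorize request of the shape the starter sends to the v2 endpoint.
# TENANT_ID_PLACEHOLDER / CLIENT_ID_PLACEHOLDER are not values from the question.
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/authorize"
    "?client_id=CLIENT_ID_PLACEHOLDER&response_type=code"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fazure"
    "&scope=openid%20profile%20offline_access"
    "%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read"
    "%20https%3A%2F%2Fgraph.microsoft.com%2FDirectory.Read.All"
)

# Constructed: what "API permissions" shows with admin consent granted. As in the question,
# User.Read is absent, although everything else the app asks for is there.
ADMIN_CONSENTED = {"openid", "profile", "offline_access", "Directory.Read.All"}

# Assumption for this example: permissions that only an admin may ever consent to.
ADMIN_ONLY = {"Directory.Read.All"}


def requested_scopes(url):
    """Return the scope names in the authorize URL, with the resource prefix stripped."""
    query = parse_qs(urlparse(url).query)
    scopes = query.get("scope", [""])[0].split()
    return {s.rsplit("/", 1)[-1] for s in scopes}


def evaluate_consent(requested, admin_consented, user_is_admin=False, user_consent_allowed=False):
    """Decide what the v2 endpoint will do for this user.

    Returns (outcome, missing). One unconsented scope is enough to trigger a prompt
    covering the whole requested set, which is the behaviour the answer describes.
    """
    missing = sorted(s for s in requested if s not in admin_consented)
    if not missing:
        return "no_prompt", missing
    if user_is_admin:
        # An admin (the executive in the question) is prompted and can grant consent.
        return "prompt_admin_can_grant", missing
    if user_consent_allowed and not (set(missing) & ADMIN_ONLY):
        # Tenant allows user consent and nothing missing is admin-only.
        return "prompt_user_can_consent", missing
    # The employee's situation: prompted, but only an admin can resolve it.
    return "admin_consent_required", missing
```

Granting User.Read in the portal (adding it to the consented set) is what turns the employee's result into no prompt at all.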