Hello, I've faced ODB (OneDrive for Business) authorization issues with my .NET application, which is using the OD (OneDrive) REST API.
I am using the OAuth authorization workflow and made the app authorize according to this OD developers portal documentation page. The only difference is that I provide no client secret, as native client AAD (Azure AD) apps don't support secrets (and BTW I think it's not described anywhere on that dev portal - I found this method by myself).
Before I found it I was using an AAD web application, but currently it's about a native client application.
The problem is that I cannot authorize my app for an external tenant directory, while for my directory (where the app has been added) I can authorize it for any user. When I try to authorize non global admin users I always get a wrong request error with the following description:
AADSTS90093: Calling principal cannot consent due to lack of permissions.
I played with various roles for simple users and it even feels that a user initially created with a non global admin role won't be authenticated even with the global admin role set (I checked it both on the Azure directory users management page and on the Office 365 admin app active users page).
So the first question is: what should I do as an Office 365 or AAD admin to let my users authorize some external app? Or maybe it is about my app's delegated permissions?
Here are my current permissions delegated for 2 applications:
"Office 365 SharePoint Online" application:
- Read and write user files
"Windows Azure Active Directory" application:
- Read directory data
- Access your organization's directory
Currently it just makes usage of our ODB app impossible for external users who are not on my original tenant (for testing purposes I used trial Azure and Office 365 Mid Business accounts).
Regards, Vadim.
P.S.
I previously asked this question and was redirected here from the two following MS support forums:
https://social.msdn.microsoft.com/Forums/azure/en-US/13dfe236-b2e8-4661-9b2f-cad92c7f4e51/onedrive-for-business-and-azure-ad-mulittenant-application-authorization?forum=WindowsAzureAD#15555415-daee-4ad7-9f2e-a6461634ae0c
https://community.office365.com/en-us/f/172/t/404286