Azure Active Directory (Azure AD)

Solving “AADSTS90097: An error has occurred during admin consent processing.” issues in your app

This post was most recently updated on March 25th, 2023.

4 min read.

This article explains how to fix “AADSTS90097: An error has occurred during admin consent processing.” (or like the error message is actually worded – “occurred”, which to me looks like a typo, but at least makes this easier to google. I mean – bing. Those are both verbs now until we all just start asking Tay our techy questions and get back definitely-not-hallucinated answers.

Ah. Anyway. We should also be able to fix “AADSTS900971 – No reply address provided.” in the process.

With some luck – it should be an easy fix! And with that, let’s get to it, then.

Problem

When you’re developing your app, and want to integrate with Azure Active Directory to provide you with the user identity, one of the steps you need to do is for the users to grant your app certain permissions in their directory. This is requested by crafting a particular URL that the user can then visit, and (depending on the permission, scopes your app requests and if the user has high enough permissions to grant them to you), can then consent to.

But when you present them with this URL, and they click it (or you open it in a new browser tab), you just get back an ugly error page, with the code AADSTS90097, and some nonsense about an error during admin consent processing.

What gives?

Reason

I suspect you can only get this error for a Multi-tenant Enterprise Application – but hell if I know, that’s just when I’ve run into this.

I’ve also seen a “sub-code” of AADSTS90097, namely “AADSTS900971 – No reply address provided.” The guide below should fix that, too – but in any case, that one is about redirectUri missing from your grant admin consent URL.

In any case, the issue is you haven’t given Microsoft (AAD) enough information to process an admin consent grant. We already know your scopes should be good (to my understanding, they’re processed before this error can be thrown), response_type and response_mode will not throw this error, the state is not actually even required and prompt=consent will throw another error if it’s required and missing.

So – let’s go through the steps to verify our admin consent-granting URL.

Time needed: 30 minutes

How to resolve “AADSTS90097: An error has occurred during admin consent processing.”?

  1. Verify your admin consent URL

    Your URL will need the tenant id you’re authenticating against,

    string tenantId = "tenant-id-as-a-guid";
    string clientId = "client-id-from-app-registration-aad";
    string redirectUri = $"{BaseUri}/callback/";
    var adminConsentUrl = $"https://login.microsoftonline.com/{tenantId}/oauth2/authorize?client_id={clientId}&response_type=code&redirect_uri={redirectUri}&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&state=12345&prompt=consent";


    This sample requests an authorization code (hence response_type=code), but you could also request the token directly (with response_type=token). Either should work for granting the consent (as far as the user granting has sufficient permissions), but they affect your next steps – do you need an access token (for authenticating and authorizing the user) or a code for further auth steps (like device code flow in Azure AD).

  2. Verify your reply-URLs are properly configured

    Make sure whatever redirect URI you need to use (this is dependent on your implementation), it is listed in the redirect URIs of your app registration in Azure AD. If you don’t actually control the whole flow, add at least the base URL (root) of your app, and use it as a redirectUri in the last step.

  3. Redirect the user to the admin consent URL

    This needs to happen in a new tab or something. AAD doesn’t support showing in an iframe (to show it in dialogue, for example), so we’d better figure out some other way :)

    In Blazor WebAssembly, you could do something like this:

    @inject IJSRuntime jsRuntime

    ...

    await jsRuntime.InvokeAsync<object>("open", adminConsentUrl, "blank");


    This uses the adminConsentUrl formed in step 1 to open a new tab in your browser, where the user can authenticate & grant consent.

  4. Handle redirect

    After successfully granting consent, the user will be redirected to the RedirectUri with a GET parameter “code”, and an Authorization code for your app (if the response type was “code”), or a GET parameter “token” and an Access Token for your user (if the response type was “token” and you want to authenticate the user).

    This is not actually required to get the consent granting to work – this step is essentially for your convenience.

… and that should be it. Now you should know how to get rid of AADSTS90097. Let me know how it goes!

References and appendices

An alternative way to create the URL

Here’s a PowerShell script to form the same admin consent -granting URL. Got it from Ingo Gegenwarth (at least I presume that’s his name).

# authority
https://login.microsoftonline.com/
# tenantid (could be also domain, typically contoso.onmicrosoft.com)
2e9dea3a-cce5-42cc-b083-0b70458298b8
# endpoint for authorization
/oauth2/v2.0/authorize?
# clientID
client_id=c07b78d3-2eb0-48c0-814f-bac5a8031f1
# response type (in this case code)
&response_type=code
# response mode (in this case query)
&response_mode=query
# scope URL encoded
&scope=https%3a%2f%2fgraph.microsoft.com%2femail+https%3a%2f%2fgraph.microsoft.com%2foffline_access+https%3a%2f%2fgraph.microsoft.com%2fopenid
# random state
&state=12345
# the important prompt: consent
&prompt=consent

Hope some of this is helpful to someone else, too – always fun to figure these errors out…

References

mm
0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
most voted
newest oldest
Inline Feedbacks
View all comments