AADSTS90094: The grant requires admin permission (iOS can't access application)

  • Question

  • Hello,

    I'm currently getting this error when users try to log in to Office365 using an iPad.

    You cant access this application

    IOS accounts needs permission to access resources in your organization that only an admin can grant

    AADSTS90094: The grant requires admin permission


    If I configure it manually by typing the password in the app and not at the ADFS screen, it works, but the iPad gets that error after authenticating with ADFS.

    Does anyone understand what the problem could be? It's affecting every iOS we have at the moment.

    Thursday, October 26, 2017 1:38 PM

Answers

  • Hi,

    We had the same issue with one user in our company today.
    I'm not sure which of my steps did it, but now it is working.

    The first thing I changed was in Azure AD and is described at this Microsoft site:

    https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon-mso_o365b/cannot-sign-in-to-office-365-exchange-with-azure/5a804d1f-c0e6-4f61-89b1-682077f2ed38?auth=1

    The second thing I did was to click on manual configuration on the user's device and put "outlook.office365.com" in the server field.

    After that the sync started.

    br, Michael

    • Marked as answer by vintagevintage Thursday, November 16, 2017 11:31 PM
    Thursday, November 2, 2017 1:51 PM

All replies

  • This is not an ADFS issue. As the error message suggests, it blocks at the Azure AD level (AADSTS90094).

    It could be that the application you are using on your system is not capable of displaying the consent page, or that the admin did not allow the user to access the workload you are trying to access. You can have a look here to see how an admin can give consent: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, October 26, 2017 2:11 PM
    Owner
  • Did you manage to fix this?

    /Frederik Leed

    Tuesday, October 31, 2017 2:03 PM
  • Not yet. I am planning to enable modern auth for Office365. We turned this off a long time ago, and from my research it appears the browser on iOS 11 is using OAuth. Will get back to you as soon as I get the approval to enable it.
    Tuesday, October 31, 2017 2:07 PM
  • I'll have to follow this thread. I too have 1 user out of 200+ reporting this error when setting up his iPhone.

    Wednesday, November 1, 2017 5:06 PM
  • I'll have to follow this thread. I too have 1 user out of 200+ reporting this error when setting up his iPhone.

    I too. Out of 10000+ clients, only 1 has this problem. And they're an exec assistant, to top it off.
    Wednesday, November 1, 2017 9:01 PM
  • Following this post. 

    I just had a user who reported the same issue after changing their password - this appears to be the only post on the internet related to it. I've raised a Microsoft support ticket, so I will feed back anything of use that I get.

    Andrew

    Thursday, November 2, 2017 6:01 AM
  • I was given this by a Microsoft technician. It describes my issue, where our email address and UPN are on different addresses. The item is resolved by Microsoft and I can confirm the issue is resolved for me.

    Issue began October 19th



    Andrew

    • Proposed as answer by AJRussell Friday, November 3, 2017 4:37 AM
    Friday, November 3, 2017 4:37 AM
  • See here for an explanation of what iOS is doing:

    EDIT: to approve this app, you can log in as a global admin and paste in this constructed URL:

    https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&prompt=admin_consent

    The "iOS Accounts" Application ID is f8d98a96-0999-43f5-8af3-69971c7bb423. 

    ref: 

    e.g. 

    This will allow a global admin to approve the "iOS Accounts" app. After clicking accept, you'll be asked how you want to open the OAuth application, but you can ignore that. Apple doesn't offer a valid redirect URL off the iPhone, but you can confirm your success by visiting this site and looking for "iOS Accounts":

    • https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps


    https://login.microsoftonline.com/baselinetechnologies.onmicrosoft.com/oauth2/authorize?client_id=f8d98a96-0999-43f5-8af3-69971c7bb423&response_type=code&redirect_uri=com.apple.Preferences://oauth-redirect/&prompt=admin_consent


    BTW, I learned the redirect URI by doing this after approving the app in another tenant, but be aware, this isn't a valid URL off an iPhone, hence my comment about an invalid URL.


    Mike Crowley | MVP
    My Blog -- Baseline Technologies




    • Proposed as answer by Mike Crowley Thursday, May 31, 2018 9:24 PM
    • Edited by Mike Crowley Wednesday, August 22, 2018 12:02 AM
    Wednesday, November 29, 2017 8:03 PM
  • We had this issue. And it can be as simple as making sure the client is properly configured with "outlook.office365.com" as server.
    Friday, January 12, 2018 12:00 PM
  • Yep. This worked for me too. https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon-mso_o365b/cannot-sign-in-to-office-365-exchange-with-azure/5a804d1f-c0e6-4f61-89b1-682077f2ed38?auth=1
    Friday, January 26, 2018 10:41 AM
  • The above article should not be followed; it will be an open risk if we open it for all apps. Instead, allow it only for the iOS built-in app. Follow the article below:

    http://www.admin-enclave.com/en/articles-by-year/46-data-articles/website_articles/articles/office-365/410-resolved-ios-accounts-needs-permission-to-access-resources-in-your-organization-that-only-an-admin-can-grant.html
    Friday, February 9, 2018 9:34 PM
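
The admin-consent URL from Mike Crowley's reply, together with the last reply's point about consenting only to the iOS app rather than to all apps, as an added example (not code from any poster or from Microsoft). It builds the URL with the redirect URI properly encoded and checks a consent link against an expected tenant and an allow-list of application IDs before a global admin opens it; the function names and the tenant `contoso.onmicrosoft.com` are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Values quoted in the thread above.
IOS_ACCOUNTS_APP_ID = "f8d98a96-0999-43f5-8af3-69971c7bb423"
IOS_REDIRECT_URI = "com.apple.Preferences://oauth-redirect/"
LOGIN_HOST = "login.microsoftonline.com"


def build_admin_consent_url(tenant, app_id=IOS_ACCOUNTS_APP_ID,
                            redirect_uri=IOS_REDIRECT_URI):
    """Build the admin-consent URL in the form given in the thread."""
    query = urlencode({
        "client_id": app_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # percent-encoded by urlencode
        "prompt": "admin_consent",
    })
    return f"https://{LOGIN_HOST}/{tenant}/oauth2/authorize?{query}"


def check_consent_url(url, expected_tenant, allowed_app_ids):
    """Return a list of problems; an empty list means the link is as expected."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # .hostname ignores any userinfo placed before an '@' in the authority
    if (parts.hostname or "").lower() != LOGIN_HOST:
        problems.append("host is not " + LOGIN_HOST)
    segments = [s for s in parts.path.split("/") if s]
    if segments != [expected_tenant, "oauth2", "authorize"]:
        problems.append("unexpected tenant or endpoint path")
    params = parse_qs(parts.query)
    for name in ("client_id", "redirect_uri", "prompt"):
        if len(params.get(name, [])) != 1:
            problems.append(f"{name} missing or repeated")
    client_id = params.get("client_id", [""])[0].lower()
    if client_id not in {a.lower() for a in allowed_app_ids}:
        problems.append("client_id is not an approved application")
    if params.get("prompt", [""])[0] != "admin_consent":
        problems.append("prompt is not admin_consent")
    return problems


if __name__ == "__main__":
    tenant = "contoso.onmicrosoft.com"  # constructed sample tenant
    link = build_admin_consent_url(tenant)
    print(link, check_consent_url(link, tenant, [IOS_ACCOUNTS_APP_ID]))
```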