
Receiving AADSTS90094: The grant requires admin permission.

Introduction

This post provides guidance for resolving the error: AADSTS90094: The grant requires admin permission.

Typically this error is received when trying to get access for an AAD Application registration. Please note that there are two different Microsoft application portals:

https://portal.azure.com (v1 application portal) and https://myapps.microsoft.com (v2 application portal).

For details on the different application models, please visit the following link:
What's different about the v2.0 endpoint?

These different application models require different processes in order to resolve the AADSTS90094 error.

V1 Application Resolution

If you are using an AAD Application Registration under the URL portal.azure.com, then all that needs to be done is to click the "Grant Permissions" button.

NOTE: All application permissions require a tenant administrator to complete the consent process by clicking the "Grant Permissions" button.

To apply the permission scopes to the application, use the "Grant Permissions" button. If any of the permission scopes checked in the Enable Access blade have Yes in the "REQUIRES ADMIN" column, then a user with administrative permissions on the tenant will need to complete the consent process by clicking the "Grant Permissions" button.

This is also described in the article: https://docs.microsoft.com/en-us/azure/active-directory/application-dev-registration-config-grant-permissions-how-to

The link describes a second way to grant permissions.

V1 Application User Consent Disabled

Sometimes the tenant doesn’t allow users to consent for an application to access data on their behalf. This switch is shown in the picture below:

If the admin disables user consent, so that users cannot allow third-party multi-tenant applications to access their user profile data in the directory, an admin must consent to these applications before users may use them.

In this scenario, your app can ask users to provide the email address of the admin of their tenant and send the admin-consent link to that admin.

In order to resolve the issue, you will have to get a global admin to generate the URL as described in the link to admin consent above:

You can construct a request to login.microsoftonline.com with your app configs and append &prompt=admin_consent. After an admin signs in with admin credentials, the app is granted consent for all users in the tenant.

So it would look like the below URL (replace with your app configs):

https://login.microsoftonline.com//oauth2/authorize?client_id=&response_type=code&redirect_uri=&nonce=1234&resource=&prompt=admin_consent

V2 Application Resolution

If you are using the https://myapps.microsoft.com portal, then you will need to utilize the adminconsent endpoint in order to properly grant admin consent for the v2 application model. This is described in the Microsoft Documentation at the following link:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-the-admin-consent-endpoint

Conclusion

We have now described some scenarios where the AADSTS90094 error could occur. If none of these solutions resolves your issue, please file a support ticket and one of our support engineers will reach out to you to help resolve it. Please have the following information in your support request:

  1. Fiddler trace if you can obtain one.
  2. Correlation ID or Request ID along with its associated timestamp. With most AADSTS* type errors, the correlation ID and timestamp are provided in the error body text.
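As an added example (not code from the original post), the two admin-consent URLs described above built from an app's configuration, one for the v1 authorize endpoint with prompt=admin_consent and one for the v2 adminconsent endpoint, plus a helper that pulls the AADSTS code, Correlation ID and Timestamp out of an error body for the support request. The tenant, client ID, redirect URI and error text are constructed placeholders.

```python
import re
from urllib.parse import urlencode, urlsplit

# Constructed placeholder values; replace with your own app registration's settings.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost/callback"
RESOURCE = "https://graph.microsoft.com"

def _check_redirect(redirect_uri):
    # Only hand an admin a consent link that returns to an https redirect URI
    # registered on the app; a plain-http return address should never be sent out.
    if urlsplit(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must use https")

def build_v1_admin_consent_url(tenant, client_id, redirect_uri, resource, state, nonce):
    """v1 model: the normal /oauth2/authorize request with prompt=admin_consent appended."""
    _check_redirect(redirect_uri)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "nonce": nonce,
        "resource": resource,
        "prompt": "admin_consent",
        "state": state,  # ties the admin's return trip to this request (checked on callback)
    })
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?{query}"

def build_v2_admin_consent_url(tenant, client_id, redirect_uri, state):
    """v2 model: the dedicated /adminconsent endpoint; no prompt parameter is used."""
    _check_redirect(redirect_uri)
    query = urlencode({"client_id": client_id, "state": state, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"

def parse_aadsts_error(body):
    """Extract the AADSTS code, Correlation ID and Timestamp from an error body so they
    can go straight into a support request. Returns None when no AADSTS code is present."""
    code = re.search(r"\b(AADSTS\d+)\b", body)
    if not code:
        return None
    corr = re.search(r"Correlation ID:\s*([0-9a-fA-F-]{36})", body)
    ts = re.search(r"Timestamp:\s*([^\r\n]+)", body)
    return {"code": code.group(1),
            "correlation_id": corr.group(1) if corr else None,
            "timestamp": ts.group(1).strip() if ts else None}

# Constructed sample in the shape of an AAD error body (all IDs are placeholders).
SAMPLE_ERROR = ("AADSTS90094: The grant requires admin permission.\r\n"
                "Trace ID: 11111111-2222-3333-4444-555555555555\r\n"
                "Correlation ID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\r\n"
                "Timestamp: 2018-01-01 12:00:00Z")
```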
