Workspace Admin Consent / Access Denied #4395
Comments
Hi @eyalanmegaw, admin consent will need granting by someone with the right permissions in AD. See https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal It is called out here: https://microsoft.github.io/AzureTRE/tre-admins/auth/#app-registrations Albeit trying to recall why the workspace application needs it. Will have a think.
@eyalanmegaw I expect the settings here: https://portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings as described here: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal#configure-user-consent-settings Do not allow users to consent themselves?
Hi Marcus, Thanks for reverting. Which (TRE) enterprise application do we need to grant org access to as per the grab below? Is it the workspace enterprise app or one of the 4 TRE enterprise apps created during the make auth? FYI this link doesn't appear to be valid - https://microsoft.github.io/AzureTRE/tre-admins/auth/#app-registrations As regards 'user consent' this is currently set as per below: Thanks again,
Ok, the setting in the bottom screenshot is what is different. The bottom one is what we typically see. Do you know if that's something that has been specifically configured in your directory or a new default? It's each workspace application registration that needs consent, so having to do each one manually isn't great. I am actually wondering if the workspace application registration needs these permissions and might test it.
So it looks like there are a load more options now available in Entra around controlling users' ability to provide consent for an application. The user experience would likely be better if we can automatically grant tenant-wide consent when creating the application. Similar to: https://devcoops.com/terraform-grant-azure-ad-admin-consent/
Admin consent will remove the pop-ups. However, if each workspace app needs admin consent manually granting, this will add friction to the user experience.
Was your account a directory administrator or similar so you were able to grant consent?
Correct, for that specific workspace.
Hi,
We have set up a base workspace and during authentication the user is being asked to provide admin consent. Upon choosing the bottom option - return to the application without granting admin consent (the user does not have any elevated roles in Entra) - they subsequently get access denied on the base workspace:
The user has been granted the following:
TRE API Enterprise Application - TRE Administrator & TRE User
Workspace Enterprise Application - Workspace Owner / Researcher / Airlock Manager
Many thanks.