Hi,
We are currently using the Microsoft login connector for user authentication in our application. We have a new requirement wherein, if a user is accessing the application via the Edge browser and is already logged into their Office 365 account at the browser level, the application should automatically log them in without requiring any user interaction.
Specifically, when the user navigates directly to the application dashboard URL, the system should detect the active Office 365 session and authenticate the user based on their Office 365 email address.
We have been working on implementing authentication using the MSAL library to support seamless login functionality. However, we are currently facing a few challenges.
While attempting to retrieve and handle authentication status through the library, we noticed that the relevant functions are not returning the expected authentication state. Additionally, we attempted to enable silent login by identifying the session, but encountered an error indicating that admin approval is required from our organization.
Specifically, when trying to access the application without prior consent granted, we are receiving the following error: AADSTS90014.
We would appreciate any guidance or recommendations you can provide to help us resolve these issues and proceed with the implementation.
For admin consent you can try below steps,
Admin Consent for Scopes
If you're seeing errors about admin approval required, it means your app is requesting permissions that require tenant-wide approval.
To resolve: Go to Azure Portal > Enterprise Applications > Your App > Permissions.
Click "Grant admin consent for [Your Organization]".
Alternatively, use this URL to request admin consent:
https://login.microsoftonline.com/common/adminconsent?client_id=YOUR_CLIENT_ID
Thanks.
Fix AADSTS90014:
Usually caused by missing request fields due to a malformed auth request or incorrect MSAL usage. Ensure correct MSAL version, complete config, and proper scopes.
Microsoft 365 (M365) services—such as Outlook, SharePoint, Teams, and OneDrive—are treated as individual OAuth 2.0 applications within Microsoft Entra ID (formerly Azure AD). This means:
Each service has its own unique client ID.
These apps are pre-registered by Microsoft as multi-tenant applications, meaning they can be accessed by users and organizations across any Microsoft Entra tenant.
Because Microsoft owns and manages these registrations, you do not have access to their internal configuration, including redirect URIs, client secrets, or exposed scopes.
What you are trying to do is - sorry to say - against all security principles of the OpenID connect/OAuth protocol.
The proper way is to
The prompt=none tries a silent login, so without the login dialog of Entra, but it will raise an error that you must handle (and then perform a regular authorization code flow) if the silent login fails. This can be the case if consent is required from the user and the user has not yet given consent.
See the official Entra documentation for the prompt parameter here https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-authorization-code
If you want to learn more about Entra client credential and authorization code flow and how to build it from scratch I recommend my webinar series here https://www.youtube.com/@stefanweber1170
Best
Stefan