Hello,
I have a question regarding the permissions for the SAML mechanism. The aim is to use the ADAL SDK within this authentication process. I followed this guide (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-customer-cloud-tutorial) to set up Azure AD.
Below is the simplified authentication process.
The SAML-enabled application (Service Provider) redirects to Azure AD (the Identity Provider), where no password is stored. The URL is https://login.microsoftonline.com/xxxxx; after providing the UPN I get forwarded to the internal ADFS, where I enter the password, and afterwards I get directed back to Azure AD, where the permission error occurs.
After providing the right credentials for the user in the internal ADFS, an error occurs in Azure AD regarding the permissions for AAD.
"AADSTS65005: Misconfigured application. This could be due to one of the following:
The client has not listed any permissions for 'AAD Graph' in the requested
permissions in the client's application registration. Or, the admin has not consented
in the tenant."
The application doesn't need any further permissions to access APIs on Azure AD except the ones needed for the SAML process. In the scenario where the error occurs, only read permissions are set (application and delegated). I think write permissions are also required due to the management of the several tokens, but which ones exactly? I don't want to give the application more permissions than required.
What permissions are needed exactly in this scenario?
Thank you very much and kind regards,
Flo
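The AADSTS65005 text quoted above names two possible causes; the first (no permission listed for 'AAD Graph' in the app registration) can be checked directly in the registration's manifest. The following is an added example, not code from the poster or from Microsoft: it reads a constructed manifest excerpt in the registration's `requiredResourceAccess` format and reports whether any AAD Graph permission is requested and of which kind (delegated `Scope` or application `Role`). The `appId` and permission ids in the sample are constructed; only the resource appId of AAD Graph is real.

```python
import json

# Resource appId of "Windows Azure Active Directory" (AAD Graph), the resource
# named in the AADSTS65005 message. Microsoft Graph uses a different appId.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"

# Constructed manifest excerpt: every requested permission targets Microsoft
# Graph, so nothing is listed for AAD Graph (the first cause in the error text).
SAMPLE_MANIFEST = json.dumps({
    "appId": "11111111-2222-3333-4444-555555555555",  # constructed value
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph
            "resourceAccess": [
                {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},  # constructed id
            ],
        }
    ],
})


def aad_graph_permissions(manifest_json):
    """Return (permission id, type) pairs requested against AAD Graph.

    type is "Scope" for a delegated permission and "Role" for an application
    permission. An empty result matches the first AADSTS65005 cause.
    """
    manifest = json.loads(manifest_json)
    found = []
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") == AAD_GRAPH_APP_ID:
            for access in resource.get("resourceAccess", []):
                found.append((access["id"], access["type"]))
    return found


def diagnose(manifest_json):
    """Map the manifest contents to the two causes the error message lists."""
    perms = aad_graph_permissions(manifest_json)
    if not perms:
        return "no AAD Graph permissions listed in the registration"
    kinds = ", ".join(sorted({kind for _, kind in perms}))
    # Admin consent is not recorded in the manifest, so it must be checked
    # separately (enterprise application / admin consent) if the error persists.
    return "AAD Graph permissions listed (%s); check admin consent next" % kinds


if __name__ == "__main__":
    print(diagnose(SAMPLE_MANIFEST))
```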