Azure AD 'Grant permission' Button Not Working: Technical Help Request

Azure AD "Grant permission" Button Failing Post May 18, 2018 (Consent Validation Failed)

Hey Michael, sorry to hear you're stuck with this frustrating issue—let's break down what's going on and walk through actionable fixes to get your permission grants working again.

Your Problem Recap

Just to align on the details you shared:

  • You hold the Global Admin role for your Azure AD tenant
  • The "Grant permission" button worked perfectly before May 18, 2018, but stopped functioning entirely after that date
  • When attempting to grant the custom application role you added, you get the error: Failed to grant permissions for application [application name]
  • Full error details:
{"errorCode":"Request_BadRequest","localizedErrorDetails":{"errorDetail":"Consent validation failed: "},"operationResults":null,"timeStampUtc":"2018-05-28T17:56:43.765787Z","clientRequestId":"1c1cad98-7731-45bf-8d78-8465ffdf902f","internalTransactionId":"42926dde-51de-451c-aae8-a186167197e8","upn":"f.dd@dd.be","tenantId":"f0000d-9eb0-473e-9646-ceggf5d47c69d","userObjectId":null}
  • Reproduction steps:
    1. Navigate to App registrations in Azure Active Directory
    2. Modify the API app's manifest to add a new application role
    3. Select the client app and attempt to grant it this new application role
    4. Click the "Grant permission" button, which triggers the validation error

Likely Causes & Fixes

1. Invalid Application Role Format in Manifest

Azure AD tightened up validation rules for application roles around May 2018, so your new role might be missing required fields or using invalid values. Double-check your manifest's appRoles array to ensure the role meets all these requirements:

  • A unique GUID for the id field (no duplicates, and it can't clash with other role/permission IDs in your tenant)
  • allowedMemberTypes includes "Application" (critical since you're granting this to a client app as an application-level permission)
  • Non-empty displayName (max 120 characters) and description (max 256 characters)
  • A value field with no spaces or special characters, unique across your app's roles
  • isEnabled set to true

Example of a properly formatted application role:

{
  "allowedMemberTypes": ["Application"],
  "description": "Grants service-level access to the core API endpoints",
  "displayName": "API Service Access",
  "id": "a1b2c3d4-5678-90ef-1234-567890abcdef",
  "isEnabled": true,
  "value": "ApiServiceAccess"
}

2. Bypass the UI with PowerShell

If the "Grant permission" button is still misbehaving, you can manually assign the role using Azure AD PowerShell. Here's the step-by-step:

  1. Install the Azure AD module (if you haven't already):
    Install-Module -Name AzureAD -Force
    
  2. Connect to your Azure AD tenant:
    Connect-AzureAD -TenantId "f0000d-9eb0-473e-9646-ceggf5d47c69d"
    
  3. Retrieve your API app and client app objects:
    # -ResourceId in step 5 expects the ObjectId of the API's service principal,
    # not of its application registration, so look up the service principal here
    $apiSp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Your API App Name'"
    $clientApp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Your Client App Name'"
    
  4. Grab the ID of your custom application role:
    $targetRole = $apiSp.AppRoles | Where-Object { $_.Value -eq "YourRoleValue" }
    
  5. Assign the role to the client app:
    New-AzureADServiceAppRoleAssignment -ObjectId $clientApp.ObjectId -PrincipalId $clientApp.ObjectId -ResourceId $apiSp.ObjectId -Id $targetRole.Id
    

3. Validate Client App's Permission List

Sometimes consent fails if the client app has other invalid or incomplete permissions configured. Double-check the client app's API permissions tab to ensure all entries are valid, have the correct type (application vs delegated), and no entries are in a broken state.

4. Check Azure AD Service Updates

Around May 2018, Azure AD rolled out updates to application consent workflows. It's worth checking your tenant's Service Health dashboard in the Azure portal to see if there were any known issues or breaking changes that might affect permission granting.

Let me know if any of these steps resolve your issue, or if you need help troubleshooting further!

The question in this content comes from Stack Exchange; question author: MichaelK
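
The manifest requirements listed under cause 1 can be checked before the manifest is uploaded. The following is an added example, not part of the original answer and not Microsoft tooling: the function names, the sample roles and the character set allowed in `value` are assumptions, and the length limits are the ones the answer states.

```python
import re
import uuid

# Assumption: "no spaces or special characters" = letters, digits, '.', '_', '-'.
VALUE_RE = re.compile(r"[A-Za-z0-9._-]+")

def is_guid(text):
    """True only for the canonical 8-4-4-4-12 hexadecimal form."""
    try:
        return str(uuid.UUID(text)) == text.lower()
    except ValueError:
        return False

def check_app_roles(manifest):
    """Return (role label, problem) pairs for every rule a role breaks."""
    findings, seen_ids, seen_values = [], set(), set()
    for role in manifest.get("appRoles", []):
        rid, value = str(role.get("id", "")), str(role.get("value", ""))
        name, desc = str(role.get("displayName", "")), str(role.get("description", ""))
        types = role.get("allowedMemberTypes") or []
        checks = [
            (not is_guid(rid), "id is not a valid GUID"),
            (rid.lower() in seen_ids, "id duplicates another role"),
            (not VALUE_RE.fullmatch(value), "value is empty or has spaces/special characters"),
            (value in seen_values, "value duplicates another role"),
            ("Application" not in types, "allowedMemberTypes lacks 'Application'"),
            (not name.strip() or len(name) > 120, "displayName is empty or over 120 characters"),
            (not desc.strip() or len(desc) > 256, "description is empty or over 256 characters"),
            (role.get("isEnabled") is not True, "isEnabled is not true"),
        ]
        findings += [(value or rid or "<unnamed>", msg) for bad, msg in checks if bad]
        seen_ids.add(rid.lower())
        seen_values.add(value)
    return findings

# Constructed sample manifest fragment (not taken from the original post).
GOOD_ID = "3f2b8c1e-9d4a-4e6b-8a57-0c1d2e3f4a5b"
SAMPLE = {"appRoles": [
    {"id": GOOD_ID, "value": "ApiServiceAccess", "allowedMemberTypes": ["Application"],
     "displayName": "API Service Access", "description": "Service access", "isEnabled": True},
    {"id": "not-a-guid", "value": "Reports Read", "allowedMemberTypes": ["User"],
     "displayName": "Reports", "description": "Read reports", "isEnabled": True},
    {"id": GOOD_ID.upper(), "value": "ApiServiceAccess", "allowedMemberTypes": ["Application"],
     "displayName": "Copy", "description": "", "isEnabled": False},
]}

if __name__ == "__main__":
    for label, problem in check_app_roles(SAMPLE):
        print(f"{label}: {problem}")
```

The GUID comparison is case-insensitive, so the third sample role is reported as a duplicate even though its id is written in upper case.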