Sign-in with Microsoft (Entra ID) fails: diagnosis and scope troubleshooting
This page helps diagnose a failed sign-in through the Microsoft (Entra ID) OAuth provider. Typical message: «Admin consent required» (Microsoft error code AADSTS90094). For the setup itself, see How can I enable sign-in with Microsoft (Entra ID)?.
Why does this happen?
When signing in, i-Reserve requests the following permissions (scopes): openid User.Read Contacts.Read offline_access. These are all delegated (on behalf of the signed-in user). Microsoft may still require admin consent when:
- the tenant is configured so that users cannot consent themselves to applications, or
- no tenant-wide admin consent has been granted for the app yet.
The message appears on Microsoft’s own consent page — the browser then never returns to i-Reserve. That is why no sign-in attempt or error is visible on the i-Reserve side; the issue is in the Entra configuration.
Quick check in the Entra portal
- Open App registrations > [your app] > API permissions and check that the four permissions (openid, User.Read, offline_access, Contacts.Read) show «Granted for [organisation]».
- If not, click «Grant admin consent for [organisation]» (administrator rights required).
- As a cross-check, also open Enterprise applications > [your app] > Permissions: the same consent should be recorded there.
- After granting, it may take a few minutes before Microsoft has propagated the change everywhere. Then retry in a fresh browser session (incognito) to rule out a cached error page.
Diagnosis via PowerShell (read-only)
The script below lets you verify from the command line whether everything on the Entra side is correct. It is read-only (only *.Read.All scopes) and uses the modern Microsoft Graph PowerShell module. Fill in your tenant ID and client ID at the top (found under App registrations > Overview).
# --- In te vullen / Fill in / Ausfüllen ---
$tenantId = "<TENANT_ID>" # Map-(tenant-)ID
$appId = "<CLIENT_ID>" # Toepassings-(client-)ID
Install-Module Microsoft.Graph -Scope CurrentUser # alleen de eerste keer / first time only
Connect-MgGraph -TenantId $tenantId `
-Scopes "Application.Read.All","DelegatedPermissionGrant.Read.All","Policy.Read.All","AuditLog.Read.All"
# 1. Bedrijfstoepassing ophalen + controleren of er maar EEN is
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
$sp | Format-List DisplayName, Id, AppId, AccountEnabled, ServicePrincipalType
"Aantal app-instanties: $($sp.Count) (verwacht: 1)"
# 2. De daadwerkelijk verleende toestemming (de kern)
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
Select-Object ConsentType, PrincipalId, Scope | Format-List
# 3. Tenant-instelling voor gebruikers-toestemming (leeg = alleen beheerder mag toestemmen)
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
# 4. Laatste inlogpogingen voor deze app (vereist Entra ID P1/P2)
Get-MgAuditLogSignIn -Filter "appId eq '$appId'" -Top 20 |
Select-Object CreatedDateTime, UserPrincipalName,
@{n='Error';e={$_.Status.ErrorCode}},
@{n='Reason';e={$_.Status.FailureReason}} |
Format-Table -AutoSizeOn the first Connect-MgGraph, Microsoft asks for consent for «Microsoft Graph Command Line Tools», which an administrator can approve. Step 4 (sign-in logs) requires an Entra ID P1 or P2 licence.
What «good» looks like
| Check | Expected outcome |
|---|---|
| Number of app instances | Exactly 1. More means a duplicate app that should be cleaned up. |
| Granted consent (step 2) | A row with ConsentType : AllPrincipals and in Scope at least openid User.Read Contacts.Read offline_access. Principal = per-user only; empty = not granted. |
| User consent (step 3) | Empty means only an administrator may consent — this explains the message, and is not a problem once step 2 is correct. |
| Sign-in logs (step 4) | No new 90094 errors after the moment consent was granted. |
The key checks are step 2 (is consent tenant-wide?) and step 3 (is self-consent disabled?).





