Instruction
Configuratie - Systeem - Oauth providers

This page helps diagnose a failed sign-in through the Microsoft (Entra ID) OAuth provider. Typical message: «Admin consent required» (Microsoft error code AADSTS90094). For the setup itself, see How can I enable sign-in with Microsoft (Entra ID)?.

Why does this happen?

When signing in, i-Reserve requests the following permissions (scopes): openid User.Read Contacts.Read offline_access. These are all delegated (on behalf of the signed-in user). Microsoft may still require admin consent when:

  • the tenant is configured so that users cannot consent themselves to applications, or
  • no tenant-wide admin consent has been granted for the app yet.

The message appears on Microsoft’s own consent page — the browser then never returns to i-Reserve. That is why no sign-in attempt or error is visible on the i-Reserve side; the issue is in the Entra configuration.

Quick check in the Entra portal

  1. Open App registrations > [your app] > API permissions and check that the four permissions (openid, User.Read, offline_access, Contacts.Read) show «Granted for [organisation]».
  2. If not, click «Grant admin consent for [organisation]» (administrator rights required).
  3. As a cross-check, also open Enterprise applications > [your app] > Permissions: the same consent should be recorded there.
  4. After granting, it may take a few minutes before Microsoft has propagated the change everywhere. Then retry in a fresh browser session (incognito) to rule out a cached error page.

Diagnosis via PowerShell (read-only)

The script below lets you verify from the command line whether everything on the Entra side is correct. It is read-only (only *.Read.All scopes) and uses the modern Microsoft Graph PowerShell module. Fill in your tenant ID and client ID at the top (found under App registrations > Overview).

# --- In te vullen / Fill in / Ausfüllen ---
$tenantId = "<TENANT_ID>"   # Map-(tenant-)ID
$appId    = "<CLIENT_ID>"   # Toepassings-(client-)ID

Install-Module Microsoft.Graph -Scope CurrentUser    # alleen de eerste keer / first time only

Connect-MgGraph -TenantId $tenantId `
  -Scopes "Application.Read.All","DelegatedPermissionGrant.Read.All","Policy.Read.All","AuditLog.Read.All"

# 1. Bedrijfstoepassing ophalen + controleren of er maar EEN is
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
$sp | Format-List DisplayName, Id, AppId, AccountEnabled, ServicePrincipalType
"Aantal app-instanties: $($sp.Count)  (verwacht: 1)"

# 2. De daadwerkelijk verleende toestemming (de kern)
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
  Select-Object ConsentType, PrincipalId, Scope | Format-List

# 3. Tenant-instelling voor gebruikers-toestemming (leeg = alleen beheerder mag toestemmen)
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned

# 4. Laatste inlogpogingen voor deze app (vereist Entra ID P1/P2)
Get-MgAuditLogSignIn -Filter "appId eq '$appId'" -Top 20 |
  Select-Object CreatedDateTime, UserPrincipalName,
    @{n='Error';e={$_.Status.ErrorCode}},
    @{n='Reason';e={$_.Status.FailureReason}} |
  Format-Table -AutoSize

On the first Connect-MgGraph, Microsoft asks for consent for «Microsoft Graph Command Line Tools», which an administrator can approve. Step 4 (sign-in logs) requires an Entra ID P1 or P2 licence.

What «good» looks like

CheckExpected outcome
Number of app instancesExactly 1. More means a duplicate app that should be cleaned up.
Granted consent (step 2)A row with ConsentType : AllPrincipals and in Scope at least openid User.Read Contacts.Read offline_access. Principal = per-user only; empty = not granted.
User consent (step 3)Empty means only an administrator may consent — this explains the message, and is not a problem once step 2 is correct.
Sign-in logs (step 4)No new 90094 errors after the moment consent was granted.

The key checks are step 2 (is consent tenant-wide?) and step 3 (is self-consent disabled?).