[docs] How to handle consent and challenge for internal-only applications? about active-directory-aspnetcore-webapp-openidconnect-v2 HOT 4 CLOSED

We reverted the change to a OpenID middleware and now using Jwt against /<tenant>/v2.0, which works so far.
Finally, I am able to call my API with MSAL 2.0 as Admin and I can request GraphSdk.Me.Request().GetAsync()

As user I get:

AADSTS65001: The user or administrator has not consented to use the application with ID '123' named 'MyApp'. Send an interactive authorization request for this user and resource.

To be honest I have right now no idea how to do that ( and no idea how to call user schema extensions ).
I got the consent question on the first admin login and on the first user login. For both I have accepted the dialog.

Our target is to have absolutely no consent questions for any user.

I know I have to configure something on the MSAL portal in the pre-auth'ed applications section.
But the documentation here is not clear, too.

from active-directory-aspnetcore-webapp-openidconnect-v2.

Okay, another step further.

You cannot set contents to a WebAPI platform only.
An admin consent can only bet set if a reply url exists, because a reply url is required - and this is only the case for a WebApp.

So even you have a Web API you have to add a Web App box to your Azure AD 2.0 App configuration.
This absolutely misses in every documentation and also makes no sense for me.

from active-directory-aspnetcore-webapp-openidconnect-v2.

Thanks for your feedback @BenjaminAbt
We are currently working on this documentation and associated samples

The case of the Web API is handled in another sample: https://github.com/azure-samples/active-directory-dotnet-native-aspnetcore-v2

from active-directory-aspnetcore-webapp-openidconnect-v2.

See also #24 which I just medged.

from active-directory-aspnetcore-webapp-openidconnect-v2.