Due to an unexpected change in Microsoft Azure AD's Security Model, the Azure AD Authentication Provider Preview introduced in FotoWeb FR9 no longer works correctly for non-admin users.
This affects all customers who are trying to enable the Azure AD integration in FotoWeb.
After enabling the Azure AD Preview in FotoWeb, Azure AD users without administrative permissions will get the following error message when attempting to sign in:
AADSTS90093 – Calling principal cannot consent due to lack of permissions.
The current workaround for this issue is to trigger the "Sign up my Company" experience. This grants FotoWeb consent for the whole directory (tenant-wide admin consent) to access the directory on behalf of the signed-in user, so individual users no longer have to consent themselves.
- Enable the Azure AD authentication provider.
- Go to FotoWeb, log in, and click the "Log in with SSO" button. This will take you to the Azure AD sign-in page.
- Append the following text to the query string of the Azure AD sign-in page URL in the address bar: &prompt=admin_consent
- Hit enter to reload the page using the new parameter.
- Sign in with a user that has administrative access to the directory.
- You will be presented with an Azure AD consent page, which asks you to give the application consent for the entire directory. Review the permissions listed before approving, as they will apply to every user in the directory.
- Approve the consent, and proceed to FotoWeb.
- Non-administrative users are now able to log in to FotoWeb.
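As an added example (not FotoWare's code), the following helper performs the URL edit from the steps above programmatically. Rather than blindly appending "&prompt=admin_consent", it parses the captured Azure AD sign-in URL, checks that it really points at a login.microsoftonline.com authorize endpoint (so the consent prompt is not pasted onto an unexpected host), replaces any existing prompt value instead of duplicating it, and keeps the remaining parameters such as client_id, redirect_uri and state intact. The client_id, redirect_uri and state values in the sample URL are constructed placeholders, not FotoWeb's real values.

```python
"""Rewrite an Azure AD authorize URL to request tenant-wide admin consent.

Added example, not FotoWare's own code. The sample URL below is constructed:
the client_id, redirect_uri and state are placeholders.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Host of the Azure AD sign-in page FotoWeb redirects to (assumption: the
# common Azure AD endpoint; adjust if your tenant uses a different authority).
AZURE_AD_HOST = "login.microsoftonline.com"


def with_admin_consent(authorize_url: str) -> str:
    """Return authorize_url with prompt=admin_consent set.

    Rewrites the query string instead of appending "&prompt=..." so that an
    existing prompt value (e.g. prompt=login) is replaced, not duplicated, and
    the result stays valid even if the URL had no query string at all.
    Raises ValueError if the URL is not an Azure AD authorize endpoint.
    """
    parts = urlsplit(authorize_url)
    if parts.scheme != "https" or parts.hostname != AZURE_AD_HOST:
        raise ValueError(f"not an Azure AD sign-in URL: {authorize_url}")
    if not parts.path.rstrip("/").endswith("/authorize"):
        raise ValueError(f"not an authorize endpoint: {parts.path}")

    # Keep every parameter except prompt, then add the admin consent prompt.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "prompt"]
    params.append(("prompt", "admin_consent"))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment))


def prompt_value(url: str) -> str:
    """Return the prompt parameter of a URL, or '' if absent (used for checks)."""
    values = [v for k, v in parse_qsl(urlsplit(url).query) if k == "prompt"]
    return values[-1] if values else ""


# Constructed sample: the kind of URL the browser shows after clicking
# "Log in with SSO". None of these values are real.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=id_token"
    "&redirect_uri=https%3A%2F%2Ffotoweb.example.com%2Fcallback"
    "&state=constructed-state"
    "&prompt=login"
)

if __name__ == "__main__":
    print(with_admin_consent(SAMPLE_URL))
```

Paste the printed URL into the address bar and continue with the administrative sign-in; the consent page then lists the permissions being granted for the whole directory.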
We are investigating a permanent solution to this issue.