For organizations that store data about children and young adults (and, in some jurisdictions, adults who cannot consent to their own legal affairs), Entra ID needs to record an age group for each user, together with any consent obtained on behalf of minors.
Entra ID has three age group values: Minor, NotAdult and Adult. A fourth state, null, is the default and means no age group has been recorded.
Microsoft's definition of Minor is 12 and under, but the legal definition in your country or region may differ, and you would then need to record users in that different age range as Minor.
If a user is recorded as a Minor there are circumstances in which they cannot sign in until consent is recorded. Entra ID cannot collect that consent itself (for example at sign-in); an administrator must obtain it by other means and then enter it on the user object.
A minor without recorded consent gets the following error at sign-in:
If you then check the Entra ID sign-in logs for the user, the entry shows Sign-in error code 54000 (displayed as AADSTS54000 in the picture above), with {appName} and {audience} filled in for the application concerned:
User is not allowed to access application {appName} due to Legal Age Group Requirement of application {audience}.
The picture above shows OfficeHome as the application at issue; that is what you get simply by browsing to https://portal.office.com or https://microsoft365.com. Other portals and applications produce different appName/audience values, but sign-in is blocked all the same.
You can change the age group and parental consent settings in the Entra admin center: Users > select the user > Properties, then look in the Parental Consent section:
Or you can change them via Microsoft Graph. The Graph PowerShell SDK cannot set the values back to null (the default), but setting ageGroup to Adult has the same effect on sign-in (the user is allowed in with no restrictions).
Here are the possible values, the legalAgeGroupClassification that Graph calculates from them, and whether the combination blocks sign-in:

| ageGroup | consentProvidedForMinor | legalAgeGroupClassification (calculated) | Sign-in |
| --- | --- | --- | --- |
| Minor | None (null) | MinorWithoutParentalConsent | Fail |
| Minor | Denied | MinorWithoutParentalConsent | Fail |
| Minor | Granted | MinorWithParentalConsent | Success |
| Minor | NotRequired | MinorNoParentalConsentRequired | Success |
| NotAdult | None (null) | NotAdult | Success |
| NotAdult | Denied | NotAdult | Success |
| NotAdult | Granted | NotAdult | Success |
| NotAdult | NotRequired | NotAdult | Success |
| Adult | N/A | N/A | Success |
Here is some Microsoft Graph PowerShell to make the above changes. Note that legalAgeGroupClassification is a read-only property that Graph calculates from the other two, so mismatched values do not produce an error: the change either does not take effect, or the column furthest to the left in the table wins. Setting ageGroup to Adult clears consentProvidedForMinor and legalAgeGroupClassification, and a consentProvidedForMinor of Granted or Denied overrides anything you tried to set for legalAgeGroupClassification.
# Pick one test user (here the first user whose Department is 'Student')
$user = Get-MgUser -Filter "Department eq 'Student'" -ConsistencyLevel eventual -Top 1
# Only AgeGroup and ConsentProvidedForMinor are writable; LegalAgeGroupClassification
# is calculated by Graph from those two, so the value given here is overridden
$UpdateUser = @{
    AgeGroup                    = "Minor"
    ConsentProvidedForMinor     = "NotRequired"
    LegalAgeGroupClassification = "MinorNoParentalConsentRequired"
}
Update-MgUser -UserId $user.Id @UpdateUser
Resetting a user to null (the default) does not work through Update-MgUser, so use the portal or send the PATCH request yourself with Invoke-MgGraphRequest, as shown:
# Replace object-id-of-user with the user's object ID
$uri = "https://graph.microsoft.com/v1.0/users/object-id-of-user"
# Property names as they appear on the Graph user resource; null clears each value
$UpdateUserJson = @{
    ageGroup                = $null
    consentProvidedForMinor = $null
}
$json = ConvertTo-Json -InputObject $UpdateUserJson
Invoke-MgGraphRequest -Uri $uri -Method PATCH -Body $json -ContentType "application/json"
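Putting the pieces above together, here is an added example (not code from the original post) that audits which minors will currently be blocked, records consent for one user and reads back the calculated legalAgeGroupClassification to confirm the table, resets a user to null via a raw PATCH, and pulls the sign-in log entries that failed with error code 54000. It assumes the Microsoft.Graph module (including Microsoft.Graph.Reports for Get-MgAuditLogSignIn) is installed and that the signed-in account can consent to the User.ReadWrite.All, AuditLog.Read.All and Directory.Read.All scopes; the function names and the 'Department eq Student' selection are this example's own choices.

```powershell
# Added example: audit, fix and verify minor-consent state with the Graph PowerShell SDK.
# Scopes, function names and the Department filter are assumptions of this example.
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# The age/consent properties are not returned by default, so request them explicitly.
$ageProps = "Id", "UserPrincipalName", "AgeGroup", "ConsentProvidedForMinor", "LegalAgeGroupClassification"

function Get-BlockedMinor {
    # Minors whose consent is null or Denied: per the table, these users fail
    # sign-in with AADSTS54000 until an administrator records consent.
    Get-MgUser -Filter "ageGroup eq 'Minor'" -Property $ageProps -All |
        Where-Object { $_.ConsentProvidedForMinor -ne 'Granted' -and $_.ConsentProvidedForMinor -ne 'NotRequired' } |
        Select-Object UserPrincipalName, AgeGroup, ConsentProvidedForMinor, LegalAgeGroupClassification
}

function Set-MinorConsent {
    param(
        [Parameter(Mandatory)] [string] $UserId,
        [Parameter(Mandatory)] [ValidateSet('Granted', 'Denied', 'NotRequired')] [string] $Consent
    )
    # legalAgeGroupClassification is read-only and derived by the service,
    # so only the two writable properties are sent.
    Update-MgUser -UserId $UserId -AgeGroup 'Minor' -ConsentProvidedForMinor $Consent
    # Read the user back: the derived classification tells you whether sign-in
    # now succeeds (MinorWithParentalConsent / MinorNoParentalConsentRequired)
    # or still fails (MinorWithoutParentalConsent).
    Get-MgUser -UserId $UserId -Property $ageProps |
        Select-Object UserPrincipalName, AgeGroup, ConsentProvidedForMinor, LegalAgeGroupClassification
}

function Reset-AgeGroup {
    param([Parameter(Mandatory)] [string] $UserId)
    # Update-MgUser cannot write nulls, so send the PATCH body directly.
    # Keys are the camelCase property names of the Graph user resource.
    $body = @{ ageGroup = $null; consentProvidedForMinor = $null } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$UserId" `
        -Body $body -ContentType 'application/json'
    Get-MgUser -UserId $UserId -Property $ageProps |
        Select-Object UserPrincipalName, AgeGroup, ConsentProvidedForMinor, LegalAgeGroupClassification
}

function Get-AgeGroupSignInFailure {
    # Sign-in log entries that failed with error code 54000 (AADSTS54000) in the
    # last N days: who was blocked, when, and the app shown as {appName}.
    param([int] $Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "status/errorCode eq 54000 and createdDateTime ge $since" -All |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
            @{ n = 'FailureReason'; e = { $_.Status.FailureReason } }
}

# Usage: list blocked minors, grant consent for one test user, then check the logs
Get-BlockedMinor
$student = Get-MgUser -Filter "Department eq 'Student'" -Property $ageProps -Top 1
if ($student) {
    Set-MinorConsent -UserId $student.Id -Consent 'Granted'
    # Reset-AgeGroup -UserId $student.Id   # returns the user to the null default
}
Get-AgeGroupSignInFailure -Days 7
```

Running Get-BlockedMinor before and after Set-MinorConsent is the quickest way to confirm the table: the user disappears from the blocked list as soon as the read-back shows MinorWithParentalConsent, and Get-AgeGroupSignInFailure shows you which applications the affected users were trying to reach while they were blocked.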
Photo by Ron Lach : https://www.pexels.com/photo/mother-covering-eyes-of-her-children-with-hands-against-internet-content-on-digital-pad-9786312/