Hello @Daniel Van Tassell,
Thank you for posting your query on Microsoft Q&A.
I understand that users are encountering a "Need Admin Approval" message when trying to access the application. Despite signing in with a Global Administrator account and granting consent for the required scopes, users continue to see the same screen.
There are 2 most common causes.
You will need to get a URL of a sign-in page to determine the cause. Either users are redirected as a whole page or with a popup, users can see a URL starting with https://login.microsoftonline.com”. If the app skips the page automatically, collecting log with F12(.har) or fiddler will be helpful. We will check 2 parameters — ‘prompt’ and ‘scope’.
EXAMPLE: “https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={AppID}&response_type=code&redirect_uri={RedirectURI}&response_mode=fragment&scope=openid profile email user.read mail.read&state=12345&nonce=12345&prompt=consent” NOTE: You can replace {AppID} with the appID(clientID) of the app shown on Entra ID-App registration-Overview. You can replace {RedirectURI} with any redirectURI of the app shown on Entra ID-App registration-Authentication.
Cause 1: The prompt=consent
Parameter
If the app request to Entra ID includes prompt=consent
, Entra ID will prompt for consent even if admin consent has already been granted.
Solution for Cause 1: The app vendor or owner should remove the prompt=consent
parameter from the request to Entra ID. For more information, refer to the https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-implicit-grant-flow
Cause 2:
In the ‘scope’ parameter, there is one or more permissions that are NOT admin consented. In this case, users will see the error when they cannot grant consent by themselves.
Solution for Cause 2:
You will need to grant admin consent to permissions requested but not admin consented.
Let’s find out how to do that. You can compare permissions requested in the URL and the permissions admin consented to the app.
When you see the URL above, ‘scope’ parameter includes 5 permissions as below. ‘openid profile email user.read mail.read’.
When you go to Azure Portal — Entra ID- Enterprise app — Search the app having issue — Permissions.
In my case, there are 4 permissions as below are admin consented. ‘openid profile email user.read’
Yes, mail.read is NOT admin consented. As the user cannot grant consent to the permission, the user got the error.
Now, let’s grant admin consent to the app. Mostly, clicking “Grant admin consent <ORG name>” doesn’t resolve the issue. When admin clicks the button, the request goes to /adminconsent endpoint as below.
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
This endpoint pulls permissions that registered in the App Registration of the app. If there is no permission or only a part of permission are registered there, clicking “Grant admin consent <ORG name>” won’t grant admin consent to mail.read and the issue will persist.
We need to use /authorize endpoint to grant permission dynamically. Reference: https://learn.microsoft.com/en-us/previous-versions/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison#incremental-and-dynamic-consent
Global admin can go to the URL that the user had issue and grant admin consent. NOTE: The global admin MUST check “Consent on behalf of your organization”, and click Accept. If it is not checked, consent will be granted only for the global admin account, the issue will persist for other users.
“https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={AppID}&response_type=code&redirect_uri={RedirectURI}&response_mode=fragment&scope=openid profile email user.read mail.read&state=12345&nonce=12345&prompt=consent”
Then you can go back to Azure Portal — Entra ID- Enterprise app — Search the app having issue — Permissions and confirm if all permissions were successfully admin consented.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Raja Pothuraju.