365 tenant but no 365 admin access and cannot perform Entra ID or admin consent actions.
I have a Microsoft 365 tenant (<PII REMOVED>). My account <PII REMOVED> appears as an admin in Azure, but I do not have Microsoft 365 admin center access and cannot perform any Entra ID or admin consent actions.
I cannot grant admin consent for enterprise applications (e.g., Calendly), and I receive “Need admin approval” errors.
Additionally, I cannot access Entra consent settings or submit support requests from the tenant.
I need Microsoft Data Protection / tenant admin recovery assistance to restore Global Administrator functionality and enable admin consent for the tenant.
AI answer
2026-04-24T14:35:03.5733333+00:00
The described behavior matches a scenario where admin consent is required but the current account either lacks effective Global Administrator privileges in Microsoft Entra ID / Microsoft 365, or there is a tenant-level restriction on user consent and risky apps.
From the tenant side, the only supported way to resolve “Need admin approval” / AADSTS90094 and restore admin consent capability is for a valid privileged administrator or Microsoft support (Data Protection team) to intervene. Forum moderators and tools outside Microsoft support cannot change tenant roles or restore Global Administrator access.
Actions that must be taken by someone with working admin access or by Microsoft support:
- Verify effective admin role and tenant
  - Sign in to the Azure portal / Microsoft Entra admin center using the suspected admin account.
  - Confirm the correct tenant (galleytablecom.onmicrosoft.com) is selected.
  - In Microsoft Entra ID, check Roles and administrators to ensure the account is actually assigned a role such as Global Administrator, Privileged Role Administrator, or Application Administrator.
  - If the account is not in one of these roles, another Global Administrator must assign the role.
- Check consent configuration and risky app blocking
  Once a working Global Administrator session is available:
  - Go to Microsoft Entra ID → Enterprise applications → Consent and permissions.
  - Review User consent for applications:
    - If Do not allow user consent is set, non-admin users will always see “Need admin approval”. Admin consent must be used instead.
    - If user consent is blocked for risky applications, admin consent is still required even for permissions that normally do not need admin approval. In this case, an audit event with activity Consent to application and status reason like Risky application detected or Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException will appear. Admin consent is required to proceed.
- Perform admin consent for affected apps (e.g., Calendly)
  After Global Administrator access is restored:
  - Have a Global/Company/Application Administrator access the application.
  - When the consent screen appears, review the requested permissions and select Consent on behalf of your organization.
  - If the consent screen does not appear, construct a consent URL with &prompt=consent or use the admin consent URL form:
    https://login.microsoftonline.com/<Tenant-ID>/adminconsent?client_id=<App-ID>
  - Ensure all required scopes are configured in the app registration and then grant admin consent.
- When tenant-level user consent is disabled
  If User consent for applications is set to Do not allow user consent, non-admin users will always receive “Need admin approval”. In this case:
  - A Global/Company/Application Administrator must perform tenant-wide admin consent for each required application.
  - If user assignment is required for the enterprise application, users must also be explicitly assigned to the app.
- If no working Global Administrator access exists
  If the only Global Administrator account (or all admin accounts) cannot access Microsoft 365 admin center or Entra admin center, or cannot perform admin consent:
  - Microsoft’s Data Protection team must be engaged to verify identity and restore administrator access.
  - This is done by opening a support request through Microsoft support (for business tenants, typically via the Microsoft 365 Admin Center or by calling the regional support number). The Data Protection team has specific processes to validate ownership and recover admin access when an organization is locked out.
  - Community tools and Q&A cannot perform this recovery; it must go through Microsoft support.
Once Microsoft support restores Global Administrator functionality, admin consent can be granted as described above and “Need admin approval” errors for enterprise apps like Calendly will be resolved.
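Added example, not part of the answer above and not Microsoft's code: a Python sketch that triages exported audit records for failed Consent to application events, flags the risky-app status reasons the answer names, and builds the admin consent URL form it quotes. The field names follow the Microsoft Graph directoryAudit shape as an assumption about the export; the events, tenant ID and client IDs are constructed placeholders, and the `app_ids` mapping is hypothetical.

```python
import re
from urllib.parse import urlencode

# Status reasons the answer ties to risk-based blocking of user consent.
RISKY_MARKERS = ("Risky application detected",
                 "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException")
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def admin_consent_url(tenant_id, app_id):
    """Build the admin consent URL form from the answer; this sketch accepts GUIDs only."""
    if not (GUID.fullmatch(tenant_id) and GUID.fullmatch(app_id)):
        raise ValueError("tenant_id and app_id must be GUIDs")
    return f"https://login.microsoftonline.com/{tenant_id}/adminconsent?{urlencode({'client_id': app_id})}"

def triage(events, tenant_id, app_ids):
    """Return one finding per failed 'Consent to application' audit event."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        if (ev.get("result") or "").lower() == "success":
            continue
        reason = ev.get("resultReason") or ""
        app = (ev.get("targetResources") or [{}])[0].get("displayName", "unknown")
        # initiatedBy.user can be null when an app, not a person, started the action.
        who = (ev.get("initiatedBy") or {}).get("user") or {}
        cause = "risky-app-block" if any(m in reason for m in RISKY_MARKERS) else "other"
        client_id = app_ids.get(app)  # hypothetical name -> client ID map kept by the admin
        findings.append({"app": app, "user": who.get("userPrincipalName", "unknown"),
                         "cause": cause,
                         # Offer a URL only for known apps; an admin still reviews the permissions.
                         "admin_consent_url": admin_consent_url(tenant_id, client_id) if client_id else None})
    return findings

# Constructed sample data (not real tenant output); all IDs are placeholders.
TENANT = "00000000-0000-0000-0000-000000000001"
APP_IDS = {"Calendly": "00000000-0000-0000-0000-0000000000aa"}
SAMPLE_EVENTS = [
    {"activityDisplayName": "Consent to application", "result": "failure", "resultReason": RISKY_MARKERS[1],
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}}, "targetResources": [{"displayName": "Calendly"}]},
    {"activityDisplayName": "Consent to application", "result": "failure", "resultReason": "constructed other failure",
     "initiatedBy": {"user": None}, "targetResources": [{"displayName": "ExampleApp"}]},
    {"activityDisplayName": "Consent to application", "result": "success", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}}, "targetResources": [{"displayName": "Calendly"}]},
    {"activityDisplayName": "Add user", "result": "failure", "resultReason": "", "targetResources": []},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, TENANT, APP_IDS):
        print(finding)
```

A finding with cause risky-app-block corresponds to the case in the answer where admin consent is required even for permissions that normally do not need it.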