How can I remove the admin consent popup for users who are not global admins? When users perform SSO, an admin consent popup appears, which I don't want

Charles Kiss 20 Reputation points
2025-03-14T04:10:07.84+00:00

Team, I have set up SSO on a WP site using the OAuth OIDC plugin with MS Entra ID, and want the users to perform SSO with accepting the admin consent. I have added permissions where admin consent is not required (see Email, Openid and Profile, just 3 permissions); still, my other users are getting a popup for admin consent approval. Can we remove this, or is this a mandatory popup that needs to be accepted by Global admin people?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Raja Pothuraju 23,800 Reputation points Microsoft External Staff Moderator
    2025-03-14T06:33:10.7833333+00:00

    Hello @Charles Kiss,

    Based on your description, I understand that you have registered an application in App Registrations and added Email, OpenID, Profile API permissions. These permissions show "Admin consent not required" when added through the portal. Please refer to the screenshot below to confirm that I am on the same page.

    User's image

    It appears that when users access the application, they are prompted with a consent screen asking them to accept the permissions. Please see the screenshot below.

    I tested obtaining an ID token using the email, openid, and profile scopes in the request:

    https://login.microsoftonline.com/xxxxxxxx-9e9b-4da0-xxxx-cf13bbfxxxx/oauth2/v2.0/authorize?client_id=xxxxxxx-1f81-xxxx-9161-xxxxxxxx&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=email+openid+profile&response_type=id_token

    User's image

    In this scenario, this behavior is expected the first time a user accesses the application because a global admin has not yet granted consent to these APIs or scopes.

    Why do these APIs show "Admin consent required: No," and what is the difference between "No" and "Yes" in admin consent requirements?

    If an API has "Admin consent required: No," users in your tenant can self-consent to these APIs by clicking "Accept" on the consent screen when they log in for the first time. After accepting, they will not see the consent prompt again for subsequent logins.

    If an API has "Admin consent required: Yes," users cannot consent on their own. Only an admin can grant consent to the application. If the admin has not granted consent, users will see a prompt stating "Need admin approval."

    User's image

    To prevent users from seeing the admin consent screen when accessing the application for the first time, you need to grant admin consent to the APIs. You can do this by clicking "Grant admin consent for [Your Organization]" in the API permissions section of the application. See the screenshot below for reference.

    User's image

    Once admin consent is granted, users will no longer see the consent prompt when they log in.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    1 person found this answer helpful.
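
As an added example (not part of the original answer and not Microsoft's code), the sketch below models the consent decision described in the answer: it parses the scopes from an authorize request and compares them with grants in the shape of Microsoft Graph `oauth2PermissionGrant` objects. All IDs, the sample grants and the function names are constructed for illustration, and the model is simplified; it also covers a request carrying `prompt=consent`, which forces the dialog regardless of existing grants.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data in the shape of Microsoft Graph oauth2PermissionGrant
# objects; every ID below is a made-up placeholder.
GRAPH_SP = "graph-sp-object-id"   # resource: Microsoft Graph service principal
APP_SP = "wp-sso-sp-object-id"    # client: the SSO app's service principal
GRANTS = [  # one user has already clicked "Accept" for themselves
    {"clientId": APP_SP, "resourceId": GRAPH_SP, "consentType": "Principal",
     "principalId": "user-alice", "scope": "openid profile email"},
]
# What "Grant admin consent" adds: one tenant-wide grant for all users.
ADMIN_GRANT = {"clientId": APP_SP, "resourceId": GRAPH_SP,
               "consentType": "AllPrincipals", "principalId": None,
               "scope": "openid profile email"}


def requested_scopes(authorize_url):
    """Return (scopes, prompt) parsed from an /authorize request URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    scopes = set(query.get("scope", [""])[0].split())
    prompt = query.get("prompt", [None])[0]
    return scopes, prompt


def missing_consent(authorize_url, user_id, grants,
                    client_id=APP_SP, resource_id=GRAPH_SP):
    """Scopes the user would still be asked to consent to (simplified model)."""
    wanted, prompt = requested_scopes(authorize_url)
    if prompt == "consent":       # the client forces the dialog on every sign-in
        return wanted
    covered = set()
    for g in grants:
        if g["clientId"] != client_id or g["resourceId"] != resource_id:
            continue
        tenant_wide = g["consentType"] == "AllPrincipals"
        if tenant_wide or g.get("principalId") == user_id:
            covered |= set(g["scope"].split())
    return wanted - covered


# Same query string as the request in the answer; tenant/client IDs are placeholders.
URL = ("https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
       "?client_id=CLIENT_ID&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms"
       "&scope=email+openid+profile&response_type=id_token")

if __name__ == "__main__":
    for user in ("user-alice", "user-bob"):
        print(user, "before:", sorted(missing_consent(URL, user, GRANTS)))
        print(user, "after: ", sorted(missing_consent(URL, user, GRANTS + [ADMIN_GRANT])))
```

If users are still prompted after admin consent has been granted, check whether the plugin's sign-in request includes `prompt=consent`.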
