App using only delegated permissions requires admin approval

Sean Burke 26 Reputation points
2022-10-28T22:29:01.727+00:00

I have an application configured as a desktop client for both AD and personal accounts with IMAP.AccessAsUser.All, POP.AccessAsUser.All, SMTP.Send, and offline_access permissions. All of these are delegated permissions listed as not requiring admin consent. However, a user with an AD account has attempted to sign in and has received a screen with the message "Need admin approval", saying that the app "needs permission to access resources in your organization that only an admin can grant". Is this correct? Can organizations require that applications be approved even when none of the requested permissions should require it?

Microsoft Graph

3 answers

  1. Bhanu Kiran 3,526 Reputation points
    2022-10-28T23:02:01.977+00:00

    Hi @Sean Burke ,

    App-only permissions always require a tenant administrator’s consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn’t able to consent.

    Certain delegated permissions also require a tenant administrator’s consent.

    Please refer to this document for more information.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


  2. Rob Windsor 1,956 Reputation points
    2022-10-29T02:21:52.11+00:00

    Can organizations require that applications be approved even when none of the requested permissions should require it? It appears they can. I'm not sure this is causing the issue in your case but it's something you could investigate.

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal&pivots=portal#configure-user-consent-settings



  3. Vasil Michev 95,836 Reputation points MVP
    2022-10-29T07:54:08.45+00:00

    Is your app publisher verified? By default requests from non-verified multi-tenant apps are put in the "risky" bin and will require admin consent: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-risk-based-step-up-consent

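The two answers above point at tenant-side settings (the user consent policy and the verified-publisher / risk-based step-up rule) rather than at the app's own permission list. The following script, an added example that is not from the thread or from Microsoft's documentation, reads those settings with the Microsoft Graph PowerShell SDK so an admin of the affected tenant can see which one is producing the "Need admin approval" screen. It assumes the SDK is installed, that the caller can consent to the read-only scopes it requests, and that `$AppId` is the client (application) ID of the desktop app; the mapping of the built-in `microsoft-user-default-*` policy IDs to the portal's three user-consent options, and the note that the built-in low-impact list covers only openid, profile, email, offline_access and User.Read (so IMAP/POP/SMTP scopes fall outside it), reflect my reading of the linked documentation.

```powershell
# Added example (not code from the original thread). Shows why a delegated-only
# app can still hit "Need admin approval" in a given tenant.
# Assumptions: Microsoft.Graph PowerShell SDK installed; caller can consent to
# the read-only scopes below; $AppId is the app's client (application) ID.
param(
    [Parameter(Mandatory = $true)]
    [string]$AppId
)

Connect-MgGraph -Scopes "Policy.Read.All", "Application.Read.All" -NoWelcome
$tenantId = (Get-MgContext).TenantId

# 1. Tenant user-consent setting (Enterprise applications > Consent and permissions).
#    The portal's three radio buttons correspond to which ManagePermissionGrantsForSelf.*
#    policy is assigned to the default user role (assumed mapping, see lead-in).
$policy    = Get-MgPolicyAuthorizationPolicy
$assigned  = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
$selfGrant = ($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' }) -join ','

if ($selfGrant -like '*microsoft-user-default-legacy') {
    $mode = 'Users may consent to any app for permissions that do not require admin consent'
} elseif ($selfGrant -like '*microsoft-user-default-low') {
    $mode = 'Users may consent only to verified-publisher or same-tenant apps, and only for ' +
            'low-impact permissions (openid, profile, email, offline_access, User.Read; assumed list). ' +
            'IMAP/POP/SMTP scopes are outside that list, so they need admin consent.'
} elseif ($selfGrant) {
    $mode = "Custom permission grant policy assigned: $selfGrant (inspect it with Get-MgPolicyPermissionGrantPolicy)"
} else {
    $mode = 'User consent disabled: every app needs admin consent regardless of the scopes it asks for'
}
Write-Host "User consent mode : $mode"

# 2. Risk-based step-up consent. When enabled, a multi-tenant app from an unverified
#    publisher is treated as risky and user consent is blocked even for low-impact scopes.
Write-Host "Risk-based step-up: $(if ($policy.AllowUserConsentForRiskyApps -eq $false) { 'user consent for risky apps blocked' } else { 'allowed (default)' })"

# 3. The app's service principal in this tenant, if one exists yet. A first-time
#    sign-in that is refused at the consent prompt does not create one.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" `
        -Property "id,displayName,appId,appOwnerOrganizationId,verifiedPublisher"

if (-not $sp) {
    Write-Host "Service principal : none in tenant $tenantId (app has never been consented here)"
    Disconnect-MgGraph | Out-Null
    return
}

$homeTenant = $sp.AppOwnerOrganizationId -eq $tenantId
$publisher  = $sp.VerifiedPublisher.VerifiedPublisherId
Write-Host "Service principal : $($sp.DisplayName) ($($sp.Id))"
Write-Host "Registered here   : $homeTenant"
Write-Host "Verified publisher: $(if ($publisher) { "$($sp.VerifiedPublisher.DisplayName) [$publisher]" } else { 'NOT verified' })"

if (-not $homeTenant -and -not $publisher) {
    Write-Host "  -> multi-tenant app without publisher verification: user consent is blocked" `
               "under the 'verified publishers' setting and under risk-based step-up consent."
}

# 4. Delegated consent already recorded for this app.
#    ConsentType 'AllPrincipals' = admin consent on behalf of the organization;
#    'Principal'               = one user's own consent (PrincipalId identifies the user).
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
if (-not $grants) {
    Write-Host "Existing grants   : none"
} else {
    foreach ($g in $grants) {
        Write-Host ("Existing grant    : {0,-13} principal={1,-36} scopes={2}" -f `
            $g.ConsentType, ($g.PrincipalId ?? '-'), $g.Scope)
    }
}

Disconnect-MgGraph | Out-Null
```

Run it as a user holding a read-only directory role in the tenant that shows the prompt (`.\Check-ConsentBlock.ps1 -AppId <client-id>`, the filename being my own choice). If the output reports "User consent disabled" or the verified-publisher mode with an unverified multi-tenant app, the block comes from the tenant policy and no change to the app's permission list will remove it; the fixes are an admin consent grant for the app, publisher verification of the app registration, or a change to the tenant's consent setting. The `??` null-coalescing operator in the grant loop needs PowerShell 7; on Windows PowerShell 5.1 replace it with an `if` expression.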