Successful admin consent (to delegated Graph permissions) but users are unable to consent to the app: settings?

Hithesh Chowdary 21 Reputation points
2020-10-20T12:31:11.797+00:00

I have created an application in Azure that fetches/puts Teams-related data. Now users are not able to consent to this app. It always says it requires admin approval. I did follow the admin consent flow:

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-admin-consent

I did this multiple times, but apart from that admin (me), no other user in the organization is able to consent to the app. Please help me out: is there any additional setting I have to do? I checked Enterprise applications -> "Allow users to consent to applications" and it is set to "Yes".


Accepted answer
  1. soumi-MSFT 11,731 Reputation points Microsoft Employee
    2020-11-24T10:56:48.21+00:00

    Hello @Hithesh Chowdary , based on the troubleshooting we performed, I would like to share the summary with you and mention the fix here.

    • Issue: Getting the prompt to provide admin consent every time a user tries to login, though the consent has already been provided.
    • Cause: The admin consent screen coming with each login attempt is because of the fact that the request URL contained the prompt=consent as one of the URL parameters. This URL parameter explicitly throws the consent page and asks the user/admin to consent even though the consent is already provided.
    • Resolution: Remove the URL parameter prompt=consent from the request URL and things should start working normally.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.

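The fix in the accepted answer, as an added example that is not code from the question or from Microsoft: it builds the v2 authorize and admin consent URLs and shows how to detect and strip a `prompt=consent` parameter while keeping every other parameter intact. The tenant, client ID, redirect URI and scope values are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(tenant, client_id, redirect_uri, scope, state="constructed-state"):
    """One-time, tenant-wide admin consent via the v2.0 adminconsent endpoint."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": scope, "state": state})
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{query}"


def build_authorize_url(tenant, client_id, redirect_uri, scope, prompt=None):
    """Per-user sign-in URL. prompt='consent' forces the consent screen on every
    sign-in even when consent was already granted, which is what the user saw."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": scope, "response_mode": "query"}
    if prompt:
        params["prompt"] = prompt
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def forced_consent_prompt(url):
    """True when the request URL carries prompt=consent."""
    return any(k == "prompt" and v == "consent"
               for k, v in parse_qsl(urlsplit(url).query))


def remove_forced_consent(url):
    """Drop only prompt=consent; every other parameter (including other prompt
    values such as select_account) is preserved."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not (k == "prompt" and v == "consent")]
    return urlunsplit(parts._replace(query=urlencode(kept)))


# Constructed placeholder values, not a real tenant or app registration.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT = "https://localhost/callback"
SCOPE = "https://graph.microsoft.com/Team.ReadBasic.All offline_access"

BROKEN_URL = build_authorize_url(TENANT, CLIENT_ID, REDIRECT, SCOPE, prompt="consent")
FIXED_URL = remove_forced_consent(BROKEN_URL)
```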

4 additional answers

Sort by: Most helpful
  1. Vasil Michev 97,231 Reputation points MVP
    2020-10-20T12:49:50.08+00:00

    Some permissions are always limited to only admin users, there's no way to delegate them to "regular" users.


  2. JimmyYang-MSFT 49,441 Reputation points Microsoft Vendor
    2020-10-21T08:20:20.413+00:00

    Hi @Hithesh Chowdary ,

    Agree with michev! Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.

    https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#permission-types


  3. Calcul8or 6 Reputation points
    2020-11-05T04:29:16.977+00:00

    I'd really like an answer to this as well please.


  4. soumi-MSFT 11,731 Reputation points Microsoft Employee
    2020-11-05T06:24:59.797+00:00

    Hello @Hithesh Chowdary , I did some more research and it looks like an issue of illicit consent.

    This issue happens because of something called Risk-based Step-up consent.

    Risk-based step-up consent helps reduce user exposure to malicious apps making illicit consent requests. If Microsoft detects a risky end-user consent request, the request will require a "step-up" to admin consent instead. This capability is enabled by default, but it will only result in a behavior change when end-user consent is enabled.

    When a risky consent request is detected, the consent prompt will display a message indicating that admin approval is needed.

    So it is expected that this will happen to some apps if they meet our criteria. This is documented as one of the "unexpected consent errors" here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error

    AADSTS90093: <clientAppDisplayName> is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf.
    AADSTS90094: <clientAppDisplayName> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

    That said, if this is a valid, non-malicious app, we do want to make sure the developer is not blocked on this going forward.

    In order to get them unblocked immediately, the consent request can be sent to an admin for review and potential approval.

    References: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error

    I am looking for some more insights on this and I will keep you posted with the next set of details. For now, you can try two things:

    1. Try to make the app verified, by adding a verified domain to your tenant
    2. Try enabling the option:
       [image: 37605-adminconsent.png]

    Option 2 is a tedious job for the admin to keep providing consent for the users, but if your user base is a fixed one, then it would be a one-time thing for the admin. Moreover, the admin would only get a notification that someone is trying to access the app, and based on the justification, the admin can authorize that user's access.

    For now, I have these options in hand. I will share more insights with you once I can get my hands on those.
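The two error codes quoted in this answer, as an added example that is not code from the thread or from Microsoft: it parses the authorization error redirect an app receives, extracts the AADSTS code, and counts how many callbacks were stepped up to admin consent so an admin can see which requests need review. The callback URLs are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Both codes quoted in the answer mean the user cannot grant the requested
# permissions and an admin must consent (or approve a consent request) instead.
ADMIN_CONSENT_REQUIRED = {"AADSTS90093", "AADSTS90094"}
AADSTS_RE = re.compile(r"\bAADSTS\d+\b")


def parse_oauth_error(redirect_url):
    """Return (error, aadsts_code, description) from an error redirect,
    or None when the redirect carries an authorization code instead."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" not in query:
        return None
    description = query.get("error_description", [""])[0]
    match = AADSTS_RE.search(description)
    return query["error"][0], (match.group(0) if match else None), description


def needs_admin_consent(redirect_url):
    """True when the sign-in was stepped up to admin consent."""
    parsed = parse_oauth_error(redirect_url)
    return parsed is not None and parsed[1] in ADMIN_CONSENT_REQUIRED


def summarize(redirect_urls):
    """Count callbacks per outcome: 'ok', an AADSTS code, or 'other'."""
    counts = Counter()
    for url in redirect_urls:
        parsed = parse_oauth_error(url)
        counts["ok" if parsed is None else (parsed[1] or "other")] += 1
    return counts


# Constructed sample callbacks; the app name and state values are placeholders.
SAMPLE_CALLBACKS = [
    "https://localhost/callback?code=constructed-auth-code&state=s1",
    "https://localhost/callback?error=access_denied&error_description="
    "AADSTS90094%3A+Teams+Sync+needs+permission+to+access+resources+in+your+"
    "organization+that+only+an+admin+can+grant.&state=s2",
    "https://localhost/callback?error=access_denied&error_description="
    "AADSTS90093%3A+Teams+Sync+is+requesting+one+or+more+permissions+that+you+"
    "are+not+authorized+to+grant.&state=s3",
    "https://localhost/callback?error=invalid_request&error_description="
    "constructed+error+without+an+AADSTS+code&state=s4",
]
```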