This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 71%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGN%3C/text%3E%3C/svg%3E)
Hello,
We recently started developing a small web app using Blazor. We chose Blazor server app and want to have kind of an automatic log-in for users in the future, so for that purpose we chose to use Microsoft Entra ID as we already have it configured in our organization.
We did everything according to this tutorial. We created a Blazor application, registered it to our Entra ID tenant using msidentity-app-sync tool as instructed in the guide. Everything went fine, we see the app registered in Entra ID administration panel, and now, once we run the project on our local machine, we get redirected to Microsoft log-in screen. After inputting user credentials and proceeding, we get an error message saying "Need admin approval" (attaching a screenshot too).
We are a bit in a deadend here, as it is not really clear, what needs to be done here. What kind of permissions or to whom we need to grant them to prevent this?
Any kind of help will be greatly appreciated!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Gvidas Šniolis ,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
@Gvidas Šniolis
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Could you please check your scope of permission in appsettings? By default there only user.read scope
and make sure that you configured AzureAd settings
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "localhost",
"TenantId": "tenant id",
"ClientId": "client id",
"ClientSecret": "client secret",
"ClientCertificates": [
],
"CallbackPath": "/signin-oidc"
},
"DownstreamApi": {
"BaseUrl": "https://graph.microsoft.com/beta",
"Scopes": "user.read"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"AllowedHosts": "*"
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
This is a message from azure login and controlled by the application configuration in azure ad. To use the azure token to access resources on the behalf of the user, the azure admin must grant the application these rights. In addition the user must authorize the application, but the azure admin may pre-grant this authorization. for you app to access resources, you must configure api access, and assign to a scope. on login the app needs request this scope.
.NET 5.0 not supported anymore. How to update from source code?