This app requires your admin's approval to

Daniel Kuschny 20 Reputation points


I have a similar problem like many people have when using App Registrations and Enterprise Apps: The login fails with a message requiring admin, even though you have things configured that a user should be able to consent Admin Consent

My settings all indicate that no admin consent should be needed.

  1. The Tenant is configured to allow users to consent for verified publishers, for selected permissions. Consent Settings
  2. The Microsoft Graph Scopes for various permissions are classified as low. Classification
  3. My App Registration and Enterprise App are both in the same tenant defining those settings above.
  4. My App Registration defines various pemissions as delegated and no consent required. API Permissions
  5. The Enterprise App has "Assignment required?" set to "Yes" as only selected users should have access.
  6. The Enterprise App has users and groups assigned with the "Default Access" (users directly in groups)
  7. The software triggering the login uses core with OpenID using following settings:
  • Metadata Address: OpenID Connect metadata document as per Endpoints on the App Registration
    • ClientID: As shown in the Application (client) ID of the App registration
    • Client Secret: Added under Certificates & secrets
    • Authentication: HTTPS URI of the app added under Web > Redirect URIs
    • Response Type: code
    • Response Mode: query
    • Scopes: openid profile

The users can consent themselves if "Assignment required?" is set to "No". But IMO that settings shouldn't influence the consent check. I want users to consent themselves assuming they are granted access by assigning them via users and groups.
Assingment Required No

After login via "Assignment required? No" I see the User consent:

User Consent

I technically could add an own API scope and implement further authorizations in my app. But this feels double the effort.

What am I missing here?

Kind Regards

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,521 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,389 questions
{count} votes

Accepted answer
  1. Vasil Michev 94,911 Reputation points MVP

    You have correctly identified the issue here, the "assignment" functionality currently clashes with consent requirements. Microsoft is aware of this and will likely address it in a future update.

0 additional answers

Sort by: Most helpful