Admin approval required

Emanuel Borsoi 156 Reputation points
2024-11-14T16:04:18.5366667+00:00

I have developed a web app; for the login I redirect to the Microsoft page in order to get a JWT. In Azure I configured an app with a redirect URI and the MS Graph User.Read permission.

For the majority of the users it works fine. Just a few users get the error pop-up that an approval or an administrator is needed in order to access this app.

I have been working with Azure and App Registrations for years; this is the first time I have seen this problem.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Harshitha Eligeti 970 Reputation points Microsoft Vendor
    2024-11-16T06:10:02.7+00:00

    Hi @Emanuel Borsoi,

    I understand that specific users are receiving a message that "an approval or an administrator is needed" when trying to access your web app via Microsoft Graph. This can stem from several factors related to permissions and user roles within Microsoft Entra ID.

    If users are receiving the consent prompt, they may be accessing the application with the prompt=consent parameter in the URL. When this parameter is included, the application will prompt for consent every time, even if consent has already been granted. 

    Since you mentioned that some users are seeing the consent prompt, I suggest reviewing the logs or checking the URL when the user is signing into the application to see if it includes prompt=consent. If this parameter is present, the user will be asked to grant admin consent each time they access the application, even if admin consent has already been provided in the Azure portal.   

    If the URL contains prompt=consent during sign-in, this will trigger the user to grant admin consent repeatedly. In this case, compare the permissions requested in the URL with the permissions that have been admin-consented to the application. 

    To resolve this issue, refer to these articles for more information: Solved: "Need admin approval" or "Approval required" AADSTS90094 error during Microsoft sign-in

    https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal

    Hope this helps. Do let us know if you have any further queries.   

    Best Regards. 
    Harshitha Eligeti 

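The check suggested in the answer above can be scripted over sign-in URLs captured from logs. This is an added example, not part of the answer or any Microsoft code: it flags prompt=consent and lists requested scopes missing from the consented set. The sample URLs, the TENANT_ID and CLIENT_ID placeholders, the consented list, and the case-insensitive scope comparison are all assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Graph scopes may be written bare (User.Read) or with the resource prefix.
GRAPH_PREFIX = "https://graph.microsoft.com/"

# Assumption: scopes shown as consented for the app registration in the portal.
CONSENTED = ["openid", "profile", "User.Read"]

# Constructed sample authorize URLs (placeholders, not real tenant or client IDs).
BASE = ("https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
        "?client_id=CLIENT_ID&response_type=code"
        "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback")
SAMPLE_URLS = [
    BASE + "&scope=openid%20profile%20User.Read",
    BASE + "&scope=openid+profile+User.Read+Mail.Read&prompt=consent",
    BASE + "&scope=https%3A%2F%2Fgraph.microsoft.com%2FUser.Read",
]


def normalize(scope):
    """Drop the Graph resource prefix and lower-case so both spellings compare equal."""
    s = scope.strip()
    if s.lower().startswith(GRAPH_PREFIX):
        s = s[len(GRAPH_PREFIX):]
    return s.lower()


def review_authorize_url(url, consented_scopes):
    """Report whether the URL forces a consent prompt and which scopes lack consent."""
    query = parse_qs(urlsplit(url).query)
    prompts = set(query.get("prompt", [""])[0].split())
    requested = {normalize(s) for s in query.get("scope", [""])[0].split()}
    consented = {normalize(s) for s in consented_scopes}
    return {
        "forces_consent": "consent" in prompts,
        "not_consented": sorted(requested - consented),
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(review_authorize_url(url, CONSENTED))
```
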
