Azure App Authentication: Non-admin Users Encounter 'Need Admin Approval' Error despite granting all admin-consent required permissions

Jislin 20 Reputation points
2024-11-26T06:23:19.4933333+00:00

We have an application registered in Microsoft Azure Active Directory. The app requires both admin-consent-required and non-admin permissions. Below are the configurations for the application:

Public Client Flow: Enabled

Permissions: Added, with all admin-consent-required permissions granted by the admin.

Allow User Consent for Apps: Enabled

Supported Account Types: Accounts in any organizational directory (multi-tenant)

Despite these settings, when a non-admin user attempts to authenticate, they are presented with a "Need admin approval" error instead of the expected user consent workflow.

The permissions requested in the scope include:

offline_access
user.read.all
directory.read.all
channelSettings.read.all
group.read.all
groupMember.read.all
chatMember.read

[Screenshot 2024-11-20 at 3.40.21 PM]

The authorization URL used is:

https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?client_id={client_id}&response_type=code&redirect_uri={redirect_uri}&response_mode=query&state={state}&scope=offline_access%20user.read.all%20directory.read.all%20channelSettings.read.all%20group.read.all%20groupMember.read.all%20chatMember.read

Problem: Instead of initiating the user consent workflow for non-admin users, the application prompts the "Need admin approval" message.

Is there any additional configuration required to ensure the user consent workflow is triggered?

PS: even though the auth URL contains admin-consent-required permissions, all of them have been granted, leaving only the user-grantable permissions.

Tags: Microsoft Entra ID, Microsoft Graph

Accepted answer
CarlZhao-MSFT 46,366 Reputation points
2024-11-26T08:45:41.0266667+00:00

    Hi @Jislin

    If you have granted admin consent for the above permissions, the "Need admin approval" page will not pop up when users of this tenant log in to the authorization endpoint, unless you are logging in with users from other tenants.

    However, if the scope of the authorization URL contains "permissions that have been granted admin consent" and "permissions that do not require admin consent but have not been granted user consent", the expected user consent page will not pop up, but the "Need admin approval" page will pop up. This is because consent is specific to the entire scope, and when you try to grant user consent for those permissions that "do not require admin consent", it will require you to consent to all permissions in the scope. The solution is to use users to consent to these permissions that "do not require admin consent" separately. If all permissions in the scope have been consented, the consent page will not pop up again.


    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

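The two-step consent sequence the accepted answer describes, as an added Python example that is not part of the original thread: the requested scopes are split into the admin-consent-required set and the user-consentable set, the first authorization request carries only the user-consentable scopes (so the tenant user sees the ordinary consent page rather than "Need admin approval"), and once those are granted the full scope set is requested. The `ADMIN_CONSENT_REQUIRED` table, the placeholder tenant, client and redirect values, and the helper names are assumptions made for this example; the classification of each Graph permission must be confirmed against the Microsoft Graph permissions reference, and the URL shape is the one from the question.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Constructed table for this example: which of the requested delegated Graph
# permissions require admin consent. It is an assumption, not taken from the
# thread; confirm every entry against the Graph permissions reference.
ADMIN_CONSENT_REQUIRED = {
    "offline_access": False,
    "user.read.all": True,
    "directory.read.all": True,
    "channelsettings.read.all": True,
    "group.read.all": True,
    "groupmember.read.all": True,
    "chatmember.read": False,
}


def split_scopes(scopes):
    """Partition scopes into (admin-consent-required, user-consentable).

    Scope names are matched case-insensitively, as in the question's URL.
    An unclassified scope raises instead of being silently guessed, because a
    wrong guess would put it in the wrong request and trigger the admin prompt.
    """
    admin, user = [], []
    for scope in scopes:
        try:
            needs_admin = ADMIN_CONSENT_REQUIRED[scope.lower()]
        except KeyError:
            raise ValueError(f"unclassified scope: {scope}") from None
        (admin if needs_admin else user).append(scope)
    return admin, user


def build_authorize_url(tenant, client_id, redirect_uri, state, scopes):
    """Build a v2.0 authorize URL with the same parameters as the question's URL.

    The scope list is space-separated and %20-encoded (quote, not quote_plus).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "state": state,
        "scope": " ".join(scopes),
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params, quote_via=quote)


def scopes_from_url(url):
    """Recover the requested scope list from an existing authorize URL."""
    return parse_qs(urlsplit(url).query)["scope"][0].split()


def plan_consent_requests(scopes, user_consent_granted=False):
    """Return the ordered list of scope sets to put in authorization requests.

    Consent is evaluated for the whole scope parameter: while user-consentable
    scopes are still ungranted, mixing them with admin-consented scopes yields
    the "Need admin approval" page. So the first request carries only the
    user-consentable scopes; after they are granted, the full set is requested.
    """
    admin, user = split_scopes(scopes)
    if user_consent_granted or not user:
        return [list(scopes)]
    return [user, list(scopes)]


if __name__ == "__main__":
    # Constructed placeholder values; the scope list is the one from the question.
    requested = ["offline_access", "user.read.all", "directory.read.all",
                 "channelSettings.read.all", "group.read.all",
                 "groupMember.read.all", "chatMember.read"]
    original = build_authorize_url("TENANT_ID", "CLIENT_ID",
                                   "https://localhost/callback", "STATE", requested)
    for step, scope_set in enumerate(plan_consent_requests(scopes_from_url(original)), 1):
        print(f"request {step}:", build_authorize_url("TENANT_ID", "CLIENT_ID",
                                                      "https://localhost/callback",
                                                      "STATE", scope_set))
```

Running the block prints the first URL with only `offline_access` and `chatMember.read` in its scope, followed by the full-scope URL to use once that consent has been recorded. The admin-consented set is intentionally not requested on its own: it is already granted, so including it adds nothing to the first step and, combined with ungranted scopes, is exactly what produces the admin-approval page.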

1 additional answer

Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
2024-11-26T07:29:42.2033333+00:00

    Are you requiring user assignment for said app? There is a known issue with consent and apps requiring assignment, as detailed for example here: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal

