Are they requiring user assignment for the app? If that option is toggled, consent will always be triggered. It's a known issue that Microsoft is yet to address. Here's a reference article where it's mentioned: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal
"Approval required" showing even though admin consent has been granted for the whole tenant
The issue is similar to this one, but the answer does not apply to my situation.
**Here is the situation:**
I am a software developer. I am developing an integration with Microsoft to fetch Outlook mails from the Microsoft Graph API. I created an app registration in my Azure account, and my users are supposed to install it as an enterprise application in their own tenant to use the integration. It works well for personal Outlook accounts, and also for most organisations that are open to installing applications without admin consent.
One of my users is strict in terms of security and selected "Do not allow user consent" for the "Configure whether users are allowed to consent for applications to access your organization's data" input in his Azure tenant.
When one of his users requests access, he receives the request and successfully approves it. But then, when the user tries to sign in again with his account, the request access screen shows again... just as if the admin had not approved. The Azure logs in his tenant say "Admin consent is required for the permissions requested by this application. An admin consent request may be sent to the admin."
The admin of this organisation showed me that he approved the application, and the permission looks good. See the screenshot for more context on his application configuration.
What should I do on my application registration, or what should the user do on his enterprise application side?
3 answers
Guillaume 0 Reputation points
2025-01-27T11:02:49.5433333+00:00 I feel stupid... It was not related to the Azure configuration per se. It was an additional parameter I didn't see in the initialisation of the authentication on the server.
I was using the passport-microsoft strategy, and this change solved the issue:

```typescript
authenticate(req: any, options: any) {
  options = {
    ...options,
    accessType: 'offline',
    prompt: 'select_account', // previously was 'consent'
    loginHint: req.params.loginHint,
    state: JSON.stringify({
      transientToken: req.params.transientToken,
      redirectLocation: req.params.redirectLocation,
      calendarVisibility: req.params.calendarVisibility,
      messageVisibility: req.params.messageVisibility,
    }),
  };
  return super.authenticate(req, options);
}
```
this helped me find out
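The fix in the answer above, generalized as an added example (not part of the original thread and not code from passport-microsoft): it builds a Microsoft identity platform v2.0 authorize URL and checks outgoing URLs for `prompt=consent`, the value that kept re-triggering the approval screen here. The client ID, redirect URI, scopes and state are constructed placeholders, and `buildAuthorizeUrl` / `auditAuthorizeUrl` are hypothetical helper names.

```typescript
// Added example; helper names and sample values are hypothetical/constructed.
type Prompt = 'login' | 'none' | 'consent' | 'select_account';
const KNOWN_PROMPTS: string[] = ['login', 'none', 'consent', 'select_account'];

interface AuthorizeRequest {
  tenant: string;      // 'common', 'organizations' or a tenant ID
  clientId: string;
  redirectUri: string;
  scopes: string[];
  state: string;
  prompt?: Prompt;     // omit to let the identity platform prompt only when needed
}

// Build the v2.0 authorization-code request URL.
function buildAuthorizeUrl(r: AuthorizeRequest): string {
  const url = new URL(
    'https://login.microsoftonline.com/' + encodeURIComponent(r.tenant) + '/oauth2/v2.0/authorize');
  url.searchParams.set('client_id', r.clientId);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('redirect_uri', r.redirectUri);
  url.searchParams.set('scope', r.scopes.join(' '));
  url.searchParams.set('state', r.state);
  if (r.prompt) url.searchParams.set('prompt', r.prompt);
  return url.toString();
}

// Check an outgoing authorize URL (e.g. captured from the login redirect).
function auditAuthorizeUrl(raw: string): string[] {
  const findings: string[] = [];
  const prompt = new URL(raw).searchParams.get('prompt');
  if (prompt === null) return findings; // no forced prompt
  if (KNOWN_PROMPTS.indexOf(prompt) === -1) {
    findings.push('unknown prompt value: ' + prompt);
  } else if (prompt === 'consent') {
    findings.push('prompt=consent forces the consent dialog on every sign-in, ' +
      'so users who cannot consent themselves see "Approval required" again');
  }
  return findings;
}

// Constructed sample request.
const sampleRequest: AuthorizeRequest = {
  tenant: 'common',
  clientId: '00000000-0000-0000-0000-000000000000',
  redirectUri: 'https://app.example.com/auth/callback',
  scopes: ['openid', 'offline_access', 'Mail.Read'],
  state: 'constructed-state-value',
  prompt: 'select_account',
};
console.log(auditAuthorizeUrl(buildAuthorizeUrl(sampleRequest)));
```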
Givary-MSFT 35,216 Reputation points Microsoft Employee
2025-01-27T12:42:44.9966667+00:00 @Guillaume I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
Issue: "Approval required" showing even though admin consent has been granted for the whole tenant
Resolution: Resolved by @Guillaume
It was not related to the Azure configuration per se. It was an additional parameter I didn't see in the initialisation of the authentication on the server.
I was using the passport-microsoft strategy, and this change solved the issue:

```typescript
authenticate(req: any, options: any) {
  options = {
    ...options,
    accessType: 'offline',
    prompt: 'select_account', // previously was 'consent'
    loginHint: req.params.loginHint,
    state: JSON.stringify({
      transientToken: req.params.transientToken,
      redirectLocation: req.params.redirectLocation,
      calendarVisibility: req.params.calendarVisibility,
      messageVisibility: req.params.messageVisibility,
    }),
  };
  return super.authenticate(req, options);
}
```
Reference: https://learn.microsoft.com/en-us/answers/questions/1342884/azure-authentications-approval-required
If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.