"Approval required" showing even though admin consent has been granted for the whole tenant

Guillaume 0 Reputation points
2025-01-24T18:34:53.73+00:00

The issue is similar to this one but the answer does not apply to my situation.

**Here is the situation:**

I am a software developer. I am developing an integration with Microsoft to fetch Outlook mails from the Microsoft Graph API. I created an app registration in my Azure account, and my users are supposed to install it as an enterprise application in their own tenant to use the integration. It works well for personal Outlook accounts, and also for most organisations that are open to installing applications without admin consent.

One of my users is strict in terms of security and selected "Do not allow user consent" for the "Configure whether users are allowed to consent for applications to access your organization's data" input in his Azure tenant.

When one of his users requests access, he receives the request and successfully approves it. But then, when the user tries to sign in again with his account, the request access screen shows again... just as if the admin had not approved. The Azure logs in his tenant say "Admin consent is required for the permissions requested by this application. An admin consent request may be sent to the admin."

The admin of this organisation showed me that he approved the application, and the permission looks good. See the screenshot for more context on his application configuration.
[Screenshots: 2025-01-24 at 19.28.21, 19.28.11, 19.29.01 and 19.32.27]

What should I do on my application registration, or what should the user do on his enterprise application side?


3 answers

  1. Vasil Michev 112.9K Reputation points MVP
    2025-01-25T15:41:58.0266667+00:00

    Are they requiring user assignment for the app? If that option is toggled, consent will always be triggered, it's a known issue that Microsoft is yet to address. Here's a reference article where it's mentioned: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal


  2. Guillaume 0 Reputation points
    2025-01-27T11:02:49.5433333+00:00

    I feel stupid... It was not related to the Azure configuration per se. It was an additional parameter I didn't see in the initialisation of the Authentication on the server.

    I was using the passport-microsoft strategy and this change solved the issue:

    ```typescript
    // Method override in a class that extends the passport strategy
    // (class declaration not included in the post).
    authenticate(req: any, options: any) {
      options = {
        ...options,
        accessType: 'offline',
        prompt: 'select_account',  // previously was 'consent'
        loginHint: req.params.loginHint,
        state: JSON.stringify({
          transientToken: req.params.transientToken,
          redirectLocation: req.params.redirectLocation,
          calendarVisibility: req.params.calendarVisibility,
          messageVisibility: req.params.messageVisibility,
        }),
      };

      return super.authenticate(req, options);
    }
    ```

    This helped me find out.


  3. Givary-MSFT 35,216 Reputation points Microsoft Employee
    2025-01-27T12:42:44.9966667+00:00

    @Guillaume I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: "Approval required" showing even though admin consent has been granted for the whole tenant

    Resolution: Resolved by @Guillaume

    It was not related to the Azure configuration per se. It was an additional parameter I didn't see in the initialisation of the Authentication on the server.

    I was using the passport-microsoft strategy and this change solved the issue:

    ```typescript
    // Method override in a class that extends the passport strategy
    // (class declaration not included in the post).
    authenticate(req: any, options: any) {
      options = {
        ...options,
        accessType: 'offline',
        prompt: 'select_account',  // previously was 'consent'
        loginHint: req.params.loginHint,
        state: JSON.stringify({
          transientToken: req.params.transientToken,
          redirectLocation: req.params.redirectLocation,
          calendarVisibility: req.params.calendarVisibility,
          messageVisibility: req.params.messageVisibility,
        }),
      };

      return super.authenticate(req, options);
    }
    ```

    Reference: https://learn.microsoft.com/en-us/answers/questions/1342884/azure-authentications-approval-required

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

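The following is an added example, not code from the thread or from passport-microsoft. It parses the authorize redirect a server emits and, using a simplified model of the consent behaviour described in this thread, predicts what a user sees in a tenant where user consent is disabled. The sample URLs, the placeholder client ID, the scopes and all function names are constructed for illustration.

```typescript
// Added example, not from the thread. Outcome rules are a simplified model
// of the consent behaviour described above, not Microsoft's implementation.
type Tenant = { userConsentAllowed: boolean; adminConsentGranted: boolean };
type Outcome = "signed_in" | "consent_dialog" | "approval_required";
type Audit = { prompt: string | null; scopes: string[]; nonAdmin: Outcome; admin: Outcome };

// prompt=consent forces the consent step even when a grant already exists;
// a non-admin passes that step only if the tenant allows user consent.
function predictOutcome(prompt: string | null, tenant: Tenant, isAdmin: boolean): Outcome {
  const consentStep = prompt === "consent" || !tenant.adminConsentGranted;
  if (!consentStep) return "signed_in";
  return isAdmin || tenant.userConsentAllowed ? "consent_dialog" : "approval_required";
}

// Parse the Location header of the redirect to the authorize endpoint.
function auditAuthorizeRedirect(location: string, tenant: Tenant): Audit {
  const q = new URL(location).searchParams;
  const prompt = q.get("prompt");
  const scopes = (q.get("scope") ?? "").split(" ").filter((s) => s.length > 0);
  return {
    prompt,
    scopes,
    nonAdmin: predictOutcome(prompt, tenant, false),
    admin: predictOutcome(prompt, tenant, true),
  };
}

// Constructed sample redirects; client_id and redirect_uri are placeholders.
const BASE =
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=00000000-0000-0000-0000-000000000000&response_type=code" +
  "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback" +
  "&scope=offline_access%20Mail.Read";
const strictTenant: Tenant = { userConsentAllowed: false, adminConsentGranted: true };

const withConsent = auditAuthorizeRedirect(BASE + "&prompt=consent", strictTenant);
const withSelectAccount = auditAuthorizeRedirect(BASE + "&prompt=select_account", strictTenant);
console.log(withConsent.nonAdmin, withSelectAccount.nonAdmin);
```

Running the same audit in a test against the `Location` header of your own login route catches a hard-coded `prompt=consent` before it reaches a tenant that has user consent disabled.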
