Application requires admin consent, it keeps getting approved but nothing

Ron 5 Reputation points
2025-02-19T10:40:20.8933333+00:00

Hello,

One of our enterprise clients on Microsoft is trying to do the OAuth flow for our application ID but is facing an approval wall.

The user is prompted with the window 'Approval required'. They fill in the 'Enter justification for requesting this app' and click 'Request approval'. It goes to their Microsoft 365 admin who approves it (they have done it a dozen times already), but the user can still not log in.

On the other hand, when an admin tries to log in, they have the option 'Consent on behalf of your organization' and can then connect successfully. But for the normal user, still nothing; they keep getting the Microsoft 'Approval Required' form.

Our application is requesting the following scopes: [ 'offline_access', 'openid', 'profile', 'EWS.AccessAsUser.All', 'Mail.ReadWrite', 'Mail.Send', ]

We are making the OAuth process via the URL https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=consent

We use ?prompt=consent as described here: https://learn.microsoft.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant#admin-consent

In "App Registrations > Manage > Authentication" on Azure Portal we have selected "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)".

Could you guide us on what issue is preventing our user from logging in? They are not the only one who has this issue (already the fourth one). It is very frustrating.


4 answers

  1. Jose Benjamin Solis Nolasco 3,506 Reputation points
    2025-02-19T18:12:06.6633333+00:00

    Since admins can log in successfully, it suggests that consent is still required at an organizational level. Try granting consent for all users explicitly:

    1. Have the Microsoft 365 admin visit this URL (replace {tenant_id} with the client's tenant ID and {client_id} with your application ID):
         https://login.microsoftonline.com/{tenant_id}/adminconsent?client_id={client_id}

    2. The admin should grant consent for the entire organization instead of per-user approval.
    3. Once this is done, users should be able to authenticate without hitting the approval screen again.

    Also, you need to check this:

    Even after approval, users may not have proper access due to an issue in Enterprise Applications.

    • In Microsoft Entra ID > Enterprise Applications, find your application.
    • Under Permissions, check if the requested permissions are granted organization-wide.
      • If permissions still show "Needs admin approval", try re-granting them at the Admin consent section.

    Your OAuth URL currently uses prompt=consent. This forces the user to see the consent prompt every time, which may be problematic if the user's consent is not stored properly. Try removing it and using the default behavior.

    Instead of:

         https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=consent


    Use:

         https://login.microsoftonline.com/common/oauth2/v2.0/authorize


    This ensures that the process does not unnecessarily force a consent prompt.


  2. Ron 5 Reputation points
    2025-02-19T18:25:15.8233333+00:00

    Hi Jose,

    Thank you for your quick reply. Much appreciated.

    (1) Regarding the tenant ID in the URL, how can this be done, considering that we are a third-party application? We do not know what the tenant ID of the connecting organization is. They click on "Connect" and immediately get redirected to Microsoft for the OAuth flow.

    (2) If we do not include the ?prompt=consent there will be an error message. Please review this article: https://learn.microsoft.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant#admin-consent so does that mean we need 2 buttons: one for admins that passes ?prompt=consent then another one for the actual users?


  3. Anonymous
    2025-02-21T12:47:54.3666667+00:00

    Hello @Ron Danenberg,

    We understand that you are encountering an issue where users are prompted for "Approval Required", even after the admin has approved the request.  

    There might be several reasons causing this behavior, for example:

    Since the users are not able to log in after the admin consent, it's possible that the admin consent hasn't been granted to the correct scope for all users. The fact that an admin can log in with "Consent on behalf of your organization" suggests that the permissions were granted for the admin but not for regular users. So, you need to have the admin grant consent for the app on behalf of the organization explicitly.

    • Further, verify that the permissions you're requesting match with what users can consent to. You can see this under the API permissions section in the Azure portal. You can try to ensure that the permissions are properly configured for your multi-tenant app. Some permissions might need to be explicitly granted by the admin for the organization. If these are not properly consented to by the admin, the users will continue to see the "Approval Required". 

    Sharing relevant document for more information. 

    Hope this helps. Do let us know if you have any further queries.


  4. Alan Christensen 20 Reputation points
    2025-03-21T13:51:45.1133333+00:00

    I have this same problem. I have been tasked with making this admin consent flow work in my app. I have seen the option to use the link for the admin to give consent for everyone, but we have some security conscious customers that don't want to do that. https://login.microsoftonline.com/{tenant_id}/adminconsent?client_id={client_id}

    My customer gets logged in and sees this screen. [screenshot not included]

    They enter the justification and click request approval. [screenshot not included]

    Then the user clicks the "Back to app". When they are redirected back to my app I get this request. https://my-app.com/oauth/authorized?error=access_denied&error_subcode=cancel&state={state}d&error_description=AADSTS65004%3a+User+declined+to+consent+to+access+the+app.

    As far as my app knows they declined consent. But the email gets sent to the admin. They approve the consent, then the user gets an email saying the admin gave consent.

    How do I continue from here and finish this flow after consent is given?
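The two URL shapes discussed in the first answer (sign-in with and without prompt=consent, plus the tenant-wide admin consent link) and the access_denied callback shown in the fourth answer can be handled in one small helper. This is an added example, not code from any poster; the client ID, redirect URI and state values are constructed, and the admin consent URL assumes the `common` tenant alias is acceptable when the organization's tenant ID is not known in advance.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
# Scopes exactly as listed in the question.
SCOPES = ["offline_access", "openid", "profile",
          "EWS.AccessAsUser.All", "Mail.ReadWrite", "Mail.Send"]


def new_state():
    """Unguessable per-request state; store it server-side before redirecting."""
    return secrets.token_urlsafe(32)


def authorize_url(client_id, redirect_uri, state, force_consent=False):
    """v2.0 authorize URL. prompt=consent is only added for the admin button,
    so ordinary users are not forced through the consent screen every time."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": " ".join(SCOPES),
              "state": state}
    if force_consent:
        params["prompt"] = "consent"
    return f"{AUTHORITY}/common/oauth2/v2.0/authorize?{urlencode(params)}"


def admin_consent_url(client_id, tenant="common"):
    """Tenant-wide admin consent link; 'common' is assumed usable when the
    customer's tenant ID is unknown to a third-party app."""
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode({'client_id': client_id})}"


def classify_callback(url, expected_state):
    """Classify the redirect back to our app without trusting it before the
    state check. AADSTS65004 / error_subcode=cancel is what the fourth answer
    shows after 'Back to app', i.e. the user requested approval; the same
    error also appears on a real decline, so treat it as 'not granted yet'."""
    q = parse_qs(urlparse(url).query)
    state = q.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        return "invalid_state"          # possible CSRF or replay; discard
    if "code" in q:
        return "success"                # proceed to token redemption
    error = q.get("error", [""])[0]
    subcode = q.get("error_subcode", [""])[0]
    desc = q.get("error_description", [""])[0]
    if error == "access_denied" and (subcode == "cancel" or "AADSTS65004" in desc):
        return "consent_not_granted"    # show "retry once your admin approves"
    return "error"
```

Because the callback cannot distinguish a pending approval request from a decline, the app should record the attempt and let the same user retry sign-in later rather than treating the account as permanently refused.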

