How to grant admin consent for an application once, so that none of the users in the organization get prompted for admin consent?

Gurutej Nettalam 0 Reputation points
2025-03-06T11:08:37.3066667+00:00

Background

  • Admin Consent via Endpoint:
    When granting tenant-wide admin consent using the dedicated URL:
    https://login.microsoftonline.com/common/adminconsent?client_id=[client_id]
    non-admin users are still being prompted to provide consent during sign-in.
  • Alternate Endpoint Tried:
    I also tried using:
    https://login.microsoftonline.com/{tenantId}/adminconsent?client_id=[client_id]&redirect_uri={myurl}
    In both cases, when I followed these URLs, I was prompted to accept consent, which I did using an admin account.

Problem Statement

  • OAuth Flow for Non-Admin Users:
    When triggering the OAuth flow for a non-admin user using:
    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=[client_id]&response_type=code&redirect_uri=https://www.google.co.in/&response_mode=query&scope=Calendars.ReadWrite OnlineMeetingTranscript.Read.All User.Read.All offline_access&state=12345
    the user is again being asked to provide admin consent, even though all the scopes listed here have already been granted by an admin.

Question

  • Why is the non-admin user being prompted for consent again despite the scopes being previously approved by an admin?
Microsoft Entra ID
  1. Jose Benjamin Solis Nolasco 711 Reputation points
    2025-03-06T13:22:47.0666667+00:00

    @Gurutej Nettalam Hello

    I have seen this case before; many developers once upon a time had this issue. I'm going to share some things you can double check:

    If non-admin users are still being prompted for consent despite an admin granting tenant-wide admin consent, here are a few things to check:

    1. Verify Admin Consent Has Been Granted Correctly

    Ensure that the admin consent was successfully applied. To check:

    • Go to Azure Portal → Azure AD → Enterprise Applications.
    • Locate your application.
    • Go to Permissions → check "Admin consent granted" for the required permissions.

    If the permissions show "Not granted," then the consent was not applied correctly.

    2. Confirm That the Permissions Were Granted Tenant-Wide
    • If you used:
      https://login.microsoftonline.com/{tenantId}/adminconsent?client_id=[client_id]&redirect_uri={myurl}

    This should grant admin consent tenant-wide. However, confirm that the permissions granted match the ones requested in the OAuth flow.

    3. Check for Additional Required Permissions
    • If new permissions were added after admin consent was granted, non-admin users will be prompted again.
    • Ensure that all permissions (including "Calendars.ReadWrite", "OnlineMeetingTranscript.Read.All", etc.) are granted admin consent.
    4. Verify Conditional Access and User Consent Settings
    • In Azure AD → Enterprise Applications → Consent and Permissions, check:
      • If "Users can consent to apps accessing company data on their behalf" is disabled, users will require admin approval for any new permissions.
      • If a Conditional Access Policy is requiring additional approval, this could trigger new consent prompts.
    5. Re-Grant Admin Consent via PowerShell

    If the admin consent process via the URL isn't working as expected, you can try granting admin consent via PowerShell:

    # Microsoft Graph PowerShell SDK, in place of the retired AzureAD module used in the original snippet
    Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.ReadWrite.All"
    $app   = Get-MgServicePrincipal -Filter "appId eq '[client_id]'"                          # your app's service principal in this tenant
    $graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" # Microsoft Graph, the resource that exposes these scopes
    # ConsentType AllPrincipals with no PrincipalId is the tenant-wide (admin) grant; the ResourceId must be the Graph service principal, not the app itself
    New-MgOauth2PermissionGrant -ClientId $app.Id -ConsentType "AllPrincipals" -ResourceId $graph.Id -Scope "Calendars.ReadWrite OnlineMeetingTranscript.Read.All User.Read.All offline_access"

    Replace [client_id] with your actual application ID.

    6. Check App Registration API Permissions
    • Go to Azure AD → App Registrations → Select your app.
    • Under API Permissions, verify that all required permissions have admin consent granted.
    • If not, click Grant admin consent for <TenantName>.
    7. Ensure There Are No App Updates That Require Re-Consent
    • If the app developer updated the permissions in their manifest or API scopes, Azure AD may require users to re-consent.
    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!
    
    

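The answer's checklist boils down to one comparison: every scope in the authorize URL must be covered by an oauth2PermissionGrant whose consentType is AllPrincipals on the resource that exposes those scopes (Microsoft Graph here). A grant with consentType Principal is one user's own consent and does nothing for other users, and any requested scope outside the tenant-wide grant triggers the prompt. The following is an added example, not code from either post: it parses the question's authorize URL and a constructed sample shaped like the Graph oauth2PermissionGrants response, and reports which requested scopes lack a tenant-wide grant. The service principal object ids are constructed placeholders; only the Microsoft Graph appId is the real well-known value.

```python
from urllib.parse import urlsplit, parse_qs

# Real well-known appId of the Microsoft Graph resource application.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Constructed placeholders: the object ids grants are keyed by in a real tenant.
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"   # Graph service principal
APP_SP_ID = "22222222-2222-2222-2222-222222222222"     # the app's service principal

# The authorize URL from the question (client_id left as its placeholder).
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=[client_id]"
    "&response_type=code&redirect_uri=https://www.google.co.in/&response_mode=query"
    "&scope=Calendars.ReadWrite OnlineMeetingTranscript.Read.All User.Read.All offline_access"
    "&state=12345"
)

# Constructed sample, shaped like the response of
# GET /oauth2PermissionGrants?$filter=clientId eq '<app service principal id>'
SAMPLE_GRANTS = {
    "value": [
        {   # tenant-wide (admin) grant: note it lacks the transcript scope
            "clientId": APP_SP_ID,
            "consentType": "AllPrincipals",
            "principalId": None,
            "resourceId": GRAPH_SP_ID,
            "scope": "Calendars.ReadWrite User.Read.All offline_access",
        },
        {   # one user's own consent: covers that user only, nobody else
            "clientId": APP_SP_ID,
            "consentType": "Principal",
            "principalId": "33333333-3333-3333-3333-333333333333",
            "resourceId": GRAPH_SP_ID,
            "scope": "Calendars.ReadWrite OnlineMeetingTranscript.Read.All "
                     "User.Read.All offline_access",
        },
    ]
}


def requested_scopes(authorize_url):
    """Scopes in the authorize request's space-separated scope parameter."""
    query = parse_qs(urlsplit(authorize_url).query)
    return set(" ".join(query.get("scope", [])).split())


def tenant_wide_scopes(grants, client_sp_id, resource_sp_id):
    """Union of scopes granted to all users for this client on this resource.

    Only AllPrincipals grants count; a Principal grant is one user's consent.
    """
    covered = set()
    for grant in grants.get("value", []):
        if grant.get("clientId") != client_sp_id:
            continue
        if grant.get("resourceId") != resource_sp_id:
            continue
        if grant.get("consentType") != "AllPrincipals":
            continue
        covered.update((grant.get("scope") or "").split())
    return covered


def missing_tenant_wide_scopes(authorize_url, grants, client_sp_id, resource_sp_id):
    """Requested scopes a non-admin user will still be prompted for."""
    return requested_scopes(authorize_url) - tenant_wide_scopes(
        grants, client_sp_id, resource_sp_id
    )


if __name__ == "__main__":
    missing = missing_tenant_wide_scopes(
        SAMPLE_AUTHORIZE_URL, SAMPLE_GRANTS, APP_SP_ID, GRAPH_SP_ID
    )
    if missing:
        print("Scopes without a tenant-wide grant:", sorted(missing))
    else:
        print("All requested scopes are covered by an AllPrincipals grant.")
```

Against the sample data the check reports OnlineMeetingTranscript.Read.All: it was consented by a single user but never tenant-wide, which is exactly the state that produces a consent prompt for every other user. In a real tenant, feed the function the actual response of the oauth2PermissionGrants query together with the object ids of the app's and Microsoft Graph's service principals.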