Application stuck in an Approval Required consent loop (AADSTS90095)

Question

Application stuck in an Approval Required consent loop (AADSTS90095)

Kev 0

Hi! One of our clients continuously gets stuck during authentication at an "Approval Required" screen. Here they fill in a justification and "Request Approval." The admin on their account approves the request, but when the user logs in again they see the same screen.

The admin has tried:

granting admin consent for the application in the Permissions Entra screen
granting tenant-wide admin consent using the following URL: https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}
- after logging in the admin checked the option to "Consent on behalf of your organization"
- the admin was able to log in successfully, but users are not able to
the admin has also tried "Allow user consent for apps"

For more context, most people get a AADSTS90094 error. We are seeing an AADSTS90095 error**.**

Our app is requesting the scopes: [offline_access openid email profile User.Read Mail.ReadWrite MailboxSettings.ReadWrite Mail.Send]

We are making the OAuth process via the URL https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=consent

We use ?prompt=select_account for account creation and prompt=consent for reauthentication

Can someone help us solve this authentication issue.

Navya 17,825 Reputation points Microsoft External Staff

2025-04-14T19:37:06.3333333+00:00

Hi @Kev

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
Navya 17,825 Reputation points Microsoft External Staff

2025-04-15T17:36:47.3933333+00:00

Hi @Kev

Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

1 answer

Your answer

Navya 17,825 Reputation points Microsoft External Staff

2025-04-14T19:37:06.3333333+00:00

Hi @Kev

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
Navya 17,825 Reputation points Microsoft External Staff

2025-04-15T17:36:47.3933333+00:00

Hi @Kev

Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Vasil Michev 117.3K MVP

Is there any particular reason why you are adding the prompt=consent parameter to your authentication requests? This is what's most likely causing the behavior you are describing above. There is no need to ask for consent with each authentication request, moreover admin consent has been granted to the app, as you mentioned above.

Another thing to keep in mind is that if the application has been configured to require user assignment in the customer's tenant, this can also cause some "stuck" prompts. This behavior is detailed here: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal

Applications that requires users to be assigned to the application must have their permissions consented by an administrator, even if the user consent policies for your directory would otherwise allow a user to consent on behalf of themselves.

Kev 0 Reputation points

2025-04-09T17:29:48.2933333+00:00

Great question, I tried removing the prompt=consent in the OAuth URL and it still shows the Approval Required screen.

We don't require users to be assigned to the application - or at least not that I know of?
Vasil Michev 117.3K Reputation points MVP

2025-04-10T06:59:58.6333333+00:00

User assignment is configured on the service principal within the customer's tenant, so check with them whether this is toggled.

Share via

Application stuck in an Approval Required consent loop (AADSTS90095)

1 answer

Your answer