Login always shows "Need admin approval"

Ravi Patel 0 Reputation points
2025-05-01T12:15:40.37+00:00

Here is the scenario I want to support for my application, and my configuration in Azure.

Scenario:

I want to add Microsoft sign-in to the Assetron web application. When a user initiates sign-in using Microsoft, they should be able to authenticate using their Microsoft work, school, or personal Microsoft email without admin approval or consent.

Azure Configuration:

"Tenant 1" (Publisher's tenant)

  1. Created an app in the App Registrations.
  2. Branding and properties is configured as follows:
    1. Added brand details like logo, placeholder terms of service, and privacy policy URLs.
    2. Supported account types in Authentication selected as "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)"
    3. The publisher domain is verified.
    4. Added MPN ID successfully. It shows the publisher display name with blue tick mark.
  3. API permissions added are "openid", "email", "profile". These are "Delegated" permissions that do not require admin approval/consent.

"Tenant 2" (End user's tenant)

  1. Under "Enterprise Applications -> User settings -> Consent and Permissions", the permission selected is "Allow user consent for apps from verified publishers, for selected permissions (Recommended). All users can consent for permissions classified as 'low impact', for apps from verified publishers or apps registered in this organization."
  2. Under the "Enterprise Applications -> User settings -> Permissions Classifications", the 3 permissions added are openid, email, and profile.

Problem:

When I am trying to sign in using my Tenant 2's user account, I am seeing the message "Need admin approval". What am I missing? Since I am not requesting any permission that needs admin consent, why does the login process still show the message in the pop-up?


Microsoft Entra ID

3 answers

  1. Andy David - MVP 155.9K Reputation points MVP Moderator
    2025-05-01T15:46:36.63+00:00

    The other tenant may be requiring consent for all applications regardless of the permissions requested.

    https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview#user-consent-settings



  2. Andy David - MVP 155.9K Reputation points MVP Moderator
    2025-05-01T17:32:52.02+00:00

    This is the standard troubleshooting doc: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/application-sign-in-unexpected-user-consent-prompt

    and others:

    https://stackoverflow.com/questions/60111863/azure-active-directory-needs-admin-approval-after-setting-prompt-consent

    But... if you log in with a Global admin account and view the permissions at the prompt, verify that the permissions you expect are the ones being prompted for.


  3. Sanoop M 3,075 Reputation points Microsoft External Staff Moderator
    2025-05-05T07:55:36.3366667+00:00

    Hello @Ravi Patel,

    In addition to the above information provided by @Andy David - MVP , I am providing you some additional steps which might be helpful in resolving your issue.

    In certain scenarios, additional consent prompts can appear when a user attempts to sign in.

    Scenarios in which users see consent prompts

    Further prompts can be expected in various scenarios:

    • The application has been configured to require assignment. Individual user consent isn't currently supported for apps that require assignment; thus the permissions must be granted by an admin for the whole directory. If you configure an application to require assignment, be sure to also grant tenant-wide admin consent so that assigned users can sign in.
    • The set of permissions required by the application has been changed by the developer and needs to be granted again.
    • The user who originally consented to the application wasn't an administrator, and now a different (nonadmin) user is using the application for the first time.
    • The user who originally consented to the application was an administrator, but they didn't consent on-behalf of the entire organization.
    • The application is using incremental and dynamic consent to request further permissions after consent was initially granted. Incremental and dynamic consent is often used when optional features of an application require permissions beyond those required for baseline functionality.
    • Consent was revoked after being granted initially.
    • The developer has configured the application to require a consent prompt every time it's used (note: this behavior isn't best practice).

    Note:

    Following Microsoft's recommendations and best practices, many organizations have disabled or limited users' permission to grant consent to apps. If an application forces users to grant consent every time they sign in, most users will be blocked from using these applications even if an administrator grants tenant-wide admin consent. If you encounter an application which is requiring user consent even after admin consent has been granted, check with the app publisher to see if they have a setting or option to stop forcing user consent on every sign in.

    Troubleshooting steps

    Compare permissions requested and granted for the applications

    To ensure the permissions granted for the application are up-to-date, you can compare the permissions that are being requested by the application with the permissions already granted in the tenant.

    1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
    2. Browse to Entra ID > Enterprise apps > All applications.
    3. Enter the name of the existing application in the search box, and then select the application from the search results.
    4. Under Security in the left-hand navigation, choose Permissions.
    5. View the list of already granted permissions in the table on the Permissions page.
    6. To view the requested permissions, select the Grant admin consent button. This opens a consent prompt listing all of the requested permissions. Don't select Accept on the consent prompt unless you're sure you want to grant tenant-wide admin consent.
    7. Within the consent prompt, expand the listed permissions and compare with the table on the permissions page. If any are present in the consent prompt but not the permissions page, that permission has yet to be consented to. Unconsented permissions may be the cause for unexpected consent prompts showing for the application.

    View user assignment settings

    If the application requires assignment, individual users can't consent for themselves. To check if assignment is required for the application, do the following:

    1. On the application's page, select Properties under Manage.
    2. Check to see if Assignment required? is set to Yes.
    3. If set to yes, then an admin must consent to the permissions on behalf of the entire organization.

    Review tenant-wide user consent settings

    Whether an individual user can consent to an application is configured by each organization and may differ from directory to directory. Even if none of the requested permissions requires admin consent by default, your organization may have disabled user consent entirely, preventing an individual user from consenting for themselves to an application. To view your organization's user consent settings, do the following:

    1. Navigate to the Enterprise applications page of the Microsoft Entra admin center.
    2. Under Security, choose Consent and permissions.
    3. View the user consent settings. If set to Do not allow user consent, users are never able to consent on behalf of themselves for an application.

    I hope this above information provided is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
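As an added example (not part of any answer above), the following read-only PowerShell check, run in the end-user tenant with the Microsoft Graph PowerShell SDK, walks the three checks in this answer (requested vs. granted scopes, assignment required, tenant-wide user consent setting) plus the low-impact classification the question relies on. `<APP_ID>` is a placeholder for the app registration's Application (client) ID; the Microsoft Graph appId and the `microsoft-user-default-*` policy ids are the well-known values.

```powershell
# Added example: read-only diagnosis of a "Need admin approval" prompt in the end-user tenant (Tenant 2).
# Requires the Microsoft.Graph PowerShell SDK. <APP_ID> is a placeholder for the client ID.
$appId      = '<APP_ID>'
$requested  = @('openid', 'email', 'profile')            # delegated scopes the app asks for (from the question)
$graphAppId = '00000003-0000-0000-c000-000000000000'     # well-known appId of Microsoft Graph

Connect-MgGraph -Scopes 'Directory.Read.All', 'Policy.Read.All'

# 1. Service principal in this tenant: does it exist, require assignment, come from a verified publisher?
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    "No service principal for $appId in this tenant yet: no consent has been recorded here."
} else {
    "Assignment required : $($sp.AppRoleAssignmentRequired)  (True => users cannot self-consent)"
    "Verified publisher  : $($sp.VerifiedPublisher.DisplayName)"

    # 2. Delegated scopes already granted, tenant-wide ('AllPrincipals') or per user ('Principal').
    #    Scope is a space-separated string per grant, so split, flatten and de-duplicate it.
    $grants  = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
    $granted = $grants | ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ } | Sort-Object -Unique
    $missing = $requested | Where-Object { $granted -notcontains $_ }
    "Granted scopes      : $($granted -join ', ')"
    "Still unconsented   : $($missing -join ', ')   (these are what the prompt will ask for)"
}

# 3. Tenant-wide user consent setting, i.e. what the portal shows under Consent and permissions.
$selfPolicies = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned |
    Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' }
if (-not $selfPolicies) {
    "User consent        : Do not allow user consent (an admin must consent for everyone)"
} elseif ($selfPolicies -like '*microsoft-user-default-low') {
    "User consent        : verified publishers, low-impact permissions only"
} elseif ($selfPolicies -like '*microsoft-user-default-legacy') {
    "User consent        : allowed for all apps"
} else {
    "User consent        : custom policy $($selfPolicies -join ', ')"
}

# 4. Under the 'low' policy every requested scope must be classified Low on the resource (Microsoft Graph).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$low = Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id |
    Where-Object { $_.Classification -eq 'low' } | ForEach-Object { $_.PermissionName }
$notLow = $requested | Where-Object { $low -notcontains $_ }
"Not classified Low  : $($notLow -join ', ')   (any entry here blocks self-consent under the 'low' policy)"
```

A non-empty "Still unconsented" list together with either "Do not allow user consent", "Assignment required : True" or a "Not classified Low" entry is enough to explain the prompt without pressing Accept on the admin consent dialog.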

