Multi-tenant app consent not working: users get “admin approval required” error after admin consent link used.

mmchaabani 0 Reputation points
2025-06-30T08:23:58.65+00:00

Hello,

I am integrating Microsoft Entra ID (Azure AD) authentication into my application. The app is registered as multi-tenant, and the code works as expected.

My client has their own Microsoft Entra tenant, and I want to let their entire organization sign in using their own accounts. To do this, I generated an admin consent link:

https://login.microsoftonline.com/<TENANT_ID_OR_DOMAIN>/adminconsent?client_id=dee37824-a1e6-42c1-b3c5-b24998e106c8&redirect_uri=<redirect URI>

My client’s global admin used this link, accepted the consent screen, and was redirected to the redirect URI successfully. In their portal, my application appears under Enterprise Applications.

However, when one of their users tries to sign in to my application, they still see an error saying they do not have permission to access the app.

Could you please help me understand why this is happening, whether additional settings are needed (such as API permissions, cross-tenant settings), or whether something is missing on the client tenant side?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

Martin Egli 435 Reputation points
    2025-07-03T14:22:20.36+00:00

    Hi mmchaabani,

    You're on the right track with multi-tenant setup and admin consent. Since the app appears in Enterprise Applications after the admin accepted the consent screen, it means the service principal was successfully created in your client’s tenant. However, the issue your users are facing ("admin approval required") usually points to missing or incorrectly configured API permissions or tenant settings.

    Checklist to Resolve the Issue

    1. Check Required Permissions and Grant Type

    Ensure the app registration has delegated permissions (not just application permissions) for Microsoft Graph or any other APIs your app uses.

    Then confirm:

    • Admin consent was granted for all required delegated permissions

    • No additional permissions were added after the admin consent (those wouldn’t be granted automatically)

    You can reissue admin consent using the same link if new permissions were added.

    2. Check Client Tenant Settings (Microsoft Entra ID > Enterprise Applications)

    In your client’s tenant:

    • Go to Microsoft Entra > Enterprise Applications > Your App > Permissions

    • Ensure "User assignment required?" is disabled

    • If enabled, you must assign each user manually.

    • If disabled, the app should be usable by all users.

    3. Verify Cross-Tenant Access Settings (Optional)

    If your app uses custom APIs or you are calling Microsoft Graph with high-privilege scopes (like User.ReadWrite.All, Directory.Read.All, etc.), their tenant might have restricted cross-tenant access policies under:

    • Microsoft Entra > External Identities > Cross-tenant access settings

    • Ensure inbound access is allowed for your tenant/app or users

    4. Double-check Redirect URI Matching

    Ensure the redirect_uri used during admin consent matches exactly the one used during user login flow. A mismatch might cause permission denial in some flows.

    Summary

    Checkpoint                                    Status Needed
    Admin granted consent for all scopes
    "User assignment required" is disabled
    App uses delegated permissions
    Cross-tenant access allows your tenant        ✅ (optional for high-priv scopes)
    Redirect URI matches login flow

    Let me know if you want help validating the permission scopes or generating the correct consent URL.

    Martin

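The checklist in the answer above can be evaluated against what Microsoft Graph actually returns from the client tenant. The script below is an added example, not code from the answerer or from Microsoft: it takes the app's service principal and its oAuth2PermissionGrant records (as a tenant admin would fetch them from `/servicePrincipals` and `/oauth2PermissionGrants`), and reports which checkpoints fail. The field names (`appId`, `appRoleAssignmentRequired`, `clientId`, `resourceId`, `consentType`, `scope`) are Graph's; every object value, service principal id, user id and redirect URI below is constructed for the example, and the client_id is the one from the question. It also applies a distinction the answer only implies: a per-user grant (`consentType` `Principal`) is not admin consent, only an `AllPrincipals` grant is.

```python
"""Offline diagnostic for the admin-consent checklist (added example).

Given the objects Microsoft Graph returns from the client tenant, report which
checkpoints are not satisfied. Only the field names follow Graph; all values in
the SAMPLE_* data are constructed for the example.
"""

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId
SAMPLE_APP_ID = "dee37824-a1e6-42c1-b3c5-b24998e106c8"  # client_id from the question

# Constructed servicePrincipal objects as seen in the client tenant.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-app-0001", "appId": SAMPLE_APP_ID, "displayName": "Example Multi-tenant App",
     "appRoleAssignmentRequired": True},      # "User assignment required?" is ON
    {"id": "sp-graph-0001", "appId": GRAPH_APP_ID, "displayName": "Microsoft Graph",
     "appRoleAssignmentRequired": False},
]

# Constructed oAuth2PermissionGrant objects for that app.
SAMPLE_GRANTS = [
    # Tenant-wide admin consent for two Graph delegated scopes.
    {"clientId": "sp-app-0001", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph-0001", "scope": "User.Read email"},
    # A single user's own consent: NOT evidence of admin consent.
    {"clientId": "sp-app-0001", "consentType": "Principal", "principalId": "user-0042",
     "resourceId": "sp-graph-0001", "scope": "Mail.Read"},
]


def find_service_principal(service_principals, app_id):
    """Return the service principal whose appId matches, or None if the app
    was never consented to in this tenant (checkpoint: consent completed)."""
    return next((sp for sp in service_principals if sp.get("appId") == app_id), None)


def admin_consented_scopes(grants, client_sp_id, resource_sp_id):
    """Collect delegated scopes granted tenant-wide (consentType 'AllPrincipals')
    from the client app to the resource; per-user grants are ignored."""
    scopes = set()
    for grant in grants:
        if (grant.get("clientId") == client_sp_id
                and grant.get("resourceId") == resource_sp_id
                and grant.get("consentType") == "AllPrincipals"):
            scopes.update(grant.get("scope", "").split())
    return scopes


def diagnose(service_principals, grants, app_id, required_scopes,
             consent_redirect_uri, login_redirect_uri):
    """Evaluate the checklist; an empty list means every checkpoint passed."""
    findings = []
    app_sp = find_service_principal(service_principals, app_id)
    if app_sp is None:
        return ["no service principal for this appId: admin consent never completed here"]

    # Checkpoint 1: every delegated scope the app requests has tenant-wide consent.
    graph_sp = find_service_principal(service_principals, GRAPH_APP_ID)
    granted = (admin_consented_scopes(grants, app_sp["id"], graph_sp["id"])
               if graph_sp else set())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        findings.append("admin consent missing for delegated scopes: " + " ".join(missing))

    # Checkpoint 2: "User assignment required?" blocks everyone not explicitly assigned.
    if app_sp.get("appRoleAssignmentRequired"):
        findings.append("'User assignment required' is enabled: unassigned users are blocked")

    # Checkpoint 4: the redirect_uri must match between consent and login flows.
    if consent_redirect_uri != login_redirect_uri:
        findings.append("redirect_uri used for admin consent differs from the login flow")
    return findings


def run_sample():
    """Run the diagnosis over the constructed tenant data (hypothetical URIs)."""
    return diagnose(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS, SAMPLE_APP_ID,
                    required_scopes=["User.Read", "email", "Mail.Read"],
                    consent_redirect_uri="https://app.example.invalid/auth",
                    login_redirect_uri="https://app.example.invalid/auth")


if __name__ == "__main__":
    for finding in run_sample() or ["all checkpoints passed"]:
        print("-", finding)
```

Against the sample data the script reports two findings: `Mail.Read` has only a per-user grant, so it is missing from admin consent, and `appRoleAssignmentRequired` is true, which is exactly the "admin approval required" symptom described in the question. Checkpoint 3 (cross-tenant access settings) is not modelled here because it lives in a separate policy object rather than on the service principal.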
