Back to App button not working after getting request approved from Admin

Vineet Kumar 11 Reputation points
2020-05-05T04:57:27.413+00:00

We have configured settings in the Azure portal so that users are not allowed to give consent to apps accessing company data on their behalf (admin consent only). So, if a user wants to give consent, a request is sent to an admin for approval.

The issue is that when the admin approves the request and the user clicks the "Back to App" button, he gets an error saying the user declined to consent to the app. Microsoft posts the error code below to our Redirect API:

https://<Redirect_API_URL>?error=access_denied&error_subcode=cancel&state=<application_base url>&error_description=AADSTS65004%3a+User+declined+to+consent+to+access+the+app.

It seems like "Back to App" button is behaving like "Cancel" button.


3 answers

  1. Mason Stricklin 6 Reputation points
    2020-09-15T01:43:51.967+00:00

    I am also encountering the "Back to App" issue. Not sure how to handle this. I don't want to overwrite the AADSTS65004 error message, because a user can hit this error and have it be the correct error.

    I am considering displaying the AADSTS65004 error message alongside another message that says "admin authorization required." However, this isn't ideal. I would be displaying 2 error messages where only 1 is correct.


  2. soumi-MSFT 11,761 Reputation points Microsoft Employee
    2020-05-05T11:58:49.777+00:00

    @Vineet Kumar, you are correct. I did test the same and I do see the same error. The probable cause for this is that when you hit "Back To App", the user still doesn't have a valid token with the properly consented permissions in it to access the app, and hence AAD is still denying access with that error. But after the Global Admin has given consent, the user can use another tab in that same browser window and access the app, and he should be able to reach the app, as that new request would have the new token/code issued to the user after verifying the permissions and the consent on those permissions from the request the user has shared.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


  3. Luis Leon - MSFT 6 Reputation points Microsoft Employee
    2020-05-14T15:41:57.167+00:00

    @Vineet Kumar, thanks for the feedback around the "Back to App" button. This is the first time we have seen this feedback, so we're going to monitor and see if this is a common problem for customers. If you want to check the behavior, you can try to consent to https://developer.microsoft.com/en-us/graph/graph-explorer.

    As @soumi-MSFT mentioned, the end-user isn't expected to wait on that screen until the Admin provides the admin consent. They are expected to leave and come back once their request has been approved.

    Regarding the problem you mentioned where, even after you grant admin consent, the end-user keeps getting prompted for consent: this may be because in the sign-in request you continue asking for consent even when the Admin has already granted it. You have this query parameter in the URL: prompt=consent

    https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
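The two answers above describe the mechanics (a fresh sign-in after the admin has approved succeeds; `prompt=consent` forces the consent dialog on every sign-in) and the first answer raises the problem of telling the "Back to App" cancel apart from a genuine refusal. The following is an added example of a redirect-endpoint handler that puts those points together; it is not code from the thread or from Microsoft. It builds the v2.0 authorize URL without `prompt=consent` unless explicitly asked, parses the callback query string exactly as shown in the question, checks `state` before trusting anything else, and, on an `AADSTS65004`/`error_subcode=cancel` callback, starts one fresh sign-in instead of showing the "user declined" message right away; only a second `AADSTS65004` is treated as a real denial or a still-pending request. The tenant, client id, redirect URI, scopes and the sample callback URL are constructed placeholders.

```python
"""Azure AD / Microsoft Entra authorization-code callback handling for the
"Back to App" consent case.  Added example, not from the original thread.
Tenant, client id, redirect URI and scopes below are placeholder assumptions.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
TENANT = "contoso.onmicrosoft.com"                       # assumption
CLIENT_ID = "00000000-0000-0000-0000-000000000000"       # assumption
REDIRECT_URI = "https://app.example.invalid/auth/callback"  # assumption
SCOPES = ["openid", "profile", "https://graph.microsoft.com/User.Read"]

# Constructed callback modelled on the query string quoted in the question.
SAMPLE_CANCEL_CALLBACK = (
    REDIRECT_URI
    + "?error=access_denied&error_subcode=cancel&state=XYZ"
    + "&error_description=AADSTS65004%3a+User+declined+to+consent+to+access+the+app."
)


def new_state():
    """Unguessable per-request state; keep it in the server-side session so the
    callback can be matched to the sign-in that started it (CSRF protection)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state, prompt=None):
    """v2.0 authorize URL.  'prompt' is only sent when the caller asks for it:
    prompt=consent re-raises the consent dialog on every sign-in, even after a
    Global Admin has already granted the permissions tenant-wide."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
    }
    if prompt is not None:
        params["prompt"] = prompt
    return f"{AUTHORITY}/{TENANT}/oauth2/v2.0/authorize?" + urlencode(params)


def parse_callback(url):
    """Flatten the callback query string; '+' and %xx are decoded by parse_qs.
    The AADSTS code is split off the front of error_description for matching."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    cb = {k: v[0] for k, v in qs.items()}
    desc = cb.get("error_description", "")
    cb["aadsts"] = desc.split(":", 1)[0] if desc.startswith("AADSTS") else None
    return cb


def next_step(cb, expected_state, retried):
    """Decide what the redirect endpoint does with a parsed callback.

    ("reject", reason)   state mismatch: drop the response, do not retry
    ("exchange", code)   success: redeem the code at the token endpoint
    ("retry", None)      first AADSTS65004/cancel (the "Back to App" case):
                         start one fresh sign-in without prompt=consent
    ("denied", message)  second AADSTS65004: the user really declined, or the
                         admin-consent request is still pending
    ("error", message)   any other error
    """
    if cb.get("state") != expected_state:
        return ("reject", "state mismatch; stale or forged callback")
    if "code" in cb:
        return ("exchange", cb["code"])
    if cb.get("error") == "access_denied" and cb.get("aadsts") == "AADSTS65004":
        if cb.get("error_subcode") == "cancel" and not retried:
            return ("retry", None)
        return ("denied", cb.get("error_description", "consent denied"))
    return ("error", f"{cb.get('error')}: {cb.get('error_description', '')}")


if __name__ == "__main__":
    state = "XYZ"  # in a real app: new_state(), saved in the session
    cb = parse_callback(SAMPLE_CANCEL_CALLBACK)
    print(next_step(cb, state, retried=False))   # ('retry', None)
    print(build_authorize_url(new_state()))      # note: no prompt= parameter
    print(next_step(cb, state, retried=True))    # ('denied', 'AADSTS65004: ...')
```

The retry is bounded to one attempt and is keyed on a `retried` flag that belongs in the session next to the stored `state`, so a tenant where the admin has not yet approved cannot bounce the browser between the app and the login page indefinitely. The new sign-in must use a freshly minted `state`; reusing the old one would let a captured callback URL be replayed.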