End users cannot authenticate to third-party app despite admin consent being granted

LoanOfficer AI Tech 20 Reputation points
2026-01-26T19:05:19.1133333+00:00

We have a multi-tenant application integrated with Microsoft Graph API that uses delegated permissions for Outlook Calendar and Email functionality.

Issue: One client organization has granted admin consent for our application (confirmed via email notification from Microsoft Security), but end users in that organization still cannot authenticate or access our application.

Context:

  • Multi-tenant Azure AD application using OAuth 2.0 authorization code flow
  • Required delegated permissions: Calendars.ReadWrite, Mail.Send, User.Read
  • Admin consent was successfully granted (confirmed via Microsoft Entra ID notification on January 13, 2026)
  • This issue only affects ONE client organization - all other clients can authenticate successfully
  • No errors appear in our application logs during authentication attempts

What We've Verified:

  ✓ Admin consent granted and confirmed
  ✓ Application is properly registered in our Azure tenant
  ✓ Same authentication flow works for 50+ other client organizations
  ✓ No authentication errors in our logs

Questions:

  1. What organizational-level policies could prevent end users from accessing a consented third-party application even after admin consent is granted?
  2. Which Conditional Access policies, Azure AD security defaults, or app governance settings should the client's IT team verify?
  3. Could Microsoft Defender for Cloud Apps policies block user access despite admin consent?
  4. What specific settings in the client's Microsoft Entra admin center should be checked to enable user authentication?

Troubleshooting Steps Attempted:

  • Verified the application appears in Enterprise Applications
  • Confirmed admin consent status shows "Granted"
  • Checked that no obvious Conditional Access policies are blocking

This appears to be a tenant-specific configuration issue rather than an application problem, as it's isolated to a single client organization.

Any guidance on what policies or settings could cause this behavior would be greatly appreciated.

Microsoft Security | Microsoft Identity Manager

Answer accepted by question author
  1. Q&A Assist
    2026-01-26T19:05:32.47+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    There are several organizational-level policies and settings that could prevent end users from accessing a consented third-party application, even after admin consent has been granted. Here are some potential areas to investigate:

    1. User Consent Settings: The tenant administrator may have disabled user consent for applications. This means that even if admin consent is granted, users may still be blocked from accessing the application unless specific permissions are set up correctly.
    2. Conditional Access Policies: The client's IT team should verify if there are any Conditional Access policies that might restrict access to the application based on user location, device compliance, or other criteria. Policies that require multi-factor authentication (MFA) or block access from certain networks could also be factors.
    3. Azure AD Security Defaults: If security defaults are enabled, they may enforce certain security measures that could affect user access to applications. These defaults can include requiring MFA for all users, which might not be configured properly for the application.
    4. App Governance Settings: Microsoft Defender for Cloud Apps policies could potentially block user access if there are specific governance rules set that restrict access to third-party applications, even with admin consent.
    5. Enterprise Applications Configuration: The client should check the application's settings in the Microsoft Entra admin center to ensure that there are no restrictions on user assignments or that the application is not set to require user assignment for access.
    6. Permissions Review: Confirm that the permissions granted are appropriate and that no additional permissions are required for end users that were not included in the admin consent.

    Given that this issue is isolated to a single client organization, it is likely a configuration issue within their tenant rather than a problem with the application itself. The IT team should thoroughly review these settings to identify any potential blocks to user authentication.


    1 person found this answer helpful.
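
An added example, not part of the question or the accepted answer: a Python check the client's IT team could run over Microsoft Graph output to test items 5 and 6 above (user assignment and tenant-wide consent coverage). The function name, the sample JSON and every id are constructed placeholders; the property names are those of the Graph `servicePrincipal` and `oauth2PermissionGrant` resources.

```python
import json

# Delegated scopes the application needs, as listed in the question.
REQUIRED_SCOPES = {"Calendars.ReadWrite", "Mail.Send", "User.Read"}

# Constructed sample data shaped like Graph v1.0 responses from the client tenant:
#   GET /servicePrincipals(appId='<app client id>')
#   GET /oauth2PermissionGrants?$filter=clientId eq '<service principal id>'
#   GET /servicePrincipals/<service principal id>/appRoleAssignedTo
SERVICE_PRINCIPAL = json.loads("""{
  "id": "sp-object-id-placeholder", "appId": "app-client-id-placeholder",
  "accountEnabled": true, "appRoleAssignmentRequired": true}""")
GRANTS = json.loads("""[
  {"clientId": "sp-object-id-placeholder", "consentType": "Principal",
   "principalId": "admin-user-id-placeholder",
   "scope": "Calendars.ReadWrite Mail.Send User.Read"},
  {"clientId": "sp-object-id-placeholder", "consentType": "AllPrincipals",
   "principalId": null, "scope": " User.Read Calendars.ReadWrite"}]""")
ASSIGNED = []  # no users or groups assigned to the enterprise application


def triage(sp, grants, assigned, required=REQUIRED_SCOPES):
    """Return tenant-side findings that can block users despite a 'Granted' status."""
    findings = []
    if not sp.get("accountEnabled", True):
        findings.append("sign-in disabled: accountEnabled is false")
    if sp.get("appRoleAssignmentRequired") and not assigned:
        findings.append("assignment required but no users or groups are assigned")
    tenant_wide, per_user = set(), set()
    for grant in grants:
        if grant.get("clientId") != sp["id"]:
            continue  # grant belongs to a different application
        scopes = set((grant.get("scope") or "").split())
        if grant.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes  # consent on behalf of the whole organization
        else:
            per_user |= scopes     # consent that covers one user only
    for scope in sorted(required - tenant_wide):
        reason = ("only consented for individual users"
                  if scope in per_user else "no grant found")
        findings.append(f"{scope}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in triage(SERVICE_PRINCIPAL, GRANTS, ASSIGNED):
        print(finding)
```

Conditional Access, security defaults and Defender for Cloud Apps policies are not visible in these three objects; the tenant's sign-in logs are where those blocks show up.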