
Admin Approval Required Issue Across Multiple Apps

Allyssa Jane Perez 0 Reputation points
2026-04-01T09:07:32.38+00:00

Hi everyone,

We’ve been running into an issue across multiple apps (Missive, Zapier, Granola) where users are blocked with an “admin approval required” prompt when trying to connect within our Microsoft environment.

We’ve already tried a few common fixes (reviewing enterprise app permissions, checking user consent settings, and attempting admin consent flows), but the issue is still persisting.

What we’re seeing:

  • Users are prompted with “Need admin approval” when signing into apps
  • This is happening across multiple third-party integrations, not just one app
  • Even after attempting admin approval, access is still inconsistent or blocked

What we’re trying to understand:

  • Are there specific Azure AD / Entra ID settings that commonly block these apps even after admin consent?
  • Is there a recommended best practice for enabling org-wide access to trusted apps like Zapier or Missive?
  • Could conditional access policies or security defaults be interfering with these approvals?

If anyone has run into this or has guidance on the correct admin-side configuration, we’d really appreciate the help.

Thanks in advance!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Raja Pothuraju 47,510 Reputation points Microsoft Employee Moderator
    2026-04-24T15:07:24.1866667+00:00

    Hey Allyssa,

    It sounds like you’re seeing the “Need admin approval” prompt across multiple third-party integrations (Missive, Zapier, Granola) even after you’ve run admin-consent flows. In my experience the usual suspects are:

    1. User consent settings still blocking non-verified apps
    2. Admin consent not fully applied at the service-principal level
    3. Conditional Access or Security Defaults kicking in post-login
    4. “User assignment required” turned on for the enterprise app

    Here’s a step-by-step you can try:

    1. Verify and re-grant tenant-wide admin consent
      • In the Azure portal go to Azure AD → Enterprise applications
      • Open each affected app, choose “Permissions” (or “API permissions”), then click “Grant admin consent for <YourTenant>”
      • Confirm all delegated and application permissions show as Granted
    2. Check your user-consent policy
      • Azure AD → Enterprise applications → User settings
      • Ensure “Users can consent to apps accessing company data on their behalf” is set to the level you want (All apps, selected apps, or none)
      • If you’ve locked down broad consent, consider pre-approving trusted apps via an admin-consent workflow or custom consent policy
    3. Review “User assignment required”
      • In Enterprise applications → select the app → Properties → set “User assignment required?” to No if you want org-wide access
      • Alternatively, assign the “All Users” group (or specific groups) under Enterprise applications → Users and groups
    4. Troubleshoot Conditional Access / Security Defaults
      • Go to Entra ID (Azure AD) → Sign-in logs
      • Find a failed sign-in for one of your test users, open the “Conditional Access” tab and see which policy blocked the session
      • If your policy is scoped to “All cloud apps,” either exclude these apps by name or narrow the policy scope to only cover Microsoft apps
      • Remember Security Defaults (if enabled) enforce basic CA rules too—consider disabling them if you’re managing your own CA policies
    5. Test again with one user, verify they no longer see the admin prompt

    References

    1. Configure how end-users consent to applications (user-consent settings) https://docs.microsoft.com/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal#user-consent-settings
    2. Grant tenant-wide admin consent to an application https://docs.microsoft.com/azure/active-directory/manage-apps/grant-admin-consent
    3. Configure the admin consent workflow https://docs.microsoft.com/azure/active-directory/manage-apps/configure-admin-consent-workflow
    4. Troubleshoot consent issues in Microsoft Entra ID https://learn.microsoft.com/troubleshoot/entra/entra-id/app-integration/troubleshoot-consent-issues?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#summary
    5. Conditional Access sign-in logs and policy troubleshooting https://docs.microsoft.com/entra/identity/conditional-access/sign-in-log
    6. Require user assignment for enterprise apps https://docs.microsoft.com/azure/active-directory/manage-apps/assign-user-or-group-access-portal#configure-an-application-to-require-user-assignment

    Hope this helps get things unstuck—let me know how it goes or if you hit any new roadblocks!

    Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.


  2. AI answer

    2026-04-01T09:08:07.0466667+00:00

    The behavior described matches Microsoft Entra consent and access controls blocking or re-prompting for consent across multiple apps. Several tenant and app-level settings can cause this, even after an admin has attempted consent.

    Key areas to check and typical fixes:

    1. Confirm admin consent is actually granted for each app
      • In Microsoft Entra admin center, for each affected app:
        • Go to Identity → Applications → Enterprise applications → [App] → Permissions.
        • Verify that the required delegated/application permissions are listed as Granted for [tenant].
      • If not, a Global/Privileged Role Administrator should explicitly select Grant admin consent for [Organization].
      • If using app registrations directly, the same can be done under App registrations → [App] → API permissions → Grant admin consent.
      • Missing admin consent is a primary cause of “Need admin approval” and AADSTS65001/AADSTS90094-type errors.
    2. Check if user assignment is required for the enterprise apps
      • Even with tenant-wide admin consent, users can still be blocked if the app requires assignment:
        • Go to Microsoft Entra ID → Enterprise applications → [App] → Properties.
        • Check User assignment required? / Assignment required.
        • If set to Yes, either:
          • Set it to No to allow all users, or
          • Explicitly assign users or groups under Users and groups.
      • If this is enabled and users are not assigned, they will see errors like “User is not assigned to a role for the application” and effectively be blocked even though consent was granted.
    3. Verify tenant-wide user consent settings and admin consent workflow
      • If user consent is disabled or restricted, non-admin users will be blocked from granting consent and see “Ask your admin” prompts.
      • In such cases, ensure:
        • Admin consent has been granted as above, and
        • If using the admin consent workflow, users are actually submitting requests and admins are approving them.
      • After approval, users should no longer see the consent dialog unless the app requests new permissions.
    4. Check for incremental/dynamic consent and new permissions
      • Many apps (including third-party SaaS) use incremental/dynamic consent to request additional scopes later.
      • If the app adds or changes permissions after initial consent, users can see new prompts or “Need admin approval” again.
      • For each affected app:
        • Compare the current permissions requested by the app with what is already consented.
        • If new scopes appear, an admin must grant consent again.
    5. Ensure the app is not forcing consent every sign-in
      • Some apps are configured to always show a consent prompt (for example, by using prompt=consent or similar behavior).
      • This is not best practice and can conflict with org policies where user consent is disabled.
      • If an app continues to prompt users even after admin consent is granted, contact the app publisher to confirm there is no setting that forces user consent on every sign-in.
    6. Confirm a service principal exists and is correctly configured
      • For each client app, there must be a corresponding Enterprise application (service principal) in the tenant.
      • If the service principal is missing or misconfigured, consent and token acquisition can fail with admin-approval errors.
      • Ensure the app appears under Enterprise applications and that permissions and assignment settings are configured there.
    7. Consider conditional access and security policies as a separate layer
      • Conditional Access policies do not directly cause consent prompts, but they can block sign-in or token issuance after consent, leading to an impression that consent “didn’t work.”
      • Common issues:
        • Device compliance requirements
        • Location-based restrictions
        • Risk-based policies
      • If users are blocked after consent, review Conditional Access policies targeting:
        • The specific cloud apps/resources the third-party app is calling (for example, Microsoft Graph, SharePoint, OneDrive), or
        • “All cloud apps.”
      • Work with the Entra administrator to either:
        • Ensure clients meet the policy requirements, or
        • Exclude the app or relevant service principals from specific policies where appropriate.
    8. Org-wide enablement best practices for trusted apps
      • For apps like Zapier or Missive that should be broadly available:
        1. Have a Global/Privileged Role Administrator perform tenant-wide admin consent for all required permissions.
        2. Ensure User assignment required is set to No for the enterprise app, unless access must be restricted to specific groups.
        3. If user consent is disabled tenant-wide, rely on admin consent only and avoid apps that force per-user consent each time.
        4. Periodically review the app’s permissions; if the vendor adds new scopes, repeat admin consent.
    9. Common root causes to check first in this scenario
      • User consent disabled + app forcing user consent.
      • Admin consent granted only for some scopes, but app later requests additional scopes.
      • User assignment required enabled but users/groups not assigned.
      • Missing or misconfigured service principal for the app.

    Following these checks across each affected app typically resolves persistent “Need admin approval” prompts and inconsistent access after admin consent.



    AI-generated content may be incorrect. Read our transparency notes for more information.
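The checks both answers describe (service principal present, consent recorded tenant-wide, user assignment) can be run offline against objects exported from Microsoft Graph (`/servicePrincipals`, `/oauth2PermissionGrants`, `/servicePrincipals/{id}/appRoleAssignedTo`). The sketch below is an added example, not code from either answer or from Microsoft; the `diagnose` helper, the IDs and the sample records are constructed for illustration, and group-based assignments are not expanded.

```python
# Added example: triage exported Microsoft Graph objects for one app and one user.
# All IDs and records below are constructed sample data, not real tenant values.

def diagnose(app_name, requested_scopes, sp, grants, assignments, user_id):
    """Return likely causes of 'Need admin approval' or blocked access.

    sp          -- servicePrincipal object, or None if the enterprise app is absent
    grants      -- oauth2PermissionGrant objects exported from the tenant
    assignments -- appRoleAssignedTo entries for this service principal
    """
    if sp is None:
        return [f"{app_name}: no service principal (enterprise app) in tenant"]
    findings = []
    tenant_wide, per_user = set(), set()
    for g in grants:
        if g["clientId"] != sp["id"]:
            continue  # grant belongs to a different client app
        scopes = set((g.get("scope") or "").split())
        if g["consentType"] == "AllPrincipals":   # tenant-wide admin consent
            tenant_wide |= scopes
        elif g.get("principalId") == user_id:     # consent for this user only
            per_user |= scopes
    # Scopes the app asks for that neither grant type covers for this user.
    missing = set(requested_scopes) - tenant_wide - per_user
    if missing:
        findings.append(f"{app_name}: scopes without consent for this user: {sorted(missing)}")
    # Assumption: direct user assignments only; group membership is not resolved.
    assigned = any(a["principalId"] == user_id for a in assignments)
    if sp.get("appRoleAssignmentRequired") and not assigned:
        findings.append(f"{app_name}: assignment required but user not assigned")
    return findings

# Constructed sample: consent for two scopes was recorded for the admin's own
# account (consentType "Principal") instead of tenant-wide ("AllPrincipals").
SP = {"id": "sp-0001", "displayName": "Example Connector", "appRoleAssignmentRequired": True}
GRANTS = [
    {"clientId": "sp-0001", "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile User.Read"},
    {"clientId": "sp-0001", "consentType": "Principal", "principalId": "user-admin",
     "scope": " Mail.Read offline_access"},
]
ASSIGNMENTS = [{"principalId": "user-admin"}]
REQUESTED = ["openid", "profile", "User.Read", "Mail.Read", "offline_access"]

if __name__ == "__main__":
    for uid in ("user-admin", "user-alice"):
        print(uid, diagnose(SP["displayName"], REQUESTED, SP, GRANTS, ASSIGNMENTS, uid))
```

With this sample the admin account reports nothing while the ordinary user is missing two scopes and an assignment, which matches the "works for the admin, still blocked for users" pattern in the question.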
