Having allowed user consent for apps, how do I determine why admin consent is still necessary for users to log in to the app?

Logan Young 6 Reputation points
2021-12-20T07:44:18.22+00:00

I've created an app into which I can log in with my account.

Certain parts of the app are intended for guest users to work with so I managed to get guest workers added via invites and having them added to the appropriate user groups.

Problem now is that the user that's been invited, can't log in on the app:

<Redacted> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

Having googled this message, I found azure-ad-app-need-admin-approval-error-app-needs-permission-to-access-resources on Stackoverflow which indicates that I need to make sure I'm granting user consent for apps (or enabling users to request consent from admin - this would be suboptimal, however).

In Azure > Enterprise applications > Consent and permissions > User consent settings, the selected option for "User consent for applications" is "Allow user consent for apps"

With that set, how do I determine what permission the app apparently needs that the user can't consent to? All App Permissions are granted admin consent so I'm at a loss.

Thanks in advance!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2021-12-21T00:58:04.033+00:00

    There are many permissions for which standard users can provide consent but if the application needs higher level permissions with which changes can be made to the directory, the message you copied is displayed and only the Global Administrator can grant those permissions. For example, granting "Directory.ReadWrite.All" requires admin consent.

    This permissions article describes which directory permissions require admin consent. You can review permissions granted to apps under Enterprise Applications > Permissions.

    If this is a microsoft.com tenant, you can open a request here.

    Let me know if this helps at all.


  2. Philippe Signoret (Microsoft) 406 Reputation points Microsoft Employee
    2022-01-03T11:54:15.73+00:00

    There are two questions you need to answer:

    1. Why is consent required?
    2. Why is the user unable to consent?

    ## Why is consent required?

    In general, there are two reasons why consent might be required when a user signs in to an app:

    • The app is requesting permissions which haven't been granted on behalf of the user signing in. Keep in mind that an application can dynamically request any permission, so it's possible the app is requesting a permission which isn't in the list of permissions which were already granted by "the global admin guy". One way to address this is to enable the admin consent request workflow. When a user is not allowed to consent and requests admin consent, whatever permissions the app was requesting at that point will be captured in the admin consent request which can then be evaluated and possibly granted by an admin.
    • The app is forcing the user to be prompted for consent, using the prompt=consent request parameter. Usually, this is a mistake in how the app is configured/coded, as there are almost no situations where doing this is useful. You can read more about all the reasons why an app might be doing this (and why it's probably the wrong approach) here: https://stackoverflow.com/a/60151790/325697

    ## Why is the user unable to consent?

    There are a few possibilities:

    • The app is requesting permissions the user is not authorized to grant. Even when user consent is fully enabled (which is not recommended), many permissions cannot be granted by a non-admin user because they're configured to require admin consent.
    • The app requires assignment. Users are not allowed to grant consent for apps which have been configured (by the app's customer) to require assignment, even if the user is assigned to the app. All apps which require assignment need to be granted permissions by an admin, on behalf of all users.
    • The consent prompt was considered risky and admin consent is required as a safety measure. If this is the reason consent was required, there will be a "Consent to application" audit event in the Azure AD audit logs with "Risky application detected" as the status reason.

    For all of these, configuring the admin consent request workflow will help capture the precise requested permissions and allow an admin to review/grant them.

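The checks in the answer above, written out as a small offline triage script. This is an added example, not code from the thread or from Microsoft: it takes the `scope` parameter of the app's /authorize request, the tenant-wide grants already made for the app, the resource's published delegated scopes, the app's service principal and a handful of audit entries, and reports why consent was required and why the user could not give it. The field names mirror the Microsoft Graph objects involved (`oauth2PermissionScopes[].value`/`type`, `oauth2PermissionGrants[].consentType`/`scope`, `servicePrincipal.appRoleAssignmentRequired`, `directoryAudits[].activityDisplayName`/`resultReason`), but every record below is constructed for the example and would normally be fetched with Graph or the Entra portal; the "Risky application detected" match on `resultReason` is an assumption about where the portal's status reason surfaces in the API.

```python
"""Triage for "needs permission to access resources ... only an admin can grant".

Added example, not from the Q&A thread. Runs the checks from the answer above
against constructed, Graph-shaped records so it works offline.
"""

# Constructed: delegated scopes published by the resource API. Graph marks a
# scope type == "Admin" when only an admin can consent to it, "User" otherwise.
RESOURCE_SCOPES = [
    {"value": "User.Read", "type": "User"},
    {"value": "offline_access", "type": "User"},
    {"value": "Directory.ReadWrite.All", "type": "Admin"},
    {"value": "Group.ReadWrite.All", "type": "Admin"},
]

# Constructed: tenant-wide grants an admin already made for the client app
# (what "Enterprise applications > Permissions" shows as admin consent).
GRANTS = [
    {"consentType": "AllPrincipals", "scope": "User.Read offline_access"},
]

# Constructed: the client app's service principal, with "User assignment
# required" switched on.
CLIENT_SP = {"displayName": "Guest Portal", "appRoleAssignmentRequired": True}

# Constructed: audit entries around the failed sign-in. The resultReason
# field is assumed to carry the portal's "Risky application detected" reason.
AUDIT = [
    {"activityDisplayName": "Consent to application", "result": "failure",
     "resultReason": "Risky application detected"},
    {"activityDisplayName": "Add user", "result": "success", "resultReason": ""},
]


def requested_scopes(scope_param):
    """Split the `scope` query parameter of an /authorize request, dropping the
    resource prefix (https://graph.microsoft.com/User.Read -> User.Read) and the
    OIDC scopes that never trigger a consent prompt on their own."""
    out = []
    for s in scope_param.split():
        s = s.rsplit("/", 1)[-1]
        if s not in ("openid", "profile", "email") and s not in out:
            out.append(s)
    return out


def ungranted(requested, grants):
    """Scopes the app asks for that no tenant-wide (AllPrincipals) grant covers.
    With dynamic consent this list can hold scopes nobody granted up front."""
    granted = set()
    for g in grants:
        if g["consentType"] == "AllPrincipals":
            granted.update(g["scope"].split())
    return [s for s in requested if s not in granted]


def admin_only(scopes, resource_scopes):
    """Subset of `scopes` whose publisher marks them type == "Admin"."""
    admin = {r["value"] for r in resource_scopes if r["type"] == "Admin"}
    return [s for s in scopes if s in admin]


def risky_consent_events(audit):
    """Audit entries where the consent prompt itself was judged risky."""
    return [e for e in audit
            if e["activityDisplayName"] == "Consent to application"
            and "Risky application detected" in e.get("resultReason", "")]


def triage(scope_param, sp, grants, resource_scopes, audit, prompt=None):
    """Return why consent was required and why the user could not grant it,
    in the order the answer above lists the causes."""
    req = requested_scopes(scope_param)
    missing = ungranted(req, grants)
    why_required = []
    if missing:
        why_required.append("ungranted scopes: " + " ".join(missing))
    if prompt == "consent":  # app sends prompt=consent on every sign-in
        why_required.append("app forces prompt=consent")
    why_blocked = []
    needs_admin = admin_only(missing, resource_scopes)
    if needs_admin:
        why_blocked.append("admin-consent-only scopes: " + " ".join(needs_admin))
    if sp.get("appRoleAssignmentRequired"):
        why_blocked.append("app requires assignment; only admins can consent")
    if risky_consent_events(audit):
        why_blocked.append("consent flagged as risky; admin consent required")
    return {"requested": req, "ungranted": missing,
            "why_required": why_required, "why_blocked": why_blocked}


if __name__ == "__main__":
    SCOPE = ("openid profile https://graph.microsoft.com/User.Read "
             "https://graph.microsoft.com/Directory.ReadWrite.All offline_access")
    for k, v in triage(SCOPE, CLIENT_SP, GRANTS, RESOURCE_SCOPES, AUDIT).items():
        print(f"{k}: {v}")
```

The `scope` parameter is the one input the portal will not show you: capture it from the browser's network trace of the failed sign-in (or from the admin consent request, if that workflow is enabled) and feed it in, since the grant list under Enterprise applications > Permissions only reflects what was consented to, not what the app is asking for now.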
