Admin approval is requested when trying to authorize a user but admin has already approved

Rodrigo Brechard 1 Reputation point
2022-09-08T20:11:43.533+00:00

I am trying to get access on behalf of a user for the Educational API. To do so, I am following the guide at https://learn.microsoft.com/en-us/graph/auth-v2-user . Since I am using Educational APIs, admin approval is needed for any user. Therefore, to create the link for the admin, I follow the guide here: https://learn.microsoft.com/en-us/graph/api/resources/education-overview?view=graph-rest-1.0

I then granted access with the Global admin user and it returned to the redirect URL with admin_consent=True. I verified the audit logs and the grant was successful. I then followed the authorization request with a user from the same tenant.

and it showed the screen with error:
Need admin approval
unverified
needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

I have also verified that permissions are granted (screenshot: 239261-screenshot-from-2022-09-08-22-08-21.png).

Also, Admin Consent Workflow is not enabled in the tenant. And the user consents are the following:
Allow user consent for apps
All users can consent for any app to access the organization's data.

Allow group owner consent for all group owners
All group owners can allow applications to access data for the groups they own.

I contacted support about it, and after all checks possible I was told to open this Q&A.

I hope I can get some help,
Thanks


1 answer

  1. Shweta Mathur 29,746 Reputation points Microsoft Employee
    2022-09-09T10:10:52.12+00:00

    Hi @Rodrigo Brechard ,

    Thanks for reaching out.

    I understand you are trying to authenticate the application with the Educational API and are getting "Need admin approval" even though permissions are granted by the admin.

    I tried to repro the scenario with the permissions and settings mentioned by you using the authorization code flow and was able to get the access token successfully with the required permissions.

    239432-image.png

    Below are the settings in my organization

    240071-image.png

    240043-image.png

    The only difference I can see with yours is that your application is registered in the Default directory. Are you accessing the Azure portal using your personal account? I replicated that scenario as well in my lab with a personal account and was able to authenticate the user with the required permissions.

    Could you please verify again the settings of your tenant as mentioned above?
    Are you facing a similar issue for other applications as well?
    Also, could you check that the URL you access doesn't have prompt=admin_consent, which requires admin approval?

    Thanks,
    Shweta
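
The URL check suggested in the answer above, as an added Python example (not part of the original thread and not Microsoft's code): it parses a sign-in URL and reports a `prompt=admin_consent` parameter, use of the admin consent endpoint, and requested scopes that are missing from the list an admin granted. The tenant, client ID, scope names and granted list are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qs

GRAPH_PREFIX = "https://graph.microsoft.com/"
# OpenID Connect scopes; assumed here not to need admin consent.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

def check_authorize_url(url, admin_granted):
    """Return findings that can explain a 'Need admin approval' screen."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)  # decodes %20 and + in the scope list
    findings = []

    if parts.path.rstrip("/").endswith("/adminconsent"):
        findings.append("URL targets the admin consent endpoint, not /authorize")

    prompts = {p.lower() for v in params.get("prompt", []) for p in v.split()}
    if "admin_consent" in prompts:
        findings.append("prompt=admin_consent forces the admin approval screen")

    # Compare case-insensitively, with the Graph resource prefix stripped.
    granted = {s.lower() for s in admin_granted}
    requested = set()
    for value in params.get("scope", []):
        for scope in value.split():
            if scope.startswith(GRAPH_PREFIX):
                scope = scope[len(GRAPH_PREFIX):]
            requested.add(scope.lower())
    missing = sorted(requested - OIDC_SCOPES - granted)
    if missing:
        findings.append("scopes not covered by the admin grant: " + ", ".join(missing))
    return findings

# Constructed sample input: placeholder tenant, client ID and scopes.
SAMPLE_URL = (
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Flocalhost%2Fcallback"
    "&scope=openid%20EduRoster.ReadBasic%20"
    "https%3A%2F%2Fgraph.microsoft.com%2FEduAssignments.ReadBasic"
    "&prompt=admin_consent"
)
SAMPLE_GRANTED = ["EduRoster.ReadBasic"]  # what the admin grant is assumed to cover

if __name__ == "__main__":
    for finding in check_authorize_url(SAMPLE_URL, SAMPLE_GRANTED):
        print("-", finding)
```

An empty result means the URL itself does not explain the prompt, which points back to the tenant consent settings.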

