Admin approval is requested when trying to authorize a user but admin has already approved

Rodrigo Brechard 1 Reputation point

I am trying to get access on behalf of a user for the Educational API. To do so I am following the guide on: . Since I am using Educational APIs, admin approval is needed for any user. Therefore, to create the link for the admin, I follow the guide here:

I then granted access with the Global admin user and it returned to the redirect URL with admin_consent=True. I verified the audit logs and the grant was successful. I then followed the authorization request with a user from the same tenant.

and it showed the screen with error:
Need admin approval
needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

I have also verified that permissions are granted.

Also, Admin Consent Workflow is not enabled in the tenant. And the user consents are the following:
Allow user consent for apps
All users can consent for any app to access the organization's data.

Allow group owner consent for all group owners
All group owners can allow applications to access data for the groups they own.

I contacted support about it, and after all checks possible I was told to open this Q&A.

I hope I can get some help,


1 answer

  1. Shweta Mathur 19,866 Reputation points Microsoft Employee

    Hi @Rodrigo Brechard ,

    Thanks for reaching out.

    I understand you are trying to authenticate the application with Educational API and getting "Need admin approval" even though permissions are granted by Admin.

    I tried to repro the scenario with the permissions and settings mentioned by you using the authorization code flow and was able to get the access token successfully with the required permissions.


    Below are the settings in my organization


    The only difference I can see from yours is that your application is registered in the Default directory. Are you accessing the Azure portal using your personal account? I replicated that scenario as well in my lab with a personal account and was able to authenticate the user with the required permissions.

    Could you please verify the settings of your tenant again, as mentioned above?
    Are you facing a similar issue for other applications as well?
    Also, could you check that the URL you access doesn't have prompt=admin_consent, which requires admin approval?
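
A small checker for the user sign-in URL, covering the `prompt=admin_consent` check suggested in the answer above (an added example, not part of the thread and not Microsoft's code). The `prompt=consent` flag and the comparison of requested scopes against the admin-granted list go beyond the answer and are assumptions about other causes of the same screen; the tenant, client ID, redirect URI and scope list in the sample are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# "admin_consent" is the value named in the answer. "consent" is an assumption:
# a forced consent screen also fails for a user who cannot consent themselves.
FORCED_CONSENT_PROMPTS = {"admin_consent", "consent"}
# Scope tokens that are not compared against the granted list.
NOT_COMPARED = {"openid", "profile", "email", "offline_access", ".default"}

# Constructed sample: placeholder tenant, client ID and redirect URI.
SAMPLE_URL = (
    "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
    "?client_id=CLIENT_ID&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid%20EduRoster.ReadBasic%20EduAssignments.ReadBasic"
    "&prompt=admin_consent"
)


def review_authorize_url(url, granted_scopes):
    """Return findings for a sign-in URL; granted_scopes is the list of
    permissions the admin already consented to (supplied by the caller)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)  # decodes %20 and keeps repeated parameters
    findings = []

    # The admin consent link and the user sign-in link are different endpoints.
    if parts.path.rstrip("/").lower().endswith("/adminconsent"):
        findings.append("endpoint: admin consent link used for a user sign-in")

    for value in params.get("prompt", []):
        for token in value.lower().split():
            if token in FORCED_CONSENT_PROMPTS:
                findings.append(f"prompt: '{token}' forces a consent screen")

    granted = {s.lower() for s in granted_scopes}
    for value in params.get("scope", []):
        for scope in value.split():  # scopes are space-delimited
            name = scope.rsplit("/", 1)[-1]  # drop a resource URL prefix
            if name.lower() not in granted | NOT_COMPARED:
                findings.append(f"scope: '{name}' requested but not granted")
    return findings


if __name__ == "__main__":
    for finding in review_authorize_url(SAMPLE_URL, ["EduRoster.ReadBasic"]):
        print(finding)
```
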