Application requires admin consent, it keeps getting approved but nothing

Ron Danenberg 0 Reputation points
2025-02-19T10:40:20.8933333+00:00

Hello,

One of our enterprise clients on Microsoft is trying to do the OAuth flow for our application ID but is facing an approval wall.

The user is prompted with the window 'Approval required'. They fill in the 'Enter justification for requesting this app' field and click 'Request approval'. It goes to their Microsoft 365 admin, who approves it (they have done it a dozen times already), but the user still cannot log in.

On the other hand, when an admin tries to log in, they have the option 'Consent on behalf of your organization' and can then connect successfully. But for the normal user, still nothing: they keep getting the Microsoft 'Approval Required' form.

Our application is requesting the following scopes: ['offline_access', 'openid', 'profile', 'EWS.AccessAsUser.All', 'Mail.ReadWrite', 'Mail.Send']

We are making the OAuth process via the URL https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=consent

We use ?prompt=consent as described here: https://learn.microsoft.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant#admin-consent

In "App Registrations > Manage > Authentication" on Azure Portal we have selected "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)".

Could you guide us on what issue is leading to our user not being able to log in? They are not the only one who has this issue (already the fourth one). It is very frustrating.


2 answers

  1. Jose Benjamin Solis Nolasco 236 Reputation points
    2025-02-19T18:12:06.6633333+00:00

    Since admins can log in successfully, it suggests that consent is still required at an organizational level. Try granting consent for all users explicitly:

    1. Have the Microsoft 365 admin visit this URL (replace {tenant_id} with the client's tenant ID and {client_id} with your application ID):

         https://login.microsoftonline.com/{tenant_id}/adminconsent?client_id={client_id}

    2. The admin should grant consent for the entire organization instead of per-user approval.
    3. Once this is done, users should be able to authenticate without hitting the approval screen again.

    Also, you need to check this:

    Even after approval, users may not have proper access due to an issue in Enterprise Applications.

    • In Microsoft Entra ID > Enterprise Applications, find your application.
    • Under Permissions, check if the requested permissions are granted organization-wide.
      • If permissions still show "Needs admin approval", try re-granting them at the Admin consent section.

    Your OAuth URL currently uses prompt=consent. This forces the user to see the consent prompt every time, which may be problematic if the user's consent is not stored properly. Try removing it and using the default behavior.

    Instead of:

        https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=consent

    Use:

        https://login.microsoftonline.com/common/oauth2/v2.0/authorize


    This ensures that the process does not unnecessarily force a consent prompt.

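    As an added example (not code from the question or from this answer), the two links this answer distinguishes, built for a multitenant app, plus validation of the redirect that comes back from the admin consent endpoint. It follows the Microsoft identity platform documentation for the `organizations` tenant value, the resource-qualified Graph scope names and the `admin_consent`/`tenant` callback parameters; the client ID, redirect URI and tenant values are placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
# Scopes from the question. Graph scopes are resource-qualified for the
# admin consent request; the authorize request accepts the short form.
OIDC_SCOPES = ["openid", "profile", "offline_access"]
GRAPH_SCOPES = ["EWS.AccessAsUser.All", "Mail.ReadWrite", "Mail.Send"]


def new_state() -> str:
    # Unguessable value tied to the browser session; checked on the callback.
    return secrets.token_urlsafe(32)


def admin_consent_url(client_id, redirect_uri, state, tenant="organizations"):
    """One-time link for the customer's admin. A third-party app that does not
    know the customer's tenant id uses 'organizations' (or 'common'); Entra
    sends the admin to their own tenant."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state,
              "scope": " ".join(f"https://graph.microsoft.com/{s}" for s in GRAPH_SCOPES)}
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def user_authorize_url(client_id, redirect_uri, state, tenant="common"):
    """Everyday sign-in link: no prompt=consent. Once tenant-wide consent
    exists, members are not sent to the 'Approval required' form."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": " ".join(OIDC_SCOPES + GRAPH_SCOPES), "state": state}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_admin_consent_callback(callback_url, expected_state):
    """Validate the redirect back from the adminconsent endpoint and return
    the consenting tenant id; refuse anything that is not a clean grant."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    if "error" in qs:
        raise PermissionError(qs.get("error_description", qs["error"])[0])
    if qs.get("admin_consent", [""])[0].lower() != "true":
        raise PermissionError("admin did not grant tenant-wide consent")
    return qs["tenant"][0]  # record per customer; use it as the authority later
```

    Store the returned tenant id with the customer record: later sign-ins for that customer can then use it in place of `common`.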

  2. Ron Danenberg 0 Reputation points
    2025-02-19T18:25:15.8233333+00:00

    Hi Jose,

    Thank you for your quick reply. Much appreciated.

    (1) Regarding the tenant ID in the URL, how can this be done, considering that we are a third-party application? We do not know the tenant ID of the organization connecting. They click on "Connect" and immediately get redirected to Microsoft for the OAuth flow.

    (2) If we do not include ?prompt=consent, there will be an error message (please review this article: https://learn.microsoft.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant#admin-consent). So does that mean we need two buttons: one for admins that passes ?prompt=consent and another one for the actual users?
