Sushrut Paranjape

Reputation: 547

Azure AD app Need admin approval error: App needs permission to access resources in your organization that only an admin can grant

We have an Azure AD app used for authenticating to APIs. We use permissions like offline_access, openid, profile, User.Read etc. and have already granted admin consent. This has been working for 1 year without any issues. This week, we received 4-5 complaints from external users about the error:

Need admin approval

App needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

  1. It is not related to a particular external user from a particular organization; other users from the same organization don't get this error.

  2. This error occurs only for new external users; we haven't yet received any issues from existing external users.

  3. The admin granted admin consent again after the error was reported, but the users still get the same error message.

I went through a few other questions with the same error. But since the configuration has been working for the past year, I am a bit confused. During this period we have had a lot of external users without any issue.

What configuration should I check to resolve this? Or is there any update in Azure AD default settings?

Upvotes: 7

Views: 54659

Answers (2)

Minii

Reputation: 1

Please note that consent phishing attacks are highly emerging these days. So, as an admin, we should think about granting users permission to consent to other applications in our Office 365. You can refer to the blog manage user consent to apps to know the ways to approve the applications that users requested.

Also, please don't get upset about the existing applications that were approved by users without your concern. You can now review the permissions granted to apps in Office 365 and take remediation immediately if you find an unnecessary application.

Upvotes: 0

Ansuman Bal

Reputation: 11401

  • Check if Allow users to consent to apps accessing company data on their behalf is set to No in Enterprise Applications > User settings.

    If it is set to No, then please toggle it to Yes. This option lets users decide by themselves whether they want to grant a given app access to everyone in their organization.

From Microsoft’s official documentation: If this option is set to yes, then users may consent to allow applications which are not published by Microsoft to access your organization’s data, if the user also has access to the data. This also means that the users will see these apps on their Access Panels. If this option is set to no, then admins must consent to these applications before users may use them.

  • Check if Allow users to request admin consent to apps they are unable to consent to is set to No.

    If it is set to No, then toggle it to Yes as well. If your organization decides that users indeed must have explicit approval, this option makes it easy for those users to request approval.

    To enable this option, click on User settings (same as in the previous step) and then toggle Admin consent requests to "Yes". Make sure to Save your changes, which may take a few minutes to propagate.

From Microsoft Documentation: If this option is set to yes, then users request admin consent to any app that requires access to data they do not have the permission to grant. If this option is set to no, then users must contact their admin to request to consent in order to use the apps they need.


Note: If this setting is done in your app's tenant, please also check the external users' tenant, as this needs to be done on their side as well: while trying to use the app, your app will retrieve the user profile etc. from the user's tenant.

  • Add Priority Matrix as an Enterprise Application (org-wide)

    If your AAD administrator decides that everyone in your organization should get access to Priority Matrix, they can follow these steps:

    From the “Enterprise Applications” view, click on All Applications

    Select + New Application to set up Priority Matrix with Azure AD authentication

    Search “Priority Matrix” and proceed to configure the app with AD authentication


Note: If you still face the issue, please reach out to an Azure support engineer for assisted support by clicking on Help + support and creating a technical support request, as it may need live troubleshooting.

Upvotes: 8
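The two portal toggles in the answer above map to tenant policies that can be read and changed with the Microsoft Graph PowerShell SDK, which is what an admin would use to check the setting in the external user's home tenant as well as in the app tenant. The script below is an added example, not code from either answer; it assumes the Microsoft.Graph module is installed, that the caller can update authorization and admin consent request policies, and that `REVIEWER-OBJECT-ID` is a placeholder for a real user object id. It prefers the "verified publishers, low-impact permissions" option over the legacy "allow all" option, which is the setting the consent-phishing concern in the other answer is about.

```powershell
# Added example: check and adjust user-consent settings with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module; REVIEWER-OBJECT-ID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.Read.All"

# 1. "Allow users to consent to apps accessing company data on their behalf"
#    is stored as PermissionGrantPoliciesAssigned on the authorization policy:
#      (empty)                                                     -> No
#      ManagePermissionGrantsForSelf.microsoft-user-default-low    -> verified publishers, low-impact only
#      ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> Yes, any app and permission
$authz    = Get-MgPolicyAuthorizationPolicy
$assigned = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
Write-Host "User consent policies assigned: $($assigned -join ', ')"

if ($assigned.Count -eq 0) {
    # User consent is disabled: every app a user has not been granted yet
    # produces "Need admin approval". Re-enable the low-impact option rather
    # than the legacy setting, which also allows high-privilege consent.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
    }
    Write-Host "Enabled user consent for verified publishers / low-impact permissions."
}
elseif ($assigned -contains "ManagePermissionGrantsForSelf.microsoft-user-default-legacy") {
    Write-Warning "Legacy 'allow all' user consent is on; consider the low-impact policy instead."
}

# 2. "Allow users to request admin consent to apps they are unable to consent to"
#    is the admin consent request policy. Enabling it gives users a request path
#    instead of the dead-end error message in the question.
$acr = Get-MgPolicyAdminConsentRequestPolicy
Write-Host "Admin consent requests enabled: $($acr.IsEnabled)"

if (-not $acr.IsEnabled) {
    Update-MgPolicyAdminConsentRequestPolicy -IsEnabled -NotifyReviewers -RemindersEnabled `
        -RequestDurationInDays 30 `
        -Reviewers @(@{ Query = "/users/REVIEWER-OBJECT-ID"; QueryType = "MicrosoftGraph" })
    Write-Host "Enabled admin consent requests; reviewers will be notified of new requests."
}
```

For a multi-tenant app, the policy that matters for an external user is the one in that user's home tenant, so their admin needs to run the same check there.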
