Multi-tenant app with delegated permissions that shouldn't require admin consent is still requesting consent. Why?

Calcul8or 6 Reputation points
2020-11-05T05:07:52.483+00:00

I've created an app and registered it on Azure AD as a multi-tenant app, and granted the following delegated permissions that do not require admin consent:

  • Calendars.ReadWrite
  • offline_access
  • openid
  • profile
  • User.Read
  • User.ReadWrite

I've also created sample users in Office 365 Developer, and am using one of those users to test my app's integration with Outlook. Each time the user tries to connect with Outlook via my app, the following message is displayed with no means to move forward. The only option they have is to return to my app without granting permissions, which is completely useless as far as this integration is concerned.

37537-admin-consent.png

Why is this happening? The user doesn't need admin approval for any of the (delegated) permissions listed above, which may mean that there is something wrong in the way I have set up my app in Azure AD.

I have also set "users can request admin consent to apps they are unable to consent to" to "yes" in Enterprise Apps > User Settings > Admin consent requests (Preview).

Any urgent assistance with this will be highly appreciated.

Microsoft Entra ID

2 answers

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-11-05T06:38:04.257+00:00

    Hello @Calcu80r-4819, thank you for reaching out. This issue comes up because of something called illicit consents.
    I just posted an answer on this following thread: https://learn.microsoft.com/en-us/answers/questions/132547/successfull-admin-consent-but-user-is-blocked-sett.html?childToView=152195#answer-152195

    This issue happens because of something called Risk-based Step-up consent.

    Risk-based step-up consent helps reduce user exposure to malicious apps making illicit consent requests. If Microsoft detects a risky end-user consent request, the request will require a "step-up" to admin consent instead. This capability is enabled by default, but it will only result in a behavior change when end-user consent is enabled.
    When a risky consent request is detected, the consent prompt will display a message indicating that admin approval is needed.

    So it is expected that this will happen to some apps, if they meet our criteria. This is documented as one of the "unexpected consent errors" here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error

    AADSTS90093: <clientAppDisplayName> is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf.
    AADSTS90094: <clientAppDisplayName> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

    That said, if this is a valid, non-malicious app, we do want to make sure the developer is not blocked on this going forward.

    In order to get them unblocked immediately, the consent request can be sent to an admin for review and potential approval.

    References: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error

    I am looking for some more insights on this and I will keep you posted with the next set of details. For now, you can try two things:

    1. Try to make the app verified, by adding a verified domain to your tenant
    2. Try enabling the option:

    37577-adminconsent.png

    But before trying those options mentioned above, since I am not sure of the actual error message in your case, I would also like you to try the following option:
    37557-consentpermissions.png

    You can find these settings under "Home > {Tenant-Name} > Enterprise Applications > Consents and Permissions" and select the option as mentioned in the screenshot above.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

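As an added example (not code from this thread or from Microsoft), the following Python shows what the answer above describes from the app's side: request the delegated scopes listed in the question, recognise the AADSTS90093/AADSTS90094 "needs admin consent" outcome in the OAuth redirect, and hand the request to an admin via the Microsoft identity platform v2.0 admin consent endpoint (`/v2.0/adminconsent`). The client ID, redirect URI, tenant and the callback URLs are placeholders and constructed samples; the state check is included because an app that redirects admins to a consent page must not let an attacker forge that round trip.

```python
"""Handle the step-up-to-admin-consent outcome (AADSTS90093 / AADSTS90094).

Added example, not the original poster's code. Assumes the Microsoft identity
platform v2.0 endpoints; CLIENT_ID / REDIRECT_URI and the sample callback
URLs below are placeholders / constructed data, not real values.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"

# Delegated scopes from the question: three OpenID Connect scopes plus the
# Microsoft Graph permissions that normally need only user consent.
SCOPES = ["openid", "profile", "offline_access",
          "User.Read", "User.ReadWrite", "Calendars.ReadWrite"]

# Error codes cited in the answer: the signed-in user is not allowed to grant
# the requested permissions, so an administrator has to consent instead.
STEP_UP_CODES = {"AADSTS90093", "AADSTS90094"}
_AADSTS_RE = re.compile(r"\bAADSTS\d{5}\b")


def build_authorize_url(client_id, redirect_uri, state, tenant="common"):
    """Authorization-code request for a multi-tenant app (v2.0 endpoint)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def classify_callback(callback_url, expected_state):
    """Classify the redirect back to the app.

    Returns ("ok", code), ("admin_consent_required", aadsts) or ("error", detail).
    Raises ValueError when the state does not match the one we issued, which
    is treated as a forged or stale request rather than an Azure AD error.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale request")
    if "code" in qs:
        return ("ok", qs["code"][0])
    description = qs.get("error_description", [""])[0]
    match = _AADSTS_RE.search(description)
    aadsts = match.group(0) if match else None
    if aadsts in STEP_UP_CODES:
        return ("admin_consent_required", aadsts)
    return ("error", aadsts or qs.get("error", ["unknown"])[0])


def build_admin_consent_url(client_id, redirect_uri, state, tenant="organizations"):
    """URL to send an administrator to so they can consent on the tenant's behalf.

    Using the same scope list keeps the grant limited to what the app
    actually needs; an admin should not be asked for more than the user was.
    """
    params = {
        "client_id": client_id,
        "scope": " ".join(SCOPES),
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def admin_consent_granted(callback_url, expected_state):
    """True when the admin consent endpoint redirected back with admin_consent=True."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on admin consent callback")
    return "error" not in qs and qs.get("admin_consent", ["False"])[0] == "True"


# Constructed sample callbacks (placeholder values, not captured traffic).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost:5000/auth/callback"
STATE = "xyz123"
OK_CALLBACK = f"{REDIRECT_URI}?code=0.AXYZabc&state={STATE}"
STEP_UP_CALLBACK = (
    f"{REDIRECT_URI}?error=access_denied"
    "&error_description=AADSTS90094%3A+Calcul8or+needs+permission+to+access"
    "+resources+in+your+organization+that+only+an+admin+can+grant."
    f"&state={STATE}"
)
ADMIN_OK_CALLBACK = f"{REDIRECT_URI}?admin_consent=True&tenant=contoso&state={STATE}"

if __name__ == "__main__":
    print(build_authorize_url(CLIENT_ID, REDIRECT_URI, STATE))
    outcome = classify_callback(STEP_UP_CALLBACK, STATE)
    if outcome[0] == "admin_consent_required":
        print("admin consent needed:", build_admin_consent_url(CLIENT_ID, REDIRECT_URI, STATE))
    print("admin granted:", admin_consent_granted(ADMIN_OK_CALLBACK, STATE))
```

The state value must be generated per session and bound to the user's browser session; the example hard-codes one only so the sample callbacks are reproducible. Risk-based step-up consent is a tenant-side decision, so nothing in the app can bypass it; the most an app can do is detect the outcome and route it to an administrator rather than leaving the user on a dead end.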

  2. Calcul8or 6 Reputation points
    2020-11-05T06:50:22.297+00:00

    Hi @soumi-MSFT ,

    Thanks for getting back to me. The only thing I may not have done in the recommendations you've given is add a verified domain. I'm not really sure how to do that, but I'll consult the documentation and hopefully find out.

    I will try that and let you know what happens.

    Thanks!