Application needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

Ping Li 1 Reputation point Microsoft Employee
2020-12-09T03:31:59.05+00:00

I have an app registered in AAD. The app needs to access two APIs: one is Azure Graph and the other is Azure DevOps.

I configured in AAD like below

[image: 46439-image.png]

But when we log in, we meet the issue below:

[image: 46336-microsoftteams-image-5.png]

When I removed the DevOps API in AAD, we could log in successfully. Later I added the DevOps API back again, and we can still log in successfully. It sounds weird.

Does anyone know why?

Microsoft Entra ID

1 answer

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-12-09T06:52:20.763+00:00

    Hello @Ping Li , thank you for reaching out.

    Usually, I have seen people come across this error when the registered app calls certain permissions and then somehow those permissions get marked as illicit consents.

    This issue happens because of something called Risk-based Step-up consent.

    Risk-based step-up consent helps reduce user exposure to malicious apps making illicit consent requests. If Microsoft detects a risky end-user consent request, the request will require a "step-up" to admin consent instead. This capability is enabled by default, but it will only result in a behavior change when end-user consent is enabled.

    When a risky consent request is detected, the consent prompt will display a message indicating that admin approval is needed.

    So it is expected that this will happen to some apps if they meet our criteria. This is documented as one of the "unexpected consent errors" here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error

    AADSTS90093: <clientAppDisplayName> is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf.
    AADSTS90094: <clientAppDisplayName> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

    That said, if this is a valid, non-malicious app, we do want to make sure the developer is not blocked on this going forward.

    In order to get them unblocked immediately, the consent request can be sent to an admin for review and potential approval.

    References: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error

    I am looking for some more insights on this and I will keep you posted with the next set of details. For now, you can try two things:

    1. Try to make the app verified, by adding a verified domain to your tenant.

    2. Try enabling the option:
    [image: 46553-adminconsent.png]

    Option 2 is a tedious job for the admin to keep providing consent for the users, but if your user base is a fixed one, then it would be a one-time thing for the admin. Moreover, the admin would only get a notification that someone is trying to access the app, and based on the justification, the admin can authorize that user's access.

    You can also refer to the following thread where a similar query was posted by a customer: https://learn.microsoft.com/en-us/answers/questions/132547/successfull-admin-consent-but-user-is-blocked-sett.html

    In your case, I guess, somehow the Azure DevOps API might have got labeled as illicit in the first go and hence that error popped up.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.

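As an added example (not part of this thread or of any Microsoft code), here is how an app can handle the stepped-up consent the answer describes: it recognises AADSTS90093/AADSTS90094 in the error Azure AD appends to the redirect URI and builds the v2.0 admin consent URL that an admin can be sent to review and grant the request. The tenant, client id, redirect URI, the sample redirect and the scope list are assumed/constructed values.

```python
import re
from urllib.parse import urlencode, parse_qs, urlparse

# AADSTS codes quoted in the answer above: the consent request was stepped
# up to admin consent, so retrying user consent will not succeed.
ADMIN_CONSENT_REQUIRED = {"AADSTS90093", "AADSTS90094"}

_CODE_RE = re.compile(r"\b(AADSTS\d{5,6})\b")


def parse_oauth_error(redirect_url: str) -> dict:
    """Extract error, error_description and the AADSTS code from the query
    string Azure AD appends to the redirect_uri on a failed authorize call."""
    params = parse_qs(urlparse(redirect_url).query)
    error = params.get("error", [""])[0]
    description = params.get("error_description", [""])[0]
    match = _CODE_RE.search(description)
    return {"error": error, "description": description,
            "code": match.group(1) if match else None}


def needs_admin_consent(parsed: dict) -> bool:
    """True when the only remedy is an admin reviewing the consent request."""
    return parsed["code"] in ADMIN_CONSENT_REQUIRED


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str,
                      scopes: list, state: str) -> str:
    """Build the Microsoft identity platform v2.0 admin consent endpoint URL
    (https://login.microsoftonline.com/{tenant}/v2.0/adminconsent) that an
    admin opens to review and grant the listed permissions for the tenant."""
    query = urlencode({"client_id": client_id, "scope": " ".join(scopes),
                       "redirect_uri": redirect_uri, "state": state})
    return f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?{query}"


# Constructed sample of the redirect Azure AD issues for the AADSTS90094 case;
# only the AADSTS code in error_description is relied upon, not the error value.
SAMPLE_REDIRECT = (
    "https://contoso.example/auth/callback?error=access_denied"
    "&error_description=AADSTS90094%3A+Contoso+Portal+needs+permission+to+access+"
    "resources+in+your+organization+that+only+an+admin+can+grant.&state=abc123"
)

# Assumed scopes: Microsoft Graph User.Read plus the Azure DevOps
# user_impersonation scope (499b84ac-1321-427f-aa17-267ca6975798 is the
# well-known Azure DevOps resource app id; treat it as an assumption here).
SCOPES = ["https://graph.microsoft.com/User.Read",
          "499b84ac-1321-427f-aa17-267ca6975798/user_impersonation"]


def handle_callback(redirect_url: str, tenant: str, client_id: str,
                    redirect_uri: str) -> str:
    """Return the admin consent URL to hand to an admin, or "" if the error
    is not a stepped-up consent case."""
    parsed = parse_oauth_error(redirect_url)
    if not needs_admin_consent(parsed):
        return ""
    return admin_consent_url(tenant, client_id, redirect_uri, SCOPES, "abc123")
```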