When an end-user is accessing their organization data by using my Azure OAuth APP, they are being asked for admin approval, the consent shows the message as "Approval Required", Can anyone will help me out on how to solve this issue so that end-user will not be asked for the admin approval? Authorization URL we used to authenticate the end-user:- https://login.microsoftonline.com/common/oauth2/authorize ?response_type=code&state={{state}}&redirect_uri={{redirect_uri}}&client_id={{client_id}}&resource={{resource}}

Hi @Celigo Labs • Thank you for reaching out. In order to avoid the Approval Required page for end users, you need to construct adminconsent url as mentioned below: https://login.microsoftonline.com/common/adminconsent?client_id=your_client_id Access this URL using global administrator account of your tenant and accept the consent prompt. Once this is done, when any user in your tenant, accesses the application using below call, they will not get the Approval Required page. https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&state={ {state}}&redirect_uri={ {redirect_uri}}&client_id={ {client_id}}&resource={ {resource}} ----------------------------------------------------------------------------------------------------------- Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

How can this be permanently disabled?

Disable approval required consent in Azure

Accepted answer

AmanpreetSingh-MSFT 56,306 Reputation points

2021-10-12T08:12:27.773+00:00

Hi @Celigo Labs • Thank you for reaching out.

In order to avoid the Approval Required page for end users, you need to construct adminconsent url as mentioned below:

https://login.microsoftonline.com/common/adminconsent?client_id=your_client_id

Access this URL using global administrator account of your tenant and accept the consent prompt.

Once this is done, when any user in your tenant, accesses the application using below call, they will not get the Approval Required page.

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&state={ {state}}&redirect_uri={ {redirect_uri}}&client_id={ {client_id}}&resource={ {resource}}

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Celigo Labs 41 Reputation points

2021-10-12T15:31:54.937+00:00

Hi @AmanpreetSingh-MSFT , Can we avoid the Approval required page without accessing the below URL?
https://login.microsoftonline.com/common/adminconsent?client_id=your_client_id

Do we have any other way where a end user can access to our application by using the authorization API call ["https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&state={{state}}&redirect_uri={{redirect_uri}}&client_id={{client_id}}&resource={{resource}}"] without accessing admin consent URL [https://login.microsoftonline.com/common/adminconsent?client_id=your_client_id]?

Please advise!

AmanpreetSingh-MSFT 56,306 Reputation points

2021-10-12T15:39:29.76+00:00

Hi @Celigo Labs • No, you cannot disable Disable Admin consent as there are certain permissions for which Admin Consent is required. Otherwise any malicious application(s) may have excessive permissions to resources within the tenant and cause a lot of security issues. Which is why it is not possible to disable this setting.

the authorization API call ["https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&state={ {state}}&redirect_uri={ {redirect_uri}}&client_id={ {client_id}}&resource={ {resource}}"] is used to acquire a code which is redeemed to acquire a token in the subsequent call. The Access token may then be used to get access to the resource it is acquired for. So, without authorization API call you may directly call token endpoint [https://login.microsoftonline.com/common/oauth2/token] and use ROPC flow but again, the Admin consent needs to be provided prior to making the call.

Celigo Labs 41 Reputation points

2021-10-12T17:09:32.267+00:00

Hi @AmanpreetSingh-MSFT , Just want to confirm whether my understanding of the above answer is correct/wrong, please correct me if I am wrong with my understanding, from the above answer I understood that the end-user/tenant can't access our application without their admin approval if their account has admin privilege, In order to avoid the admin approval request page, the admin of the user's account needs to perform the login request with the admin consent URL (i.e:- https://login.microsoftonline.com/common/adminconsent?client_id=your_client_id) later end-user/tenants can access our application using the Authorization URL without the approval required page interruption. As the admin approval request consent is in the hands of the end-users/tenants admin account, we can't do anything from the application end in order to avoid the admin approval request consent page.

@AmanpreetSingh-MSFT Also I would like to confirm whether the admin consent URL can be performed for a single time by the admin so that multiple users under the admin's account can perform the Authorization URL to our application without any approval request interruption.

Thank you!

AmanpreetSingh-MSFT 56,306 Reputation points

2021-10-13T04:37:43.773+00:00

Hi @Celigo Labs • Yes, your understanding is correct. Global Admin of the tenant has to provide consent only once by using adminconsent endpoint and subsequent user sign-ins within that tenant won't get approval request interruption.

Celigo Labs 41 Reputation points

2021-10-14T05:53:22.21+00:00

Hi @AmanpreetSingh-MSFT , Can you please provide us with the steps on enabling/disabling the admin approval request consent from the Global admin account of the tenant to our app?
Thank you!

AmanpreetSingh-MSFT 56,306 Reputation points

2021-10-14T06:25:23.68+00:00

@Celigo Labs • As I have mentioned, you can NOT disable consent prompt. You have to provide one time consent by using global admin account and other users in that tenant won't get the consent prompt as the admin already provided consent on behalf of entire tenant.

Azure AD > Directory roles > Global Admin > Make sure the admin user account is assigned with this role.

One of the users with Global Admin role assigned accesses https://login.microsoftonline.com/common/adminconsent?client_id=your_client_id

Accept the consent prompt.

Users in the tenant access "https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&state={ {state}}&redirect_uri={ {redirect_uri}}&client_id={ {client_id}}&resource={ {resource}}" and won't get the consent prompt.

At this point, users are getting an option to provide justification and admin can approve after reviewing the request. If you set the option highlighted in Green to NO, users will directly be denied and will not get the option provide justification to request for permission.

Celigo Labs 41 Reputation points

2021-10-14T11:24:08.07+00:00

Hi @AmanpreetSingh-MSFT , thanks for the quick response to our queries, will look into it.

Thank you!

Celigo Labs 41 Reputation points

2021-10-19T12:16:13.627+00:00

HI @AmanpreetSingh-MSFT , Once we grant the admin consent for a user can we know the steps on how to remove the granted admin consent for that user, I mean if the user wants to get the token for the next time he needs to get the admin approval request page again after performing the Authorization URL?

AmanpreetSingh-MSFT 56,306 Reputation points

2021-10-19T13:57:30.377+00:00

@Celigo Labs • For this purpose, you need to navigate to:
Azure AD > Enterprise Applications > Your_Application > Permissions > Review Permissions > select This application has more permissions than I want
You will be provided with a script to remove the permissions.

Note: Admin consent grants permission on the tenant level and not on per user basis. Hence, removing the permissions will affect all users in the tenant.

Celigo Labs 41 Reputation points

2021-10-22T05:55:48.693+00:00

Hi @AmanpreetSingh-MSFT , Can you please provide us with the steps on how can an admin accept the tenant's admin approval request?
Thank you!

Celigo Labs 41 Reputation points

2022-01-19T16:39:31.967+00:00

Hi @AmanpreetSingh-MSFT , Can you please provide us with the steps on how can an admin accept the tenant's admin approval request?
Thank you!

AmanpreetSingh-MSFT 56,306 Reputation points

2022-01-19T16:48:31.157+00:00

@Celigo Labs • Please find the steps below:
Sign in to comment

Disable approval required consent in Azure

1 additional answer