Azure Web App - Authorization - "Need admin approval"

Arash Niknafs 41 Reputation points
2021-02-16T21:17:48.64+00:00

Hi,

I have set up a Web App in Azure (it sits inside a repository which is pushed to a container registry by an ADO pipeline).

I have registered the app in Azure Active Directory and have been trying to restrict access to the App to a small number of internal employees.

However, the end users keep getting "Need admin approval" message as shown below:

[screenshot: 68764-image.png]

The users are added to the registered app inside the AAD and have the "Default Access" for their "Role assigned".

My online search has led me to changing the restrictions in the following screenshot:

[screenshot: 68717-image.png]

However, I don't have access to do that. Those are greyed out.

I also tried granting the users access through the following but again I don't have the access to do so:

[screenshot: 68772-image.png]

Please advise. Thanks!

Microsoft Entra ID

Accepted answer
  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2021-02-18T23:25:53.27+00:00

    Hi @Arash Niknafs ,

    Granting tenant-wide admin consent requires you to sign in as a Global Administrator, an Application Administrator, or a Cloud Application Administrator. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent

    (And to grant admin consent on Microsoft Graph, you need global administrator privileges.)

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#prerequisites

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent#:~:text=Sign%20in%20to%20the%20Azure,then%20click%20Grant%20admin%20consent.


2 additional answers

  1. Arash Niknafs 41 Reputation points
    2021-03-02T23:36:33.237+00:00

    @MarileeTurscak @Mathew James(UST,IN) Thank you both for your replies!

    I have tried several paths and talked with different teams. It seems that we would need to get an admin consent as Marilee mentioned in her answer.

    However, the link there is pointing to instructions on how an admin would have done this. Developers like me won't be able to do that. The instructions on how to request admin consent are not clear and seem to be out-of-date.

    I have been advised to create a ticket here with Azure and ask them for that admin consent.

    Would that be in here? The Azure Support portal was a bit confusing. The only support I see there is community support.

    Thanks again!


  2. Braun, Nico (WDE N-NTD) 11 Reputation points
    2024-04-05T18:29:39.5633333+00:00

    On this page https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview?WT.mc_id=Portal-Microsoft_AAD_RegisteredApps#administrator-consent

    they say:

    Permission requests that contain custom application scopes aren't considered high-privilege and thus, they don't require admin consent.

    Therefore, if you create a custom permission for your app and request that alongside the other scopes, you don't need admin consent.

    # given some application
    
    resource "azuread_application" "example" {
      display_name    = "example"
      identifier_uris = ["api://example"]
    }
    
    # we create a custom scope for it
    
    resource "random_uuid" "custom_scope" {}
    
    resource "azuread_application_permission_scope" "custom" {
      application_id = azuread_application.example.id
      scope_id       = random_uuid.custom_scope.id
      value          = "Custom"
    
      admin_consent_display_name = "Bypass admin consent"
      admin_consent_description = join("", [
        "By requesting this scope, admin consent is bypassed, according to: ",
        "https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview?WT.mc_id=Portal-Microsoft_AAD_RegisteredApps#administrator-consent",
      ])
    }
    
    # and we grant the application access to it
    
    resource "azuread_application_api_access" "custom_scope" {
      application_id = azuread_application.example.id
      api_client_id  = azuread_application.example.client_id
      scope_ids      = [random_uuid.custom_scope.id]
    }
    
    # we can assign any other scope to the application, for example for oidc
    
    data "azuread_application_published_app_ids" "well_known" {}
    
    data "azuread_service_principal" "msgraph" {
      client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
    }
    
    resource "azuread_application_api_access" "msgraph" {
      application_id = azuread_application.example.id
      api_client_id  = data.azuread_service_principal.msgraph.client_id
      scope_ids = [
        data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"],
        data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["email"],
        data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["profile"],
      ]
    }
    

    When configuring the client application, we can request the scopes, alongside the custom one in order to bypass the admin consent:

    clientId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    clientSecret: xyz
    scopes:
      - api://example/Custom # <-
      - openid
      - email
      - profile
    

    That said, I am wondering why it is like that. This seems like a foot gun. Like people accidentally disabling admin consent. Or the custom scope is really just for that, but then it is a strange way of implementing the consent bypass feature.

    In my case, I don't even understand why this is required. Because the scopes in the list are marked as "no admin consent required", in the UI.
    [screenshot]

    But in fact, I ran into the issue. That's why I'm here.

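The link between the GUID `scope_ids` in the Terraform above and the scope strings the client config requests, as an added example that is not part of this answer or of the azuread provider: it resolves an app registration manifest's `requiredResourceAccess` entries against the scopes each resource publishes, producing `api://example/Custom` and the Graph scopes, and reports which requested scopes the resource publishes with `type: "Admin"` (the ones that prompt for admin consent regardless of what else is requested). All appIds, scope GUIDs and the `Example.ReadWrite.All` scope are constructed sample values; only Graph's well-known appId is real.

```python
import json

# Constructed sample manifest (all GUIDs are made up): the "example" app that
# exposes its own "Custom" scope and requests it plus three Graph scopes.
APP_MANIFEST = json.loads("""{
  "appId": "11111111-1111-1111-1111-111111111111",
  "identifierUris": ["api://example"],
  "api": {"oauth2PermissionScopes": [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Custom", "type": "User"}]},
  "requiredResourceAccess": [
    {"resourceAppId": "11111111-1111-1111-1111-111111111111",
     "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"}]},
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"},
                        {"id": "bbbbbbbb-0000-0000-0000-000000000002", "type": "Scope"},
                        {"id": "bbbbbbbb-0000-0000-0000-000000000099", "type": "Scope"}]}]}""")

# Scopes each resource publishes (its service principal's oauth2PermissionScopes),
# keyed by appId. Graph's appId is its well-known value; the scope IDs are constructed.
RESOURCES = {
    "00000003-0000-0000-c000-000000000000": {
        "identifierUri": "https://graph.microsoft.com",
        "scopes": {
            "bbbbbbbb-0000-0000-0000-000000000001": ("openid", "User"),
            "bbbbbbbb-0000-0000-0000-000000000002": ("profile", "User"),
            "bbbbbbbb-0000-0000-0000-000000000099": ("Example.ReadWrite.All", "Admin"),
        },
    },
}

def resolve_scopes(manifest, resources):
    """Return [(scope_string, consent_type, is_custom)] for each delegated permission requested."""
    catalog = dict(resources)  # add the app's own published scopes so self-requests resolve too
    catalog[manifest["appId"]] = {"identifierUri": manifest["identifierUris"][0],
        "scopes": {s["id"]: (s["value"], s["type"]) for s in manifest["api"]["oauth2PermissionScopes"]}}
    resolved = []
    for rra in manifest["requiredResourceAccess"]:
        res, is_custom = catalog[rra["resourceAppId"]], rra["resourceAppId"] == manifest["appId"]
        for access in rra["resourceAccess"]:
            if access["type"] != "Scope":
                continue  # "Role" entries are application permissions, never user-consentable
            value, consent = res["scopes"][access["id"]]  # KeyError if the resource never published it
            resolved.append((f"{res['identifierUri']}/{value}", consent, is_custom))
    return resolved

def admin_only_scopes(manifest, resources):
    """Requested scopes whose publisher marks them type Admin: these always need admin consent."""
    return [s for s, consent, _ in resolve_scopes(manifest, resources) if consent == "Admin"]
```

Graph scopes may be requested in the short form (`openid`) or the full form produced here; the custom scope must use its `api://` identifier URI.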