
There's a staff SPA application authenticating to AAD. I created and configured the app registration in the Azure portal, but I'm not an AAD expert - it's really just a dummy app registration for dev/testing. I can authenticate, but I'm the owner of the app registration. Several other staff members in the AD tenant can also authenticate, so it does work. There's one user in particular that can't authenticate for some reason - she's definitely in the AD tenant. She's getting the following prompt:

[Screenshot: the "Need admin approval" sign-in prompt]

There are some roles that I've configured in the app registration manifest and role assignments (and she's been assigned), but I don't think this is related - this is more for RBAC and authZ, whereas this seems to be an authentication issue...

What do I need to do to get her past the "need admin approval" screen?

Comment from Joy Wang-MSFT: Could you show the request URL used to log in? Which resource are you using in scope? And is the user a Guest in your tenant?

1 Answer


Looks like you have activated the Admin Consent Workflow. With this workflow, an admin needs to grant access to the applications that need it. They should be able to do this for all users in their tenant.

The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.

The alternative is the User Consent Workflow:

Before an application can access your organization's data, a user must grant the application permissions to do so. Different permissions allow different levels of access. By default, all users are allowed to consent to applications for permissions that don't require administrator consent. For example, by default, a user can consent to allow an app to access their mailbox but can't consent to allow an app unfettered access to read and write to all files in your organization.

By allowing users to grant apps access to data, users can easily acquire useful applications and be productive. However, in some situations this configuration can represent a risk if it's not monitored and controlled carefully.

Also interesting: Managing consent to applications and evaluating consent requests

Microsoft recommends disabling end-user consent to applications. This will centralize the decision-making process with your organization's security and identity administrator team.
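The two things an administrator needs to check before clicking through an approval request are which of the registration's requested permissions are marked admin-only, and what consent grants already exist for the client (tenant-wide versus per-user). The script below is an added example written for this answer, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and must be run by an account that can grant tenant-wide consent. The application ID is a placeholder you substitute with the SPA's Application (client) ID; the Graph appId is the well-known value for Microsoft Graph.

```powershell
# Added example: inspect a registration's requested permissions, list existing
# consent grants, and grant tenant-wide admin consent. Assumes Microsoft Graph
# PowerShell SDK and an administrator account; $appId is a placeholder.
$appId      = '00000000-0000-0000-0000-000000000000'   # placeholder: your SPA's Application (client) ID
$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

$app      = Get-MgApplication      -Filter "appId eq '$appId'"
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$appId'"

# 1. Which permissions does the registration request, and do any of them need admin consent?
#    Delegated scopes carry Type 'User' (any user may consent, if user consent is allowed)
#    or 'Admin' (only an administrator may consent). Application permissions ('Role')
#    always need admin consent and are unusual for a SPA that signs in users.
foreach ($req in $app.RequiredResourceAccess) {
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($req.ResourceAppId)'"
    foreach ($access in $req.ResourceAccess) {
        if ($access.Type -eq 'Scope') {
            $scope = $resourceSp.Oauth2PermissionScopes | Where-Object Id -eq $access.Id
            '{0,-40} {1,-12} on {2}' -f $scope.Value, $scope.Type, $resourceSp.DisplayName
        } else {
            $role = $resourceSp.AppRoles | Where-Object Id -eq $access.Id
            '{0,-40} {1,-12} on {2}' -f $role.Value, 'Admin (app)', $resourceSp.DisplayName
        }
    }
}

# 2. Existing grants for this client. ConsentType 'AllPrincipals' is tenant-wide admin
#    consent; 'Principal' is one user's own consent, which is why some colleagues can
#    already sign in while a user who could not consent gets the admin-approval prompt.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)'" |
    Select-Object ConsentType, PrincipalId, Scope

# 3. Grant tenant-wide admin consent for the Graph delegated scopes the SPA actually needs
#    (the same effect as the portal's "Grant admin consent for <tenant>" button).
#    Keep the scope list to what step 1 showed; do not grant more than the app requests.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
New-MgOauth2PermissionGrant -ClientId $clientSp.Id `
                            -ConsentType 'AllPrincipals' `
                            -ResourceId $graphSp.Id `
                            -Scope 'openid profile User.Read'
```

If step 2 already shows an AllPrincipals grant for the same client and resource, creating a second one fails; update the existing grant's Scope instead (Update-MgOauth2PermissionGrant) so the scope list stays in one place. A guest user is a separate case: the grant above covers members and guests alike, but the sign-in request itself must target the tenant where the guest object exists, which is what the comment on the question was asking about.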