Azure APP registration - Even after granting admin consent,end user still gets login window asking for Permission

1
votes

We have created APP registration in Azure tenant. After adding all necessary Graph API permissions to APP and clicking "Grant admin consent" button, end-user still receives a window with "Permissions requested".

However, if I log in to my APP from Windows using my Tenant admin, on the same login window there is a checkbox saying "Consent on behalf of your organization". Checking this box as an admin suppresses any subsequent windows from showing for any user.

Why is that? Why clicking Grant admin consent in API Permissions tab does not behave the same way as logging first as a tenant admin and checking the box "Consent on behalf of your organization"?

Please let me better understand this.

API Permissions

Permissions requested window

1
azure-active-directoryazure-ad-graph-api
I found the fix. My APP was missing Mail.Send.Shared permission. After adding it to the list and clicking grant admin consent I don't see any more pop up windows.tbmw
Why do you want to grant "Mail.Send.Shared" permissions? Are you sending mail on behalf of another user? I don't think the lack of Mail.Send.Shared permissions is the cause of the problem.Carl Zhao
If my answer is helpful for you, you can accept it as answer( click on the check mark beside the answer to toggle it from greyed out to filled in.). See meta.stackexchange.com/questions/5234/… This can be beneficial to other community members. Thank you.Carl Zhao

1 Answers

0
votes

The lack of Mail.Send.Shared permissions is not the cause of the problem.

When you log in to the application as a normal user for the first time, the system will prompt you whether to accept the request permission of the application. After you click "Accept", the request window will not pop up when you log in to the application next time. It's not because you added the Mail.Send.Shared permission.

We have many ways to grant administrator consent for api permissions. You can click "Grant admin consent" in the "API permissions" tab, or check the "Consent on behalf of your organization" box when logging in to the application. The realized functions are all the same.