Admin Approval Required Error

When users attempt to log in to the Sprocket Management Portal, they may encounter a consent screen stating that administrator approval is required. This article explains why this happens and how to resolve it.

The Problem

Users see a consent screen similar to this after logging in to the Sprocket Management Portal:

[Screenshot: "Need admin approval" screen]

The screen displays:

  • "Need admin approval" as the main heading
  • "Sprocket Management Portal needs permission to access resources in your organisation that only an admin can grant."
  • "Please ask an admin to grant permission to this app before you can use it."

The user cannot proceed without administrator approval and sees two options:

  • "Have an admin account? Sign in with that account"
  • "Return to the application without granting consent"

Why Does This Happen?

This occurs due to Azure AD tenant settings that control whether end users can grant consent to applications. The Sprocket Management Portal requires the User.Read permission to function, which allows the application to read basic user profile information.

The issue is controlled by a specific setting in your Azure AD configuration:

Path: Azure Active Directory → Enterprise Applications → Consent and Permissions → User Consent Settings

[Screenshot: Azure user consent settings]

There are three options available:

  1. Do not allow user consent (Restrictive setting)

    • An administrator will be required for all apps
    • This is what causes the "Need admin approval" error
  2. Allow user consent for apps from verified publishers, for selected permissions (Recommended)

    • All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization
    • Users can consent to apps from verified publishers like Sprocket
    • Most permissive while still maintaining security
  3. Let Microsoft manage your consent settings (Recommended by Microsoft)

    • Automatically updates your organization to Microsoft's current user consent guidelines
    • Highlighted in green in the Azure Portal as the recommended option

Why Some Clients Experience This and Others Don't

Different organizations have different security policies:

  • Default Microsoft Setting: Most tenants allow consent for verified publishers, which includes Sprocket (as we're a Microsoft Partner application)
  • Restrictive Organizations: Some organizations, particularly in regulated industries or certain countries, configure their tenant to "Do not allow user consent"
  • Security Policies: IT departments may have implemented stricter consent policies to control which applications can access their tenant

How to Resolve This Issue

There are two approaches to resolving this issue:

The quickest solution is to have a Global Administrator (or potentially another admin role) log in to the Sprocket Management Portal on behalf of the user:

  1. Have a Global Administrator navigate to the Sprocket Management Portal
  2. The administrator logs in with their credentials
  3. The administrator will see the consent screen and can approve it for the entire organization
  4. Once approved, regular users should be able to access the portal without the consent screen

Tip: The exact admin role required may vary. While Global Administrator definitely works, other admin roles with permissions to grant tenant-wide consent may also be sufficient. We recommend testing with a Global Administrator first.

Alternatively, if your organization's security policies allow it, you can modify the Azure AD settings to permit user consent for verified publishers:

  1. Sign in to the Azure Portal as a Global Administrator
  2. Navigate to Azure Active Directory
  3. Select Enterprise applications from the left menu
  4. Click on Consent and permissions under the Manage section
  5. Click on User consent settings
  6. Change the setting from "Do not allow user consent" to either:
    • "Allow user consent for apps from verified publishers, for selected permissions", OR
    • "Let Microsoft manage your consent settings (Recommended)" (shown with green highlight in the screenshot above)
  7. Click Save at the top of the page

Caution: Changing consent settings affects your entire organization's security posture. Consult with your IT security team before making this change. Microsoft's recommended settings provide a good balance between security and usability while allowing access to verified publisher applications like Sprocket.

Understanding the Permissions

Sprocket Management Portal only requests the User.Read permission, which:

  • Allows the app to read the signed-in user's basic profile (name, email, profile picture)
  • Does not grant access to other users' data
  • Does not allow writing or modifying any data
  • Is one of the most basic and common permissions in Microsoft 365

This is a minimal permission scope that's considered safe and is commonly granted to business applications.

Alternative Scenarios

"Request Approval" Button

In some cases, users may see a "Request approval" button instead of being completely blocked. This allows users to submit a request to their administrator for approval. The administrator will receive a notification and can approve or deny the request from the Azure Portal.

Returning to the Error Screen

If users click the browser's back button or attempt to return to a previous screen during the consent process, they may encounter errors. If this happens, instruct them to:

  1. Close the browser completely
  2. Clear browser cache (optional, but recommended)
  3. Navigate to the Sprocket Management Portal again
  4. Complete the login process without using the back button

Verifying the Application Registration

Administrators can verify that Sprocket has been properly registered in their tenant:

  1. Sign in to the Azure Portal
  2. Navigate to Azure Active Directory → Enterprise applications
  3. Search for "Sprocket" in the application list
  4. If the application appears with a status of "Enabled," consent has been granted
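
The same verification can be done from Microsoft Graph data. The check below is an added example, not Sprocket's or Microsoft's code: it reads an `authorizationPolicy` object and the app's `oauth2PermissionGrants`, reports whether regular users will hit "Need admin approval", and lists any tenant-wide scopes beyond the `User.Read` described under "Understanding the Permissions". The JSON samples, the service principal ID and the three result labels are constructed, and the logic is a simplification of the real consent evaluation.

```python
import json

SELF_PREFIX = "managepermissiongrantsforself."  # user-consent entries; others cover group owners
REQUIRED = {"User.Read"}  # the only permission the article says the portal requests
APP_SP_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder service principal object ID

# Constructed samples shaped like GET /policies/authorizationPolicy and /oauth2PermissionGrants.
RESTRICTIVE = json.loads("""{"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned":
  ["ManagePermissionGrantsForOwnedResource.example-group-policy"]}}""")
LOW_IMPACT = json.loads("""{"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned":
  ["ManagePermissionGrantsForSelf.microsoft-user-default-low"]}}""")
USER_GRANT = {"clientId": APP_SP_ID, "consentType": "Principal",
              "principalId": "user-1", "scope": "User.Read"}
ADMIN_GRANT = {"clientId": APP_SP_ID, "consentType": "AllPrincipals",
               "principalId": None, "scope": " User.Read"}


def user_consent_policies(auth_policy):
    """User-consent policy IDs in effect; an empty list means 'Do not allow user consent'."""
    perms = auth_policy.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssigned") or []
    return [p[len(SELF_PREFIX):] for p in assigned if p.lower().startswith(SELF_PREFIX)]


def tenant_wide_scopes(grants, sp_id):
    """Delegated scopes granted for every user (consentType AllPrincipals) to this app."""
    scopes = set()
    for g in grants:
        if g.get("clientId") == sp_id and g.get("consentType") == "AllPrincipals":
            scopes.update((g.get("scope") or "").split())
    return scopes


def diagnose(auth_policy, grants, sp_id=APP_SP_ID):
    """Return (state, extra_scopes); extra_scopes are tenant-wide grants beyond REQUIRED."""
    granted = tenant_wide_scopes(grants, sp_id)
    if REQUIRED <= granted:
        state = "admin-consented"          # no prompt for regular users
    elif not user_consent_policies(auth_policy):
        state = "need-admin-approval"      # the error this article describes
    else:
        state = "user-consent-may-apply"   # depends on publisher and permission class
    return state, sorted(granted - REQUIRED)


if __name__ == "__main__":
    print(diagnose(RESTRICTIVE, [USER_GRANT]))               # before an admin approves
    print(diagnose(RESTRICTIVE, [USER_GRANT, ADMIN_GRANT]))  # after tenant-wide consent
```

A non-empty second element means the tenant-wide grant covers more than `User.Read` and should be reviewed before it is left in place.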

Still Having Issues?

If you've tried the solutions above and users are still unable to access the Sprocket Management Portal, please contact our support team at [email protected].

When contacting support, please include:

  1. Screenshots of the consent screen users are seeing
  2. Confirmation of whether you've checked the Azure AD consent settings
  3. The admin role of the person who attempted to grant consent (if applicable)
  4. Any error messages that appear when clicking buttons on the consent screen