How to grant admin consent to applications in Azure

In this post we look at how to set up the admin consent workflow in Azure, which fixes an issue with the Samsung Email app requiring admin consent. The workflow gives users a way to request access to applications and lets global admins grant tenant-wide consent.

The scenario

I had an issue recently in my organisation where, after a recent OS update, users began to report a “need admin approval” message appearing when attempting to access mail through the native Samsung email application.

The “Need admin approval” message that began appearing via the Samsung email app.

So the first thing I checked out was the Enterprise application in Azure Active Directory just to do a once-over of the settings there. However, there was no Samsung Email app to be found!

Fail #1 – user consent settings

So after noticing there was no Samsung email app to check the configuration of, and still in Enterprise applications, I went to Consent and permissions > User consent settings.

From here I changed the user consent for applications part to Allow user consent for apps from verified publishers, and also set the five permissions classed as low impact as recommended.

Update the user consent settings to allow user consent for apps from verified publishers.

For me, this did not work.

I then spoke to Microsoft support who recommended configuring the admin consent workflow (preview), which gives end users a way to request access to applications that require admin consent.

There is full documentation from Microsoft here on how to configure the admin consent workflow, but I’ll include the steps I took to enable it below:

  • Navigate to Azure Active Directory. You need to be a global administrator to complete these steps
  • Open Enterprise applications > under Manage, select User settings
  • Under Admin consent requests (Preview), set “Users can request admin consent to apps they are unable to consent to” to Yes
Configure admin consent workflow settings
Set “Users can request admin consent to apps they are unable to consent to” to Yes under Admin consent requests (preview).
  • Now you need to set the users who are to review the admin consent requests (these need to also have the global administrator, cloud application administrator, and application administrator roles)
  • Enable or disable email notifications to the reviewers when a request is made
  • Enable or disable reminder email notifications to the reviewers when a request is about to expire
  • Specify how long requests stay valid
  • Press Save

Changes can take up to an hour to take effect – for me it took closer to 45 minutes. After this time, I tested the Samsung email app again and the message changed to requiring approval:

This then notifies the user that their request has been sent, and an email is sent to the request administrator(s). Then in Enterprise Applications, under Activity, click on Admin consent requests (Preview) and you will see Samsung Email listed. You can also see who requested it on the Requested by tab.

From here, I just pressed Approve, which naturally approved the request. Once approved, the request is cleared from the admin consent requests list.

Granting tenant-wide admin consent to an application

Microsoft documentation here talks about needing to grant admin consent for the applications to be available tenant-wide. It’s really easy to do: in my example, the Samsung Email app is now listed under Enterprise Applications, so all I needed to do was:

  • Go back to Enterprise applications
  • Select the Samsung Email application
  • Select Permissions and then click Grant admin consent
  • Agree with the permissions the application requires and grant consent
Samsung Email application appearing in Enterprise applications.
Grant tenant-wide admin consent for the Samsung Email application.
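
To review what a tenant-wide grant actually covers once consent has been given, the sketch below (an added example, not code from the original post or from Microsoft) splits an app's delegated grants into tenant-wide and per-user scopes and checks its app ID against an expected value. The sample records are constructed in the shape of Microsoft Graph servicePrincipal and oauth2PermissionGrant objects; `EXPECTED_APP_IDS` uses the ID quoted in the comments on this page, and `LOW_IMPACT` and `review_consent` are assumptions made for illustration.

```python
import json

# Constructed sample records shaped like Microsoft Graph servicePrincipal and
# oauth2PermissionGrant objects. Object IDs, the second app ID and all scopes
# are made up for illustration; they are not from a real tenant.
SERVICE_PRINCIPALS = json.loads("""[
  {"id": "sp-0001", "displayName": "Samsung Email",
   "appId": "8acd33ea-7197-4a96-bc33-d7cc7101262f"},
  {"id": "sp-0002", "displayName": "Samsung Email",
   "appId": "00000000-0000-0000-0000-000000000000"}
]""")
GRANTS = json.loads("""[
  {"clientId": "sp-0001", "consentType": "AllPrincipals", "principalId": null,
   "scope": "User.Read offline_access"},
  {"clientId": "sp-0001", "consentType": "Principal", "principalId": "user-07",
   "scope": "Mail.ReadWrite"},
  {"clientId": "sp-0002", "consentType": "AllPrincipals", "principalId": null,
   "scope": "Mail.ReadWrite Mail.Send"}
]""")

# App ID quoted for "Samsung Email" in the comments on this page.
EXPECTED_APP_IDS = {"Samsung Email": "8acd33ea-7197-4a96-bc33-d7cc7101262f"}
# Assumed low-impact classification; replace with your tenant's own list.
LOW_IMPACT = {"User.Read", "offline_access", "openid", "profile", "email"}

def review_consent(service_principals, grants):
    """Summarise delegated consent per enterprise app (app roles not covered)."""
    findings = []
    for sp in service_principals:
        expected = EXPECTED_APP_IDS.get(sp["displayName"])
        tenant_wide, per_user = set(), set()
        for grant in grants:
            if grant["clientId"] != sp["id"]:
                continue
            # AllPrincipals = admin consent for every user; Principal = one user.
            bucket = tenant_wide if grant["consentType"] == "AllPrincipals" else per_user
            bucket.update(grant["scope"].split())
        findings.append({
            "object_id": sp["id"],
            "app_id_matches": expected is not None and sp["appId"].lower() == expected,
            "tenant_wide": sorted(tenant_wide),
            "per_user": sorted(per_user),
            "needs_review": sorted(tenant_wide - LOW_IMPACT),
        })
    return findings

if __name__ == "__main__":
    for finding in review_consent(SERVICE_PRINCIPALS, GRANTS):
        print(json.dumps(finding))
```

An entry with `app_id_matches` false or a non-empty `needs_review` list is the one to look at before leaving tenant-wide consent in place.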

7 thoughts on “How to grant admin consent to applications in Azure”

  1. Kamal January 23, 2021 / 9:03 pm

    “samsung email” does not appear in our azure portal. Do we need to perform any additional steps?


  2. Anthony January 23, 2021 / 9:46 pm

    Hi Kamal, yes you need to enable and configure the admin consent workflow in Azure AD, then try logging into Samsung Email on Android to send a request.

    Approving this will show Samsung Email as an enterprise app.

    Thanks,
    Anthony


    • Ivan April 27, 2021 / 12:27 pm

      Hi Anthony,

      I’ve read this article and have a question. Can we consent to the permissions after having deleted consent? I don’t see a specific mention of re-consenting in the article.

      Thanks,
      Ivan


  3. Nate April 8, 2021 / 2:16 am

    Can someone confirm that the “Samsung Email” app ID is supposed to be “8acd33ea-7197-4a96-bc33-d7cc7101262f”? Just trying to make sure that this is a legitimate application. The only way I know of to check the authenticity is to cross reference with a trusted addition. You can find the AppID at the same spot as the last screenshot of this article, except go to the “Properties” section.


    • Anthony April 8, 2021 / 12:02 pm

      Hi Nate,
      I can confirm that the Samsung Email app ID in my tenant is the same as what you’ve listed.
      Thanks
      Anthony


  4. Ivan April 27, 2021 / 12:46 pm

    Hi Anthony,

    I’ve read this article and have a question. Can we consent to the permissions after having deleted consent? I don’t see a specific mention of re-consenting in the article.


    • Anthony April 27, 2021 / 5:41 pm

      Hi Ivan, thanks for the comment. I’m not 100% on user consent but similarly I’ve had several occasions where admin consent isn’t granted for an app and this allows the user to request access again – so I would imagine the process is the same.

