Issue Description
When a customer registers an account in the MSPbots app, they may see an error message saying Approval Required.
Issue Cause
This happens because your Azure AD administrator has added additional security policies that block all AAD applications similar to MSPbots (even though it may not be convenient, this is best practice).
Applications and Required Permissions
Any user who registers for an MSPbots account may encounter this issue; resolving it may require help from someone in your team who has ATS AAD administrator permissions.
How to Fix "Approval Required" Issue
- Sign in to Microsoft Azure.
- In Azure services, click Microsoft Entra ID.
- In Manage, click Enterprise applications.
- Search for MSPbots.ai and click it to open. Make sure the Object ID and Application ID of the application you access match those in the screenshot.
- There are two solutions below; you can choose either one:
  - Option 1: Admin consent settings.
    - In Manage, click Admin consent settings.
    - Check the setting for the option Users can request admin consent to apps they are unable to consent to.
    - If this option is set to Yes, you need to request admin consent to add MSPbots to your AAD applications.
    - If this option is set to No, you need to contact someone with ATS AAD admin permissions to approve adding MSPbots to your AAD applications.
  - Option 2: User consent settings.
    - Click User consent settings.
    - Check the setting for the option User consent for applications.
    - If set to Do not allow user consent, contact someone with ATS AAD administrator permissions to consent to adding MSPbots to your AAD applications.
    - If set to Allow user consent for apps, all users can consent for any app to access the organization's data. In that case:
      - Click Select permissions to classify as low impact.
      - Select the following permissions and click Yes, add selected permissions:
        - User.Read
        - offline_access
        - openid
        - profile
        - email
    - If set to Let Microsoft manage your consent settings (Recommended), Microsoft will automatically update your organization.
After a successful setup, it means you have granted these permissions to MSPbots.
Permissions granted to MSPbots, with Microsoft's official description and how MSPbots uses each:
- openid
  - Microsoft official description: Sign users in.
  - Usage in MSPbots: Basic permission; allows MSPbots to read the user IDs of those signing in.
- profile
  - Microsoft official description: Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo.
  - Usage in MSPbots: After tenants log in to MSPbots but before authorizing Teams integration, allows MSPbots to read basic information of all users in the current tenant: MPNID, email, first name, last name, display name, and Teams user ID.
- User.Read
  - Microsoft official description: Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
  - Usage in MSPbots: After tenants log in to MSPbots but before authorizing Teams integration, allows MSPbots to read the basic information of the currently logged-in user, including MPNID, email, first name, last name, display name, and Teams user ID. The information retrieved is the minimal user data set captured during the registration and login process of MSPbots, which is used to uniquely identify the user within the organization.
- email
  - Microsoft official description: View user's email address.
  - Usage in MSPbots: Allows MSPbots to view users' email address.
- offline_access
  - Microsoft official description: Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.
  - Usage in MSPbots: Basic permission; allows MSPbots to call APIs persistently, enabling further automation of syncing user information. After the tenant authorizes Teams integration in MSPbots, there is no need for repeated authorization. MSPbots will automatically sync the latest information of all users in that tenant.
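As an added example that is not part of this article or of MSPbots' own tooling, the following Microsoft Graph PowerShell snippet lets an Entra admin read the same settings from the command line: the user consent mode, whether users can request admin consent, and which of the five delegated permissions are already granted to the MSPbots.ai service principal. It assumes the Microsoft.Graph module is installed and an account that can read policies and applications; the mapping of the portal options to the built-in permission grant policy IDs is my own assumption.

```powershell
# Added example, not from the MSPbots article: check the consent settings the article
# walks through, and the delegated permissions granted to the MSPbots.ai service principal.
# Assumes the Microsoft.Graph PowerShell module and an account allowed to read policies/apps.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All' -NoWelcome

# The five delegated permissions the article asks you to classify as low impact.
$required = @('User.Read', 'offline_access', 'openid', 'profile', 'email')

# 1. "User consent for applications" (assumed mapping to the built-in permission grant policies).
$assigned = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if ($assigned -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
    $userConsent = 'Allow user consent for apps'
} elseif ($assigned -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-low') {
    $userConsent = 'Allow user consent for apps from verified publishers, for selected permissions'
} elseif (-not $assigned) {
    $userConsent = 'Do not allow user consent'
} else {
    $userConsent = "Other policy set: $($assigned -join ', ')"   # e.g. Microsoft-managed or a custom policy
}
Write-Host "User consent setting  : $userConsent"

# 2. "Users can request admin consent to apps they are unable to consent to" (Yes/No).
$requestPolicy = Get-MgPolicyAdminConsentRequestPolicy
Write-Host "Admin consent requests: $(if ($requestPolicy.IsEnabled) { 'Yes' } else { 'No' })"

# 3. The MSPbots.ai enterprise application and its delegated grants.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'MSPbots.ai'" | Select-Object -First 1
if (-not $sp) {
    Write-Host 'MSPbots.ai is not yet registered as an enterprise application in this tenant.'
    return
}
# Compare these with the Object ID / Application ID the article tells you to verify.
Write-Host "Object ID     : $($sp.Id)"
Write-Host "Application ID: $($sp.AppId)"

$grants  = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$granted = $grants | ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ } | Sort-Object -Unique
$missing = $required | Where-Object { $granted -notcontains $_ }

foreach ($g in $grants) {
    # ConsentType 'AllPrincipals' = admin consent for everyone; 'Principal' = one user's own consent.
    Write-Host "Grant ($($g.ConsentType)): $($g.Scope)"
}
if ($missing) {
    Write-Host "Still missing: $($missing -join ', ') -> admin consent (or a low-impact classification) is required."
} else {
    Write-Host 'All five delegated permissions are granted; users should no longer see Approval Required.'
}
```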
For Microsoft's official answer on this error, refer to https://learn.microsoft.com/en-us/answers/questions/1356729/need-admin-approval-how-do-i-by-pass-this-for-azur.