In this post we look at how to set up the admin consent workflow in Entra ID. It fixes an issue with the BlueMail app requiring admin consent by giving users a way to request access to applications and allowing global admins to grant tenant-wide consent.
Recently, users in my organization reported that an approval message appears when attempting to access mail through the BlueMail application. They wondered about the Accept option and asked us to confirm it wouldn’t be an issue if they accepted it.
So, the first thing we checked out was the Enterprise application in Azure Active Directory just to do a once-over of the settings there. However, there was no BlueMail app to be found!
We then spoke to Microsoft support who recommended configuring the admin consent workflow (preview), which gives end users a way to request access to applications that require admin consent.
Configure the admin consent workflow
There is full documentation from Microsoft here on how to configure the admin consent workflow, but I’ll include the steps I took to enable it below:
1️⃣ Navigate to Microsoft Entra admin center. You need to be a global administrator to complete these steps.
2️⃣ Navigate to Enterprise applications > under Security section, select Consent and permissions.
3️⃣ Under Admin consent requests (Preview), set "Users can request admin consent to apps they are unable to consent to" to Yes.
4️⃣ Now you need to set the users, groups or roles who are to review the admin consent requests (these need to also have the global administrator, cloud application administrator, and application administrator roles)
5️⃣ Keep all other settings as default, such as "Enable email notifications to the reviewers when a request is made" and "Enable reminder email notifications to the reviewers when a request is about to expire". Specify how long requests stay valid, then click Save.
6️⃣ After that time, when users access the app again, the message changes to one requiring approval.
7️⃣ This then notifies the user that their request has been sent, and an email is sent to the request admins. Then in Enterprise Applications, under Activity if you click on Admin consent requests (Preview) you will see the app listed, as well as being able to see who requested it on the Requested by tab.
8️⃣ From here, we just pressed Approve, which naturally approved the request. Once approved, the request is cleared from the admin consent requests list.
Additionally, an email is sent to the request admins for approval. Admins can click on the Review request link to navigate to the Admin consent requests section in Entra ID.
With the app now approved, users should be able to use the app to connect to their email accounts.
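The same configuration can be scripted through Microsoft Graph, which also lets reviewers see which permission scopes each request is waiting on before they press Approve. This is an added example, not part of the original post or Microsoft's documentation; the reviewer object ID and the 30-day expiry are placeholder assumptions.

```powershell
# Requires the Microsoft.Graph.Authentication module (Connect-MgGraph, Invoke-MgGraphRequest).
# Assumption: $ReviewerId is a placeholder for the object ID of a user who holds
# one of the admin roles named in step 4.
$ReviewerId = '00000000-0000-0000-0000-000000000000'
$Graph      = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConsentRequest', 'ConsentRequest.Read.All'

# Steps 3-5: enable the workflow, name the reviewers, keep both notification types on.
$policy = @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30   # assumed value; set the expiry period you chose in step 5
    reviewers             = @(
        @{ query = "/users/$ReviewerId"; queryType = 'MicrosoftGraph' }
    )
}
Invoke-MgGraphRequest -Method PUT -Uri "$Graph/policies/adminConsentRequestPolicy" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read the policy back so a failed or partial update is caught immediately.
$current = Invoke-MgGraphRequest -Method GET -Uri "$Graph/policies/adminConsentRequestPolicy"
if (-not $current.isEnabled) {
    throw 'Admin consent workflow is still disabled after the update.'
}
if (-not $current.reviewers) {
    throw 'No reviewers are configured; requests would have nobody to approve them.'
}

# Step 7: list the apps that have consent requests and the scopes still awaiting
# a decision, following paging links until every request has been read.
$uri = "$Graph/identityGovernance/appConsent/appConsentRequests"
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($req in $page.value) {
        $scopes = $req.pendingScopes | ForEach-Object { $_['displayName'] }
        [pscustomobject]@{
            App           = $req.appDisplayName
            AppId         = $req.appId
            PendingScopes = $scopes -join ', '
        }
    }
    $uri = $page.'@odata.nextLink'
}
```

Comparing the PendingScopes column against what the app actually needs is the review that the Approve button in step 8 skips over.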
Granting tenant-wide admin consent to an application
Microsoft documentation here talks about needing to grant admin consent for the applications to be available tenant-wide. It’s really easy to do. In my example, the BlueMail app is now listed under Enterprise Applications, so all we needed to do was:
1️⃣ Go to Enterprise applications > Select the application from the list > Select Permissions and then click Grant admin consent.
2️⃣ Agree with the permissions the application requires and grant consent.