Microsoft SSO Login Approval Requests and How to Fix Them
When accessing the Partner Portal, having received an email invite or link, users may encounter login issues when signing in via Microsoft Single Sign-On (SSO), particularly when Microsoft displays an “Approval Required” prompt. This typically occurs due to permission restrictions or consent policies configured in Azure Active Directory (Azure AD).
This article outlines the reasons behind this approval request and provides steps to resolve it effectively.
Why is Approval Requested?
During user login, the Partner Portal requests access to some Microsoft 365 data and resources such as the user profile and email, which require admin consent within Azure Active Directory (Azure AD). As a result, Microsoft may prompt for admin approval, especially in Azure AD environments with strict consent policies.
Circumstances for approval request:
Admin Consent Is Required for the Application
the Partner Portal may request access to user profile data or Microsoft Graph APIs. If these permissions require admin consent and have not been granted, users will be blocked from logging in.Consent Has Not Been Granted for All Users
Even if an admin has approved the app, the consent may be scoped only to the admin or a specific group. Other users will still see the approval prompt unless tenant-wide consent is configured.Admin Consent Workflow Is Enabled
Some organizations enforce an Admin Consent Workflow, which requires users to request access and wait for an administrator to manually approve the app.Application Permissions Have Changed
If the Partner Portal updates its required permissions, previously granted consent may no longer be valid. This can trigger a new approval request.
Resolution Step
Contact your Azure AD administrator to remove the approval process or to approve the Partner Portal application for organizational use and ensure tenant-wide consent is granted for all users. For more details, refer to Microsoft’s documentation on Admin Consent Workflow.
Related Articles
Microsoft App Registrations: Publisher Verification
As part of creating a brand, app registrations for the Partner portal and Call Manager service are created in the Partner's Microsoft tenant. This allows you to control the branding for these (such as name and logo). It also allows you to verify the ...Adding and Managing GCC High and Commercial Tenants
Call Manager supports both Microsoft Commercial Cloud and Microsoft GCC High (GCCH). Once configured, Provisioner will be able to create and manage both Commercial and GCCH customer tenants from a single portal. Add Branded GCC High Cloud Support ...Access a Customer's Call Manager as a Partner
Partners can access the Call Manager instances for all their customers, both at their Partner level and for all child Partners. Login to admin.yourbrand.com Partner Management portal. Navigate to the appropriate Partner level Select Customers on the ...Audit Logs in Provisioner
Overview Each change made in the Provisioner platform is tracked in an Audit Log. This is available from the Provisioner interface using the menu on the left hand side to select 'Audit Log'. The log is shown for the current Partner. To view changes ...Troubleshooting Direct Routing Calls
Call Manager can view all PSTN call logs from Microsoft Teams, whether the calls arrived via a Microsoft Calling Plan, Operator Connect or Direct Routing. View Direct Routing Information For Direct Routing, some additional SIP-level information is ...