Granting an admin consent in Entra ID from the comfort of your own machine

This is probably an obvious thing to most Entra ID admins, but I wanted to blog this here just in case others weren’t aware… and also as a reminder to myself.

As an Entra admin, one of the common requests I get is to grant admin consent to an app. A user visits some website that supports SSO with Entra ID and is unable to proceed because an admin consent is needed.

We don’t just go ahead and approve it; we require approvals from non-IT folks like Security, though eventually I or one of my colleagues has to do the admin consent if we are good to go.

Sometimes we are lucky and the developer of the app provides an admin consent URL with the required permissions etc. But a lot of times they are clueless and what we have to do then is jump on a call with the users or admins of the app. Which… while I don’t mind a call… is a waste of time. Why do I have to jump on a 15-30 minute call just to do this?? And worse, we have Conditional Access policies that restrict where my admin account can log in from, so I have to jump through additional hoops beforehand to get exceptions for my admin account so it can log in on the user machine to do a consent. Oh, and I forgot, all my accounts have a gibberish password which I now have to somehow get across to the user machine where I am screensharing (good luck typing pAZ3j0&pcxPzfc5y4Om0%GT2F#ch4AwgL@80vTD3DFqbg3FKORs2BzWrIKe@^j#UZ0wt% manually!). And I am paranoid and don’t trust other people’s computers (I shouldn’t trust my own either, but I’ve got to start somewhere I guess 😬) and so am always wary that maybe something on the user machine is logging my password and I must change it immediately (this is not really an issue because the account is protected by MFA and also Conditional Access policies, but like I said I am paranoid!).

Anyways, long story short (too late!) what I’d really like is a way to do an admin consent from my admin machine even when I don’t have the consent URL. What can one do here?

Easy, actually! 😁

Ask the user to sign in as usual until they reach the admin consent page. (Skip this step of course if you already have the details of someone who signed in and got to the consent page).

Then go to the Entra ID sign-in logs for that user and find this sign-in attempt. It should have a status of Failure with sign-in error code 65001 (AADSTS65001, “the user or administrator has not consented to use the application”) and show the name of the app/website.

Open that entry and note the Application ID (this is the app’s client ID, which is what the consent URL needs).

Now construct a URL like this: https://login.microsoftonline.com/<tenantID>/adminconsent?client_id=<applicationID> (this is Microsoft’s documented admin consent endpoint). The well-known form uses “common” in place of the tenant ID and that works too, but putting your own tenant ID in makes sure the consent lands in the tenant you intend rather than whichever one your admin account happens to sign in to.

Visit that from the comfort of your own computer while sipping hot chocolate and after enabling a role that can grant admin consent. Application Administrator or Cloud Application Administrator covers delegated permissions and most application permissions; application permissions on Microsoft Graph need Global Administrator or Privileged Role Administrator. Go through the consent screen as you would usually:

Review the permissions and the publisher shown, then click “Accept”. Clicking Accept is the tenant-wide grant: everything the app has registered as required gets consented for the whole org right here, so this is the place to read the list carefully, not an afterthought. If the permissions or the publisher don’t match what the requestor described (an unexpected Application permission, an unverified publisher for an app that claims to be a well-known SaaS product), close the tab instead; an application ID lifted from a sign-in log is only as trustworthy as the app behind it, and a consent-phishing app produces exactly the same Failure entry as a legitimate one. The next step lets you double-check what was actually granted.

Now visit Entra ID > Enterprise Applications and search for the app (the name that appears in the dialog above when you consented). Consenting created a service principal for the app in your tenant, which is why it now shows up here.

Go to the Permissions section and double-check what was granted: the permissions you expected, of type Delegated (an Application permission here means the app can act without any signed-in user, so treat it as a red flag unless it was explicitly requested and approved). If something is wrong, remove the grant from this page. The “Grant admin consent for <org>” button on this page uses the same admin consent endpoint you just visited, so if the grant is already listed you don’t need to click it again.

And that’s it! Because the consent is tenant-wide, anyone in the firm can now sign in to that app. As a best practice I also set “Assignment required?” to Yes under the app’s Properties and, under Users and groups, assign only the groups or users who actually need access to the app.
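The same procedure, done from the admin machine with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post: it pulls the consent-blocked sign-in from the logs, builds the consent URL with your own tenant ID, and after you have accepted in the browser it lists what was actually granted and locks the app down to one group. The user principal name and group name are placeholders (assumptions, not from the post), and the actual Accept still happens interactively in a browser, because the admin consent endpoint has no non-interactive form.

```powershell
# Added example (not from the original post). Placeholders: $userUpn and the group name.
# Scopes: the first two read sign-in logs, the rest read/modify the app's service principal.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All"

$userUpn = "alice@contoso.example"   # placeholder: the user who hit the consent page

# Step 1: find the failed sign-in. Error code 65001 = "user or administrator has not consented".
$signIn = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$userUpn' and status/errorCode eq 65001" -Top 1
if (-not $signIn) { throw "No consent-blocked sign-in found for $userUpn" }
$appId = $signIn.AppId
"App '{0}' ({1}) is waiting for admin consent" -f $signIn.AppDisplayName, $appId

# Step 2: build the consent URL with this tenant's ID rather than 'common'.
$tenantId   = (Get-MgContext).TenantId
$consentUrl = "https://login.microsoftonline.com/$tenantId/adminconsent?client_id=$appId"
"Open this in a browser session that holds an eligible admin role, review, then Accept:`n$consentUrl"

# ... review the permissions and publisher in the browser, click Accept, then continue ...

# Step 3: verify what was granted. Accepting created a service principal for the app.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal for $appId; the consent did not go through" }

# Delegated permissions: ConsentType 'AllPrincipals' is the tenant-wide admin consent.
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    Select-Object ConsentType, Scope, ResourceId

# Application permissions = app roles assigned to this service principal itself.
# A plain SSO app should have none; anything here lets the app act with no user signed in.
$appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
if ($appPerms) {
    Write-Warning "Application permissions were granted; review before proceeding:"
    $appPerms | Select-Object ResourceDisplayName, AppRoleId
}

# Step 4: require assignment, then assign only the group that needs the app.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
$group = Get-MgGroup -Filter "displayName eq 'App Users'"   # placeholder group name
# The all-zero app role ID is the default access role for apps that define no app roles.
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $group.Id `
    -ResourceId $sp.Id -AppRoleId "00000000-0000-0000-0000-000000000000"
```

If the app defines its own app roles, look them up on $sp.AppRoles and assign the specific role instead of the all-zero default; and if Step 3 shows an Application permission you did not approve, remove the grant before doing Step 4 rather than after, since assignment-required only limits who can sign in, not what the app can do on its own.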