
Azure AD login flow to SPA application: require admin approval for first login only

I have a SPA app registration in Azure AD and a react-based login flow using msal-react. Is it possible to make it so regular users are required to request access to the application only for the first login attempt to the app? After an admin approves it, it should no longer be needed to request it again. The things I've tried are:

  • Append prompt: "consent" to the login request. This works, but when the admin receives an email and approves the request, the user is asked to request it again, thus resulting in an infinite request->approve loop.
  • I've enabled and configured Admin Consent Requests under Enterprise Applications -> Manage -> User Settings.
  • I have exposed an API from my WebAPI app that has the value "Admins only" for "Who can consent?" (not sure if this is correct). This permission is added to my SPA application and I have not granted admin consent for it (again, not sure if this is the correct configuration for this).

[Image: SPA API Permissions]

With the above configuration the user can freely login to the app without any "Request Admin Consent Request" popup visible at all.

Is what I am trying to achieve possible at all? If yes, what am I missing in my configuration? Any help would be much appreciated! Thanks!

EDIT #1: I've specified the api://id/Test.Read scope in the login request via msal-react.

When an admin approves an admin consent request, they will usually grant consent on behalf of all users, not only on behalf of the user who requested access.

It sounds like you're looking for a strategy where each user needs to be approved (once) before they can use an app. This is more of a question of a user's authorization to access the app, rather than the app's authorization to access an API on behalf of a user (or a user's permission to grant that authorization).

You can consider the following option:

  • Do not use prompt=consent (as a general rule, don't).
  • Request only the delegated permissions your app actually needs. If the app doesn't need access to an API, just use scope=openid (or scope=openid profile, etc.).
  • Configure the application to require assignment (under the Azure portal > Azure AD > Enterprise apps > (app) > Properties > Assignment required?).
  • Grant admin consent for the app (on behalf of all users).

With the configuration above, you separate the authorization granted to the app (admin consent) from the authorization for users to access the app (assignment required). Only users who have been assigned the app will be able to sign in to the app. You can choose who can assign the app to users by making them owner of the app under Enterprise apps (i.e. owner of the app's service principal), or by assigning the app to a group and letting whoever owns the group decide.

The main downside of this approach is that there is currently no built-in "click here to request access" experience when a user tries to sign in to the app and they're not assigned.

As part of this strategy, you may also be interested in using the self-service app access feature.
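The answer's client-side half, as an added example that is not code from the question or the answer: the login request the SPA should hand to msal-react once the app is configured for "Assignment required?" (needed scopes only, no prompt: "consent"), plus a small helper that recognises the sign-in failure an unassigned user gets so the app can show its own "ask an admin for access" message, since the answer notes there is no built-in request-access experience. Assumptions: the api://id/Test.Read scope name is the one from the question, and the AADSTS50105 error text below is a constructed sample of the message Azure AD returns for an unassigned user.

```javascript
// Scopes the app really needs. No API scope by default and no prompt:"consent":
// the admin consented once for all users, and per-user access is enforced by
// "Assignment required?" on the enterprise app, not by repeated consent prompts.
const BASE_SCOPES = ["openid", "profile"];

// Builds the object passed to msal-react's instance.loginRedirect()/loginPopup().
// extraScopes is only for APIs the app actually calls, e.g. ["api://id/Test.Read"].
function buildLoginRequest(extraScopes = []) {
  return { scopes: [...BASE_SCOPES, ...extraScopes] }; // deliberately no "prompt"
}

// Azure AD refuses sign-in by a user who is not assigned to the app with error
// code AADSTS50105 in the error description (assumption: your tenant surfaces
// it in errorMessage as MSAL's ServerError normally does).
const NOT_ASSIGNED_CODE = "AADSTS50105";

// Maps an error thrown by MSAL to the UI the SPA should show.
function classifyLoginError(err) {
  const code = err.errorCode ?? "";
  const text = `${code} ${err.errorMessage ?? err.message ?? ""}`;
  if (text.includes(NOT_ASSIGNED_CODE)) return "not_assigned";   // show request-access UI
  if (code === "interaction_required" || code === "consent_required") {
    return "consent_required";                                    // admin has not consented yet
  }
  return "other";
}

// Constructed sample (not a real capture) of the shape MSAL raises for an
// unassigned user; only the AADSTS code inside the message is matched on.
const sampleNotAssigned = {
  errorCode: "invalid_grant",
  errorMessage:
    "AADSTS50105: Your administrator has configured the application to block " +
    "users unless they are specifically granted ('assigned') access to the application.",
};

console.log(buildLoginRequest(["api://id/Test.Read"]));
console.log(classifyLoginError(sampleNotAssigned)); // not_assigned
```

In the React tree, the "not_assigned" result is where you render a message naming the app owner or group owner who can assign the user, instead of retrying login.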
