Getting error for enterprise application

Jack Marti 0 Reputation points
2026-03-04T19:56:06.44+00:00

I have a user who cannot connect their Outlook account calendar. Permissions have been provided via Entra and they are added to this list. However, every time they log in, it says admin approval is needed. When I try to log in as an admin, it connects my account/credentials.

I've never had this issue before and have had 50+ users use this application without issue. This is the diagnostic report, but permissions to my knowledge have been set and should be user consent based.

1. Summary

Based on the information provided, the user was trying to sign into Workstream but the sign-in failed because admin consent is required for the permissions requested by this application (error code 90094).

2. Context Explanation

The user initiated an interactive browser sign-in from using Edge. The first-factor authentication succeeded, indicating that Chloe’s credentials were valid. However, when the Workstream application attempted to acquire a token for Microsoft Graph, Azure AD blocked the request because the application’s delegated permissions require tenant-wide (admin) approval. No conditional access policies impacted this sign-in.

3. Troubleshooting Guidance

Ask a tenant administrator to grant consent for the permissions Workstream requires. In the Azure portal, go to Azure Active Directory > Enterprise applications > Workstream > Permissions, then select “Grant admin consent.” If your organization restricts user consent, ensure that the required Graph permissions are approved in App registrations > Workstream > API permissions and grant admin consent there as needed. Once consent is granted, Chloe’s sign-in should succeed.

6. Authentication Details

| Date | Auth method | Results | Requirement |
| --- | --- | --- | --- |
| 2026-03-04T19:40:47Z | Previously satisfied | Success – First factor requirement satisfied by claim in the token | singleFactorAuthentication |

2 answers

  1. Raja Pothuraju 46,995 Reputation points Microsoft External Staff Moderator
    2026-03-10T08:58:58.11+00:00

    Hello @Jack Marti,

    The AADSTS90094 error occurs when a non-administrator user attempts to use an application that requires consent, but the company administrator has turned off the ability for users to consent to applications.

    Symptom: When admin consent workflow is disabled, users will see this error message saying “Need admin approval”. Error code on sign-in log is AADSTS90094.

    Solutions

    CAUSE 1 The Request Includes "prompt=consent"

    The request from the app to Entra ID includes “prompt=consent”.

    SOLUTION for the CAUSE 1: In this case, Entra ID will honor “prompt=consent” and prompt consent even when admin consent is already granted. The solution is asking the app vendor/owner to remove “prompt=consent” in the request from the app to Entra ID.

    Reference for 'prompt' parameter.

    CAUSE 2 Microsoft detects risky permissions request.

    Check Audit Logs - ApplicationManagement - Consent to application - Risky application detected.

    SOLUTION for the CAUSE 2: Review risk detection and approve if valid. Reference.

    CAUSE 3 User assignment required but no admin consent given

    Check Enterprise app - Properties - 'User assignment required' is set to 'Yes'.

    SOLUTION for the CAUSE 3: To allow user consent, disable user assignment required. Reference.


  2. Q&A Assist
    2026-03-04T19:56:23.7666667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Error AADSTS90094 indicates that the permissions requested by the Workstream enterprise application require admin consent and haven’t been granted for the tenant or for this specific configuration.

    To resolve for this user:

    1. Verify tenant-wide consent and permissions
      1. In Azure portal, go to Microsoft Entra ID → Enterprise applications → select Workstream.
      2. Under Security or Permissions (depending on portal view), open the Permissions pane.
      3. Select Grant admin consent for <TenantName> so that all requested Microsoft Graph (and other) delegated permissions are approved at admin level.
      4. Confirm that the status for each permission shows as “Granted for <TenantName>”.
    2. Check user-consent policy
      1. In Microsoft Entra ID → Enterprise applications → Consent and permissions.
      2. Under User consent for applications, confirm whether:
        • Allow user consent for apps is enabled, or
        • If Do not allow user consent is set, ensure admin consent (step 1) is completed; otherwise users will always see “Need admin approval”.
    3. Confirm the correct app and service principal
      1. In Enterprise applications, set Application type to All applications and search for the exact App ID shown in the error/diagnostic report.
      2. Make sure the service principal for that App ID exists. If it doesn’t, re-initiate sign-in and perform admin consent when prompted.
    4. Verify assignment requirements for this app
      1. In Enterprise applications → Workstream → Properties.
      2. Check Assignment required:
        • If Yes, ensure the affected user is explicitly assigned to the app (Users and groups → Add user/group).
        • If admin consent is granted but the user is not assigned, sign-in will still fail.
    5. Compare requested vs granted permissions
      • If Workstream was updated to request new Graph scopes after the original admin consent, the new scopes may not be granted. Re-run Grant admin consent so that all currently requested scopes are approved.
    6. If Workstream is registered in the tenant (owned app)
      1. Go to App registrations → Workstream → API permissions.
      2. Ensure at least Microsoft Graph → User.Read (or OpenId/sign-in equivalent) is present and shows as Granted for <TenantName>.
      3. If status is Pending/blank, use Grant admin consent there as well.

    Once tenant-wide admin consent is correctly granted for the exact Workstream app ID, and the user is assigned if required, the user’s sign-in and calendar connection should succeed without further “Need admin approval” prompts.


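The checks from the two answers above (Cause 1 and Cause 3 in the first, step 5 in the second) combined into one offline triage function. This is an added example, not code from either answer or from Microsoft. It assumes the app's authorization request URL, its servicePrincipal object and its Microsoft Graph oauth2PermissionGrant objects have been exported as JSON; the function names and all sample values are constructed.

```python
from urllib.parse import urlsplit, parse_qs

GRAPH_PREFIX = "https://graph.microsoft.com/"

def scopes(scope_string):
    """Split a space-separated scope string, dropping the Graph URI prefix."""
    return {s.replace(GRAPH_PREFIX, "", 1) for s in (scope_string or "").split()}

def triage_90094(authorize_url, service_principal, grants, user_id):
    """Map one failed sign-in onto the causes discussed in the answers above."""
    query = parse_qs(urlsplit(authorize_url).query)
    requested = scopes(query.get("scope", [""])[0])
    tenant_wide, per_user = set(), set()
    for grant in grants:
        if grant["consentType"] == "AllPrincipals":      # admin consent
            tenant_wide |= scopes(grant["scope"])
        elif grant.get("principalId") == user_id:        # this user's own consent
            per_user |= scopes(grant["scope"])
    no_admin = requested - tenant_wide
    return {
        # Cause 1: the app forces the consent screen on every sign-in.
        "prompt_consent": "consent" in query.get("prompt", []),
        # Step 5: requested scopes that the tenant-wide grant does not cover.
        "scopes_without_admin_consent": sorted(no_admin),
        "scopes_without_any_consent": sorted(no_admin - per_user),
        # Cause 3: with assignment required, users cannot consent themselves,
        # so any scope lacking admin consent ends in "Need admin approval".
        "assignment_blocks_user_consent":
            bool(service_principal.get("appRoleAssignmentRequired")) and bool(no_admin),
    }

# Constructed sample data (not taken from the thread).
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&scope=openid%20offline_access%20User.Read%20Calendars.ReadWrite"
    "&prompt=consent"
)
SAMPLE_SP = {"displayName": "Workstream", "appRoleAssignmentRequired": True}
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals", "principalId": None,
     "scope": "openid offline_access User.Read"},
    {"consentType": "Principal", "principalId": "user-b",
     "scope": "Calendars.ReadWrite"},
]

if __name__ == "__main__":
    for user in ("user-a", "user-b"):
        print(user, triage_90094(SAMPLE_URL, SAMPLE_SP, SAMPLE_GRANTS, user))
```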
