AADSTS90093 - Admin Consent Required
Azure AADSTS90093 is an administrative-approval failure. It indicates that the application is requesting high-privilege API scopes, such as `Directory.Read.All`, or that tenant policy forbids standard users from granting consent to any applications.
Last reviewed: April 8, 2026
What Does Admin Consent Required Mean?
AADSTS90093 is a privilege-escalation signal. Microsoft Entra ID has determined that the requested permissions, either because they are application permissions or broad delegated scopes, could expose sensitive organizational data. As a result, Entra requires a Global Administrator or another suitably privileged role to approve the app on behalf of the tenant. It is the clearest signal that the app’s permission model has exceeded the current user’s authority.
Common Causes
- High-Risk Delegated Scopes: The app requests permissions such as `User.Read.All`, `Group.ReadWrite.All`, or `RoleManagement.Read.Directory`.
- Application-Only Permissions: Any permission requested through app-only patterns such as `/.default` for client-credentials flow requires admin consent.
- Restrictive Tenant Policy: The organization has disabled user consent entirely, making even otherwise low-risk consent paths admin-only.
- Multi-Tenant Onboarding: A new customer tenant is trying the app, but their IT department has not yet approved it for the organization.
- Unverified Publisher Restrictions: The tenant blocks consent to apps from unverified publishers beyond basic identity scopes.
How to Fix Admin Consent Required
1. Use The Admin Consent URL: Provide IT admins with a direct admin-consent link for the tenant and app registration.
2. Use The Grant Button In Entra: In App Registrations > API Permissions, click Grant admin consent for the tenant after validating the scope set.
3. Downscope The Request: Audit the requested permissions and confirm you actually need privileged directory-wide access.
4. Check Enterprise App Settings: Verify the enterprise application is not additionally blocked or restricted in the target tenant.
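The admin consent link from step 1, together with validation of the redirect it returns, as an added example that is not part of the original page. It uses the Microsoft identity platform v2.0 `adminconsent` endpoint; the function names are hypothetical, and the tenant ID, client ID, redirect URI and `state` a caller passes in are its own values.

```javascript
// Added example; function names are hypothetical, not an MSAL or Entra API.
const AUTHORITY = "https://login.microsoftonline.com";

// Build a tenant-pinned v2.0 admin consent URL. `state` must be an unguessable
// per-request value that the caller stores in the admin's session.
function buildAdminConsentUrl({ tenant, clientId, redirectUri, scopes, state }) {
  if (!tenant || tenant.toLowerCase() === "common") {
    throw new Error("use the customer's tenant ID or domain, not 'common'");
  }
  if (!state) throw new Error("state is required to bind the callback to this request");
  const url = new URL(`${AUTHORITY}/${encodeURIComponent(tenant)}/v2.0/adminconsent`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  return url.toString();
}

// Validate the redirect back from Entra before marking the tenant as onboarded.
function parseAdminConsentCallback(callbackUrl, expected) {
  const q = new URL(callbackUrl).searchParams;
  if (q.get("state") !== expected.state) {
    return { ok: false, reason: "state_mismatch" };
  }
  if (q.has("error")) {
    return { ok: false, reason: q.get("error"), detail: q.get("error_description") };
  }
  if ((q.get("admin_consent") || "").toLowerCase() !== "true") {
    return { ok: false, reason: "consent_not_granted" };
  }
  const tenant = (q.get("tenant") || "").toLowerCase();
  if (expected.tenantId && tenant !== expected.tenantId.toLowerCase()) {
    return { ok: false, reason: "tenant_mismatch" };
  }
  const granted = (q.get("scope") || "").split(/\s+/).filter(Boolean);
  return { ok: true, tenant, granted };
}
```

Checking `state` and the returned `tenant` keeps a forged or replayed callback from marking the wrong tenant as approved.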
Step-by-Step Diagnosis for Admin Consent Required
1. Identify the specific scope or permission mentioned in the error response and determine whether it is admin-consent-only.
2. Open Entra sign-in logs and confirm the failure reason is tied to tenant-wide policy or privileged permission approval.
3. Verify the current user’s role. A standard user cannot clear AADSTS90093 no matter how many times they retry.
4. Check tenant-level consent settings to confirm whether user consent is disabled or restricted.
AADSTS90093 vs AADSTS65001
- AADSTS65001: The user may be allowed to grant consent, but the approval is still missing.
- AADSTS90093: The current user is not allowed to grant the requested permission set at all.
Application vs Delegated Permissions
- Delegated Permissions: The app acts as the user. Some can be user-consented, others require an admin.
- Application Permissions: The app acts as itself in background flows and always requires admin consent.
Implementation Examples
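```javascript
// Assumes msalInstance, loginRequest and redirectToAdminInstructions are defined by the app.
async function signIn() {
  try {
    return await msalInstance.loginPopup(loginRequest);
  } catch (error) {
    // MSAL reports the AADSTS code in the error description, not in errorCode
    if (error.errorMessage && error.errorMessage.includes("AADSTS90093")) {
      // Show a specific UI: your IT admin needs to approve this app
      redirectToAdminInstructions();
      return null;
    }
    throw error; // leave other failures to the caller
  }
}
```

```bash
# Grant tenant-wide consent for all configured permissions
az ad app permission admin-consent --id <client-id>
```

Seen in Production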
Enterprise SaaS blocked by tenant approval policy
Frequency: high
Example: A user in a large bank tries to use a productivity app. The bank has user consent turned off for security, so the user hits AADSTS90093 immediately.
Fix: Provide the bank’s IT team with an admin-setup link so they can approve the app globally before end-user sign-in.
Debugging Tools
- Entra ID App Registration Portal: Best place to review and grant app permissions.
- Enterprise Apps What If and Consent Settings: Helpful for understanding whether tenant policy is forcing admin-only approval.
- Microsoft Graph Explorer: Useful for inspecting grants through endpoints such as `/oauth2PermissionGrants`.
How to Verify the Fix
- Confirm the Status column in the API Permissions view shows Granted for the required permissions.
- Verify that a non-admin user can now complete sign-in without hitting the admin-approval block.
- Check Enterprise Applications > Permissions and confirm the organizational grant was recorded correctly.
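The same verification can be scripted against the output of `/oauth2PermissionGrants`. The following is an added example, not code from the original page: the function name is hypothetical and the grant records and object ids are constructed placeholders shaped like the Graph `oauth2PermissionGrant` resource.

```javascript
// Constructed sample shaped like the `value` array of GET /oauth2PermissionGrants.
// All ids are placeholders, not real service principal or user object ids.
const sampleGrants = [
  { clientId: "sp-app-0001", consentType: "AllPrincipals", principalId: null,
    resourceId: "sp-graph-0001", scope: " openid profile User.Read" },
  { clientId: "sp-app-0001", consentType: "Principal", principalId: "user-0042",
    resourceId: "sp-graph-0001", scope: "Group.ReadWrite.All" },
  { clientId: "sp-other-0002", consentType: "AllPrincipals", principalId: null,
    resourceId: "sp-graph-0001", scope: "User.Read.All" },
];

// Classify each required delegated scope for one client/resource pair:
// granted for the whole tenant, granted only to individual users, or missing.
// Application permissions are recorded as app role assignments, not here.
function auditDelegatedGrants(grants, clientSpId, resourceSpId, requiredScopes) {
  const tenantWide = new Set();
  const perUser = new Set();
  for (const g of grants) {
    if (g.clientId !== clientSpId || g.resourceId !== resourceSpId) continue;
    const target = g.consentType === "AllPrincipals" ? tenantWide : perUser;
    // `scope` is a space-separated string and may carry leading whitespace
    for (const s of (g.scope || "").split(/\s+/).filter(Boolean)) {
      target.add(s.toLowerCase());
    }
  }
  const report = { tenantWide: [], perUserOnly: [], missing: [] };
  for (const scope of requiredScopes) {
    const key = scope.toLowerCase();
    if (tenantWide.has(key)) report.tenantWide.push(scope);
    else if (perUser.has(key)) report.perUserOnly.push(scope);
    else report.missing.push(scope);
  }
  return report;
}
```

A scope that lands in `perUserOnly` or `missing` will still produce AADSTS90093 for other non-admin users, so the fix is complete only when every required scope is in `tenantWide`.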
How to Prevent Recurrence
- Design For Multi-Tenancy: If the app is SaaS, provide an explicit admin setup step before expecting end users to sign in.
- Use Least Privilege: Prefer user-consent-friendly scopes where possible to reduce onboarding friction.
- Verify Publisher Identity: Publisher verification reduces the chance of being blocked by conservative consent policies.
- Pro tip: For enterprise apps, document exactly which admin-level scopes are needed and why. That shortens customer security review and speeds up approval.
Provider Context
This guidance is specific to Azure services. Always validate implementation details against official provider documentation before deploying to production.