AADSTS90093 - Admin Consent Required
Azure AADSTS90093 is an administrative-approval failure. It indicates that the application is requesting high-privilege API scopes, such as `Directory.Read.All`, or that tenant policy forbids standard users from granting consent to any applications.
Last reviewed: April 8, 2026 | Editorial standard: source-backed technical guidance
What Does Admin Consent Required Mean?
AADSTS90093 is a privilege-escalation signal. Microsoft Entra ID has determined that the requested permissions, either because they are application permissions or broad delegated scopes, could expose sensitive organizational data. As a result, Entra requires a Global Administrator or another suitably privileged role to approve the app on behalf of the tenant. It is the clearest signal that the app’s permission model has exceeded the current user’s authority.
Common Causes
- High-Risk Delegated Scopes: The app requests permissions such as `User.Read.All`, `Group.ReadWrite.All`, or `RoleManagement.Read.Directory`.
- Application-Only Permissions: Any permission requested through an app-only pattern, such as `/.default` in the client-credentials flow, requires admin consent.
- Restrictive Tenant Policy: The organization has disabled user consent entirely, making even otherwise low-risk consent paths admin-only.
- Multi-Tenant Onboarding: A new customer tenant is trying the app, but their IT department has not yet approved it for the organization.
- Unverified Publisher Restrictions: The tenant blocks consent to apps from unverified publishers beyond basic identity scopes.
How to Fix Admin Consent Required
1. Use The Admin Consent URL: Provide IT admins with a direct admin-consent link for the tenant and app registration.
2. Use The Grant Button In Entra: In App Registrations > API Permissions, click Grant admin consent for the tenant after validating the scope set.
3. Downscope The Request: Audit the requested permissions and confirm you actually need privileged directory-wide access.
4. Check Enterprise App Settings: Verify the enterprise application is not additionally blocked or restricted in the target tenant.
Step-by-Step Diagnosis for Admin Consent Required
1. Identify the specific scope or permission mentioned in the error response and determine whether it is admin-consent-only.
2. Open Entra sign-in logs and confirm the failure reason is tied to tenant-wide policy or privileged permission approval.
3. Verify the current user's role. A standard user cannot clear AADSTS90093 no matter how many times they retry.
4. Check tenant-level consent settings to confirm whether user consent is disabled or restricted.
AADSTS90093 vs AADSTS65001
- AADSTS65001: The user may be allowed to grant consent, but the approval is still missing.
- AADSTS90093: The current user is not allowed to grant the requested permission set at all.
Application vs Delegated Permissions
- Delegated Permissions: The app acts as the user. Some can be user-consented, others require an admin.
- Application Permissions: The app acts as itself in background flows and always requires admin consent.
Implementation Examples

```javascript
// MSAL.js: detect the admin-consent block during interactive sign-in.
// MSAL's ServerError carries the AADSTS code in errorMessage; errorCode holds
// the OAuth error string (for example "invalid_grant"), so match on the message.
try {
  const response = await msalInstance.loginPopup(loginRequest);
} catch (error) {
  const message = error?.errorMessage ?? String(error);
  if (message.includes("AADSTS90093")) {
    // Show a specific UI: your IT admin needs to approve this app
    redirectToAdminInstructions();
  } else {
    throw error; // not a consent problem; let the normal error path handle it
  }
}
```

```bash
# Grant tenant-wide consent for all configured permissions
az ad app permission admin-consent --id <client-id>
```

How to Verify the Fix
- Confirm the Status column in the API Permissions view shows Granted for the required permissions.
- Verify that a non-admin user can now complete sign-in without hitting the admin-approval block.
- Check Enterprise Applications > Permissions and confirm the organizational grant was recorded correctly.
How to Prevent Recurrence
- Design For Multi-Tenancy: If the app is SaaS, provide an explicit admin setup step before expecting end users to sign in.
- Use Least Privilege: Prefer user-consent-friendly scopes where possible to reduce onboarding friction.
- Verify Publisher Identity: Publisher verification reduces the chance of being blocked by conservative consent policies.
- Pro tip: For enterprise apps, document exactly which admin-level scopes are needed and why. That shortens customer security review and speeds up approval.