
Azure AD Login flow to SPA application require admin approval for first login only

I have a SPA app registration in Azure AD and a React-based login flow using msal-react. Is it possible to make it so that regular users are required to request access to the application only on their first login attempt to the app? After an admin approves it, they should not need to request it again. The things I've tried are:

SPA API Permissions

With the above configuration the user can freely login to the app without any "Request Admin Consent Request" popup visible at all.

Is what I am trying to achieve possible at all? If yes, what am I missing in my configuration? Any help would be much appreciated! Thanks!

EDIT #1: I've specified the api://id/Test.Read scope in the login request via msal-react.


  • When an admin approves an admin consent request, they will usually grant consent on behalf of all users, not only on behalf of the user who requested access.

    It sounds like you're looking for a strategy where each user needs to be approved (once) before they can use an app. This is more of a question of a user's authorization to access the app, rather than the app's authorization to access an API on behalf of a user (or a user's permission to grant that authorization).

    You can consider the following option:

    With the configuration above, you separate the authorization granted to the app (admin consent) from the authorization for users to access the app (assignment required). Only users who have been assigned the app will be able to sign in to the app. You can choose who can assign the app to users by making them owner of the app under Enterprise apps (i.e. owner of the app's service principal), or by assigning the app to a group and letting whoever owns the group decide.

    The main downside of this approach is that there is currently no built-in "click here to request access" experience when a user tries to sign in to the app and they're not assigned.

    As part of this strategy, you may also be interested in using the self-service app access feature.
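The assignment-required strategy described in the answer above, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the question, the answer or Microsoft; the client ID, UPN and group name are placeholders to replace with your own values.

```powershell
# Added example (not from the original question or answer): enforce "Assignment required"
# on the SPA's service principal, then assign one user and one group to it.
# Placeholders: $clientId, the UPN "alice@contoso.example" and the group "SPA Users".
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "User.Read.All", "Group.Read.All"

# The SPA app registration's Application (client) ID (placeholder value).
$clientId = "11111111-2222-3333-4444-555555555555"
# The enterprise app object for that registration (the service principal).
$sp = Get-MgServicePrincipal -Filter "appId eq '$clientId'"

# 1. Require assignment. From now on an unassigned user is refused a token at sign-in
#    (error AADSTS50105) instead of being let in; consent is unaffected.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 2. Assign a single user. An app that defines no app roles uses the all-zero default role ID.
$defaultRole = "00000000-0000-0000-0000-000000000000"
$user = Get-MgUser -UserId "alice@contoso.example"        # placeholder UPN
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId $defaultRole

# 3. Or assign a group so its owners decide who gets in (group assignment needs Azure AD Premium P1).
$group = Get-MgGroup -Filter "displayName eq 'SPA Users'"  # placeholder group
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $defaultRole

# 4. Verify who can now sign in to the app.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```

The admin consent grant for the api://id/Test.Read scope stays a separate, tenant-wide step (Enterprise applications > Permissions, or the admin consent URL); this script only controls which principals may sign in. Note that "Assignment required" is enforced on this service principal alone: if the SPA's backend API is a second app registration, set the same flag on that API's service principal too, or a user can still obtain tokens for the API directly.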