Cannot Login to APIM Developer Portal with Azure AD User; Admin Approval Mail Has No Approval Link

Question

Cannot Login to APIM Developer Portal with Azure AD User; Admin Approval Mail Has No Approval Link

Mohammad Iqbal 0

Issue: I have enabled “Enable User Sign-In with Azure Active Directory” for my Azure API Management (APIM) instance. However, when I attempt to log in to the Developer Portal using my Azure AD user, the login process fails due to missing admin approval.

Steps to Reproduce:

In the Developer Portal, I click Sign in.
I select the Azure Active Directory sign-in option.
A pop-up window appears requesting admin approval (see screenshot).
I click Request Approval and provide a reason.
An email is sent to the Azure AD admin for approval.

Problem: The administrator receives an email, but the email does not contain any approval link or actionable button to grant consent for the app.

What I Expected: The admin should receive an actionable approval link/button in the email to approve the app so users can sign in via Azure AD.

Additional Info:

Screenshot showing the "Admin approval required" prompt is attached (see above).
The app requesting approval: apim-acwnotificationfunctions-prod semler.dk
Permissions requested: Read directory data, sign in and read user profile, etc.
The process for app/AAD sign-in was either automatically provisioned or set up as per Microsoft documentation.

Rakesh Mishra 4,030 Reputation points Microsoft External Staff Moderator

2025-11-28T13:10:45.2266667+00:00
Hi @Mohammad Iqbal ,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Please check below and share your findings.

Configuration Verification: Ask your Azure AD admin to verify a few aspects of the Microsoft Entra application:

Under Authentication, ensure that access tokens and ID tokens are enabled.

Confirm the Redirect URI is correctly pointed to the Developer Portal.

Check the app permissions in the Azure Portal to ensure that Directory.ReadAll and User.Read permissions are granted.

Make sure admin consent has been granted for these permissions.

Republishing the Developer Portal: After any changes in the Azure AD settings or permissions, republish the portal to ensure that the updates take effect.

Automatic Enablement: If the AAD integration wasn't set up automatically, consider removing the existing Azure AD identity provider and allowing APIM to recreate it automatically. This often resolves issues relating to misconfiguration.

Reference:

Authenticate users with Azure AD in API Management

Troubleshooting Microsoft Entra authentication in API Management

APIM developer portal - frequently asked questions
Mohammad Iqbal 0 Reputation points

2025-12-01T09:32:43.4+00:00
Done

Already done

Already used automatic Enablement, so I expected that it should work. But still an issue, when logging in I am still prompted for.

Steps performed:

Clicked on 'Sign in'.

Clicked on 'Azure Active Directory'.

The approval window appeared.

Clicked on 'Send to approval'.

Current status: Under App registrations > Authentication > Settings, both Access tokens and ID tokens are currently not checked.

As shown in the attached screenshot, access will be granted based on organizational account membership, and the previous approval step is no longer needed.
Rakesh Mishra 4,030 Reputation points Microsoft External Staff Moderator

2025-12-01T09:45:58.1466667+00:00

Sorry, I cannot see any screenshots attached. I have reached out to you over Private message. Could you please share there.
Rakesh Mishra 4,030 Reputation points Microsoft External Staff Moderator

2025-12-01T16:25:52.9233333+00:00
As I suggested in my first comment, issue is that Admin consent is not granted in API Permissions in App registration similar as in screenshot below.

Please try below.

Tenant admin: grant tenant-wide admin consent directly (recommended). The admin can grant consent for that application so end users won’t need to request approval again: Azure portal → Microsoft Entra ID → App registrations (or Enterprise applications) → select the APIM app → API permissions → Grant admin consent for <Tenant>.

If the user is an external/guest account, make sure the guest is invited & accepted. Guest (B2B) users must be invited to the tenant (Entra → Users → Invite external user) or you must use Microsoft Entra External ID/B2B configuration for the developer portal. After inviting the guest, they must accept the invitation before signing in to the portal.

After consent/config changes: republish the developer portal.
Mohammad Iqbal 0 Reputation points

2025-12-05T06:34:55.2166667+00:00

Hello, Still an issue.

We have granted admin consent for our Tenant in the permission for APMI App registrations.

And it is internal user which log-in to the Developer Portal clicking on available button 'Active Directory'. Every time a popup window starts which requires a approval. The API admin receives a mail with the Request which does not contain any link to approve the User.
Rakesh Mishra 4,030 Reputation points Microsoft External Staff Moderator

2025-12-11T11:11:38.1033333+00:00
Hi @Mohammad Iqbal ,

Could you please ask admin to check below and share findings.

Confirm you granted consent on the Enterprise application (service principal) Azure portal → Azure Active Directory → Enterprise applications → All applications → find the app by name or client id (use the client id from APIM → Developer portal → Identities). Open the app → Permissions (or Permissions and consent) and verify it shows Granted for <Tenant>. If it doesn’t, click Grant admin consent here.

If you only granted consent under App registrations, repeat for Enterprise apps App registration and Enterprise application are separate objects. Granting only on App registrations does not always surface as granted at runtime — make sure the Enterprise application shows tenant consent.

Check the app identity the developer portal actually uses In APIM: APIM instance → Developer portal → Identities — copy the Application (client) ID and confirm that is the same client id you inspected in Enterprise applications.

Use the admin-consent URL to force consent An admin can open this URL (replace placeholders) and sign-in to approve:
https://login.microsoftonline.com/<tenant-id>/adminconsent? client_id=<application-client-id>&redirect_uri=<one-of-app-redirect-uris>
After the admin signs and approves, the app will be consented for the tenant.

Enable / check the Admin consent request workflow (if you want email-based approvals) Azure AD → Enterprise applications → User settings → Admin consent requests (Preview).

Ensure Users can request admin consent to apps they are unable to consent to is enabled.

Add the correct reviewer(s) (the mailbox that receives the notification). When configured correctly, the reviewer email will contain a link to the Admin consent requests page where they can approve. If this feature is not enabled, the request email may be informational only (no approve link).

After consent is granted republish the developer portal Changes to identity config sometimes require republishing: APIM → Developer portal → Republish.

3 answers

Your answer

Rakesh Mishra 4,030 Reputation points Microsoft External Staff Moderator

2025-11-28T13:10:45.2266667+00:00

Hi @Mohammad Iqbal ,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Please check below and share your findings.

Configuration Verification: Ask your Azure AD admin to verify a few aspects of the Microsoft Entra application:

Under Authentication, ensure that access tokens and ID tokens are enabled.

Confirm the Redirect URI is correctly pointed to the Developer Portal.

Check the app permissions in the Azure Portal to ensure that Directory.ReadAll and User.Read permissions are granted.

Make sure admin consent has been granted for these permissions.

Republishing the Developer Portal: After any changes in the Azure AD settings or permissions, republish the portal to ensure that the updates take effect.

Automatic Enablement: If the AAD integration wasn't set up automatically, consider removing the existing Azure AD identity provider and allowing APIM to recreate it automatically. This often resolves issues relating to misconfiguration.

Reference:

Authenticate users with Azure AD in API Management

Troubleshooting Microsoft Entra authentication in API Management

APIM developer portal - frequently asked questions
Mohammad Iqbal 0 Reputation points

2025-12-01T09:32:43.4+00:00

Done

Already done

Already used automatic Enablement, so I expected that it should work. But still an issue, when logging in I am still prompted for.

Steps performed:

Clicked on 'Sign in'.

Clicked on 'Azure Active Directory'.

The approval window appeared.

Clicked on 'Send to approval'.

Current status: Under App registrations > Authentication > Settings, both Access tokens and ID tokens are currently not checked.

As shown in the attached screenshot, access will be granted based on organizational account membership, and the previous approval step is no longer needed.
Rakesh Mishra 4,030 Reputation points Microsoft External Staff Moderator

2025-12-01T09:45:58.1466667+00:00

Sorry, I cannot see any screenshots attached. I have reached out to you over Private message. Could you please share there.
Rakesh Mishra 4,030 Reputation points Microsoft External Staff Moderator

2025-12-01T16:25:52.9233333+00:00

As I suggested in my first comment, issue is that Admin consent is not granted in API Permissions in App registration similar as in screenshot below.

Please try below.

Tenant admin: grant tenant-wide admin consent directly (recommended). The admin can grant consent for that application so end users won’t need to request approval again: Azure portal → Microsoft Entra ID → App registrations (or Enterprise applications) → select the APIM app → API permissions → Grant admin consent for <Tenant>.

If the user is an external/guest account, make sure the guest is invited & accepted. Guest (B2B) users must be invited to the tenant (Entra → Users → Invite external user) or you must use Microsoft Entra External ID/B2B configuration for the developer portal. After inviting the guest, they must accept the invitation before signing in to the portal.

After consent/config changes: republish the developer portal.
Mohammad Iqbal 0 Reputation points

2025-12-05T06:34:55.2166667+00:00

Hello, Still an issue.

We have granted admin consent for our Tenant in the permission for APMI App registrations.

And it is internal user which log-in to the Developer Portal clicking on available button 'Active Directory'. Every time a popup window starts which requires a approval. The API admin receives a mail with the Request which does not contain any link to approve the User.

Answer 1

It sounds like you are encountering an issue with the admin approval process for Azure Active Directory (Azure AD) when trying to log into the Azure API Management (APIM) Developer Portal. The absence of an actionable approval link in the email sent to the admin can be frustrating. Here are some steps you can take to resolve this issue:

Check Admin Consent Settings: Ensure that the Azure AD admin has the necessary permissions to grant consent for the application. The admin can sign in to the Azure Portal and navigate to Azure Active Directory > Enterprise Applications > [Your App] > Permissions to review the permissions requested and grant consent if necessary.
Use the Admin Consent Endpoint: If the admin is not receiving an actionable link, they can manually grant permissions using the admin consent endpoint. This can be done by following the instructions in the Microsoft documentation regarding administrative consent for applications.
Contact Microsoft Support: If the issue persists, it may be beneficial to contact Microsoft support for further assistance, as they can provide specific insights into your Azure AD configuration and the application in question.
Review Documentation: Make sure that the setup of the app and the permissions requested align with the guidelines provided in the Microsoft documentation for Azure API Management and Azure AD integration.

By following these steps, you should be able to resolve the issue and allow users to sign in via Azure AD successfully.

Answer 2

Mohammad Iqbal 0

Hello,

It is inded,

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 3

Mohammad Iqbal 0

2025-12-02_12-58-46.jpg Check the following screenshot.

Share via

Cannot Login to APIM Developer Portal with Azure AD User; Admin Approval Mail Has No Approval Link

3 answers

Your answer