Tags: azure, oauth-2.0, azure-active-directory, postman

Getting a token from Microsoft Entra ID with Postman using MFA


I am trying to get an access token from Microsoft Entra ID with Postman. I have created an app registration with a secret.

The app registration has the User.Read permission.

I have set up the following authentication.

In Postman I have the following:

In the URL I have a POST with: https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/authorize

In the Auth tab I have the following settings.

When I click Get New Access Token, Postman opens a browser, and I can enter my credentials and MFA. However, I get the following error message: "Need admin approval".


Solution

  • The error "Need admin approval" usually occurs if user consent is disabled at the tenant level, or if admin consent is not granted to the Microsoft Entra ID application's API permissions.

    In your scenario, as you granted the User.Read API permission and as this API permission does not require admin consent, cross-verify whether user consent is disabled.

    Initially I registered a Microsoft Entra ID application and added API permissions, and got the same error.

    To resolve the error, enable the user consent flow like below:

    Go to Azure Portal -> Enterprise application -> Consent and permissions -> User consent settings -> Enable the option Allow user consent for apps -> Save

    To configure the setting below, you need to have the Privileged Role Administrator role or the Global Admin role.

    After the above setting, wait for some time and try to authorize the user.

    I used the below endpoint to authorize the user:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
    client_id=ClientID
    &response_type=code
    &redirect_uri=RedirectURL
    &response_mode=query
    &scope=openid%20profile%20user.read
    &state=12345
    

    The user is authorized successfully.

    Tokens are generated successfully:

    POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id : ClientID
    grant_type : authorization_code
    scope : scope
    redirect_uri : RedirectURL
    code : Code
    client_secret : ClientSecret
    

    You can also try to configure the admin consent workflow if the issue still persists.

    Reference:

    Configure how users consent to applications - Microsoft Entra ID | Microsoft
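As an added example (not code from the question or the answer), the two steps the answer walks through in Python: building the authorize URL with the scope properly encoded, checking the state on the callback before using the code, and redeeming the code with a POST to the token endpoint. Tenant, client, secret and redirect values are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def new_state() -> str:
    """Unguessable per-login state; a fixed value like 12345 gives the callback check no value."""
    return secrets.token_urlsafe(16)


def build_authorize_url(tenant_id, client_id, redirect_uri, scopes, state):
    """Step 1: the authorization request. Scopes are space-separated; urlencode
    encodes them and joins the parameters, so no stray '?&' appears in the URL."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_redirect(redirect_url, expected_state):
    """Parse the callback. The state is checked before the code is touched; when
    Entra redirects with an error it arrives as 'error' instead of 'code'."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login")
    if "error" in qs:
        return {"error": qs["error"][0],
                "error_description": qs.get("error_description", [""])[0]}
    return {"code": qs["code"][0]}


def build_token_request(tenant_id, client_id, client_secret, redirect_uri, scopes, code):
    """Step 2: redeem the code. The v2.0 token endpoint takes a POST with a
    form-encoded body; the secret goes in the body, never in the URL."""
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "code": code,
        "client_secret": client_secret,
    }
    return {"method": "POST",
            "url": f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}
```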