Microsoft SSO Approval Required in BoldDesk – Causes and Fix
In BoldDesk, users may encounter login issues when signing in via Microsoft Single Sign-On (SSO), particularly when Microsoft displays an “Approval Required” prompt. This typically occurs due to permission restrictions or consent policies configured in Azure Active Directory (Azure AD).
This article outlines the reasons behind this approval request and provides steps to resolve it effectively.
Why is Approval Requested?
During user login, BoldDesk requests access to sensitive Microsoft 365 data and resources such as the user profile, email, and Teams, which require admin consent within Azure Active Directory (Azure AD). As a result, Microsoft may prompt for admin approval, especially in Azure AD environments with strict consent policies.
Common Causes
The “Approval Required” prompt in Microsoft SSO typically occurs due to tenant-level consent and permission settings within Microsoft Entra ID. Understanding the underlying causes can help administrators quickly identify why access is being blocked and take appropriate action.
1. Admin Consent Required for Permissions
If any requested Microsoft Graph permissions require admin approval and consent has not been granted, sign-in will be blocked.
2. Limited Consent Scope
Consent may have been granted only to:
- Specific users
- A security group
- An administrator account
Users outside this scope will still see the “Approval Required” prompt.
3. Admin Consent Workflow Enabled
If Admin Consent Workflow is enabled in the tenant, users must request access and wait for an administrator to approve the application before signing in.
4. Updated Application Permissions
If BoldDesk has updated the permissions it requests, previously granted consent may no longer be sufficient. This can trigger the approval prompt again.
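The checks behind causes 1, 2 and 4 can be run over an export of the tenant's delegated permission grants. The following is an added example, not BoldDesk or Microsoft code: the record fields follow Microsoft Graph's oauth2PermissionGrant resource, while `REQUIRED_SCOPES`, the IDs and the sample grants are constructed placeholders. It covers tenant-wide and per-user grants only; the Admin Consent Workflow is not modelled.

```python
# Added example: classify why a user would hit "Approval Required",
# using records shaped like Microsoft Graph oauth2PermissionGrant objects.

# Assumption: placeholder scope set. Substitute the delegated permissions
# listed on the BoldDesk enterprise application in your tenant.
REQUIRED_SCOPES = {"openid", "profile", "email", "User.Read"}

# Constructed sample grants (IDs are made up, not from a real tenant).
SAMPLE_GRANTS = [
    {"clientId": "sp-bolddesk", "consentType": "Principal",
     "principalId": "user-admin", "scope": "openid profile email User.Read"},
    {"clientId": "sp-bolddesk", "consentType": "Principal",
     "principalId": "user-alice", "scope": "openid profile"},
]


def granted_scopes(grants, client_id, user_id):
    """Union of delegated scopes that apply to user_id for this app."""
    scopes = set()
    for g in grants:
        if g["clientId"] != client_id:
            continue
        tenant_wide = g["consentType"] == "AllPrincipals"
        own_grant = (g["consentType"] == "Principal"
                     and g.get("principalId") == user_id)
        if tenant_wide or own_grant:
            scopes.update(g["scope"].split())
    return scopes


def diagnose(grants, client_id, user_id, required=REQUIRED_SCOPES):
    """Return (status, missing_scopes) for one user."""
    have = granted_scopes(grants, client_id, user_id)
    missing = set(required) - have
    if not missing:
        return "ok", set()
    if not have:
        # Another principal was consented but this user is out of scope
        # (cause 2), or nobody has consented at all (cause 1).
        others = any(g["clientId"] == client_id for g in grants)
        return ("limited_consent_scope" if others else "no_consent"), missing
    # Consent exists for this user but no longer covers what the
    # application requests (cause 4).
    return "insufficient_scopes", missing
```

A tenant-wide grant appears as a record with `consentType` set to `AllPrincipals`; once it carries every required scope, `diagnose` returns `ok` for any user.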
Resolution
Resolving this issue requires action from a Microsoft Entra ID (Azure AD) administrator to review and adjust application consent settings. The following steps outline how to grant the necessary permissions and restore seamless SSO access for users.
Resolution Step
Action Required from Azure AD Administrator
Contact your Microsoft Entra ID administrator and request them to:
- Approve the BoldDesk enterprise application
- Grant consent for all required permissions
- Ensure consent applies to the correct scope:
  - Tenant-wide (recommended), or
  - Specific groups/users as needed
For more details, refer to Microsoft’s documentation on the Admin Consent Workflow.
For setting up SSO with Azure AD, refer to this documentation: How to Integrate Single Sign-On (SSO) with BoldDesk.
Frequently Asked Questions
- Is “Approval Required” a BoldDesk error?
  No. This prompt is generated by Microsoft Entra ID based on tenant consent policies.
- Why do only some users see this prompt?
  Consent may have been granted only to specific users or groups, or policies may differ across users.
- Can end users resolve this themselves?
  No. If admin consent is required, only an Azure AD administrator can approve access.
- Why did it work before but not now?
  This can occur if:
  - Tenant consent policies were updated
  - The application requested new permissions
- Can BoldDesk integrate with Office 365 GCC High for features such as Single Sign-On (SSO) and access to shared mailboxes?
  No. BoldDesk supports Microsoft 365 (commercial tenants) for SSO and email integrations. Office 365 GCC High, being a separate government cloud environment, is not natively supported for SSO or shared mailbox integrations at this time.