You probably noticed that you can't use the Azure AD connector in Flow without a Global Administrator account. You will get the error below if you try to connect:
You will get an error that looks like this:
Need admin approval
Azure AD Connector – PowerApps and Flow
Azure AD Connector – PowerApps and Flow needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
Message: AADSTS900941: An administrator of SuperTeam has set a policy that prevents you from granting Azure AD Connector – PowerApps and Flow the permissions it is requesting. Contact an administrator of SuperTeam who can grant permissions to this application on your behalf.
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
This error occurs because the user doesn't have permissions to use this connector. This is expected if a Global Administrator did not consent on behalf of the organization to use the Azure AD connector.
Word of advice: don't consent on behalf of your organization for this connector. Read further and you will understand why.
Some Global Administrators would like to grant consent to other users to use this connector without granting the Global Administrator role to these users. Usually this is needed when a user is appointed to develop an integration with Azure AD.
To grant permission to a single user, a Global Administrator has to follow the steps below. Note that this method will give the user the following permissions over AAD: Directory.ReadWrite.All, Group.ReadWrite.All, User.ReadWrite.All.
Make sure you know what you are doing before going through these steps:
- Go to Azure Portal and login
- Click on the Azure Active Directory Blade and go to Enterprise applications
Search for this application ID in Enterprise applications: 2bed6734-1911-40e6-ac44-00d79d70d2bc and copy the object ID
- Search for this application ID in Enterprise applications: e7712fcb-ff8b-46a3-9dc7-869fa577ef50 (MSFT Power Platform – Azure AD)
If you can't find the application, then it means it hasn't been provisioned yet. To provision the app simply go to Flow and login with a Global Administrator account and create a connection to Azure AD.
- Once you copied the Object ID go to Azure AD Graph Explorer, login with your Global Administrator account and run a GET request on this resource: https://graph.windows.net/myorganization/oauth2PermissionGrants
- This request will return the OAuth 2 permission grants in your organization.
- Search (CTRL+F in the response window) for the Object ID you copied in the previous step and copy the permission grant. If you can't find it then it means that the response from AAD Graph was paginated and the permission grant is probably on the next page. You will find a continuation token at the bottom of the response in the @odata:nextLink property which you can use to run the request again (e.g.
- Next step is to go to AAD and get the Object ID of your user:
- Change the request method to POST, paste the permission grant in the request window, replace the principalID property with the Object ID you copied in the previous step, and hit Go. If you did everything right, the response should look like below – it will return the permission grant as a response (step 4):
- The user should be able to create a connection to Azure AD now:
If you have issues with this procedure, please leave a comment.