The “Your tenant administrator has to approve this app.” Error Received When Trying to Grant Tenant-Level Authorization to an Application Created on SharePoint Online, and Its Solution

Yunus Emre Araç
Apr 13, 2023

Reference: https://www.yunusemrearac.com/2023/04/13/sharepoint-online-uzerinde-olusturulmus-uygulama-icin-tenant-seviyesinde-yetki-verilmeye-calisildiginda-alinan-your-tenant-administrator-has-to-approve-this-app-hatasi-ve-cozumu/

Hello friends. Today I will tell you about the “Your tenant administrator has to approve this app” error, which you get when you define an authorization for an app you created on SharePoint Online and choose “tenant” as the authorization level, and about its solution.

When you want to grant permission to an app you created earlier, you add “/_layouts/15/AppInv.aspx” to the end of your SharePoint Online address and write the XML for the required authorization level in the “Permission Request XML” section. Since I covered app creation and authorization levels in my previous blog posts, I will proceed without going into much detail here.

If you set the scope to http://sharepoint/content/tenant in order to grant permission at the tenant level, you will encounter an error like the one above.

Since this authorization level is at the tenant level, that is, above your site, it requires tenant admin approval. It does not matter if you log in to your SharePoint address as the tenant admin user. As I said, because this permission sits above your site, you need to grant it at the “SharePoint Online Admin” level.

At this stage, you must first log in to your SharePoint Online admin address. In other words, go to the admin site at “https://TenantName-admin.sharepoint.com/”, replacing “TenantName” with your SharePoint domain, and log in. Then go to the app permission page by adding “/_layouts/15/AppInv.aspx” to the end of the admin address.

On the app permission page that opens, enter your “App Id” and click the “Lookup” button to load your app information. Then enter the authorization XML and create the authorization with the “Create” button.

As you can see above, the authorization proceeded without any errors, and I can complete it by clicking the “Trust It” button.

Do not forget that you have now defined an authorization at the tenant level, that is, with admin authority: the app can access all your sites and your whole SharePoint system, not only the site you created the app on. If you do not need to work at this level, I recommend that you do not grant this level of authorization.
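A pre-approval check for the Permission Request XML, as an added example that is not part of the original post: it reports which AppInv.aspx address the request has to be approved on and flags tenant-wide grants. The function name, the sample XML, the site URL, and the use of the `AllowAppOnlyPolicy` attribute and the `sitecollection` scope are assumptions not taken from the post.

```python
import xml.etree.ElementTree as ET

TENANT_SCOPE = "http://sharepoint/content/tenant"   # scope named in the post
APPINV_PATH = "/_layouts/15/AppInv.aspx"            # page named in the post

def review_permission_xml(xml_text, tenant_name, site_url):
    """Return (approval_url, findings) for a Permission Request XML.

    tenant_name and site_url are supplied by the caller; the values used
    with the samples below are constructed placeholders.
    """
    root = ET.fromstring(xml_text)
    findings, needs_admin_site = [], False
    if root.get("AllowAppOnlyPolicy", "").lower() == "true":
        findings.append("app-only policy: the app acts without a signed-in user")
    for elem in root.iter():
        # Ignore any XML namespace prefix on the element name.
        if elem.tag.rsplit("}", 1)[-1] != "AppPermissionRequest":
            continue
        scope = elem.get("Scope", "").rstrip("/").lower()
        right = elem.get("Right", "")
        if scope == TENANT_SCOPE:
            needs_admin_site = True
            findings.append(f"tenant scope with {right}: applies to every site in the tenant")
        elif right == "FullControl":
            findings.append(f"FullControl on {scope}: check whether Read or Write is enough")
    if needs_admin_site:
        # Tenant scope can only be approved on the admin site.
        url = f"https://{tenant_name}-admin.sharepoint.com{APPINV_PATH}"
    else:
        url = site_url.rstrip("/") + APPINV_PATH
    return url, findings

# Constructed samples: a tenant-wide request and a narrower alternative.
TENANT_WIDE = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>"""
SITE_ONLY = """<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read" />
</AppPermissionRequests>"""

if __name__ == "__main__":
    for name, xml_text in (("tenant-wide", TENANT_WIDE), ("site-only", SITE_ONLY)):
        url, findings = review_permission_xml(
            xml_text, "TenantName", "https://TenantName.sharepoint.com/sites/demo")
        print(name, "->", url)
        for finding in findings:
            print("  -", finding)
```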


