Resolve “Need Admin Approval”

Problem

When a user who has any app role in Tikit, but is not an admin in your AAD tenant, logs into the Tikit web app at https://web.tikit.ai, the agent sees the following message from Microsoft:

Solution

The Tikit web app may have new permissions that need to be approved by an admin.

Approve the Tikit permissions on behalf of your organization by logging into https://web.tikit.ai as an AAD admin and checking Consent on behalf of your organization.

If you are not prompted, the permissions may previously have been consented to for the logged-in admin only and not on behalf of the organization. That can be resolved either by revoking the permissions for Tikit and consenting fresh, or by consenting on behalf of your organization with a separate AAD admin account.

Warning: users may have issues accessing Tikit while permissions are removed, but this should only be for a very short period as the very next steps are to re-consent.

  • Check for User Consent entries in the Azure Active Directory > Enterprise Applications > Tikit:
    • Login to the Azure portal, then open Azure Active Directory > Enterprise Applications.
    • Once in Enterprise Applications, select Manage All applications, then search for and select Tikit.
    • Once in the Tikit Enterprise Application page, select Security > Permissions on the left, then select the User Consent tab and confirm that there are entries for a specific user. This is most likely the admin you’d like to grant permissions.
  • Using PowerShell, revoke all permissions for Tikit.
    • Note there is an Alternative Step below if you do not want to use PowerShell to revoke permissions. The alternative will completely remove the Tikit Enterprise Application entry and then re-add it. Warning: users may have issues accessing Tikit while permissions are removed, but this should only be for a very short period as the very next steps are to re-consent.
    • From the Security > Permissions page, select Review Permissions.
    • Once the Review permissions flyout is open, select This application has more permissions than I want, then use the provided Azure Active Directory PowerShell script to revoke all permissions for Tikit. If you haven’t installed the Azure AD Module in PowerShell yet, check out Install Azure Active Directory PowerShell for Graph.
    • Once the permissions are revoked, refresh Tikit Enterprise Application permissions and confirm that the User consent tab no longer has any entries.
    • Select Grant admin consent to consent to the Tikit application permissions.
    • Once consented, continue to the next step to consent to the Tikit web app’s permissions on behalf of your organization.
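
The User consent check in the first step, and the confirmation after revoking, can also be done read-only from PowerShell. This is an added example, not part of the original article or Tikit's own tooling; it assumes the AzureAD module the article refers to and that the enterprise application's display name is exactly Tikit.

```powershell
# Added example: read-only audit of delegated permission grants for Tikit.
# Nothing here revokes or grants anything.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Assumption: the enterprise application's display name is exactly "Tikit".
$found = @(Get-AzureADServicePrincipal -SearchString 'Tikit' |
    Where-Object { $_.DisplayName -eq 'Tikit' })
if ($found.Count -ne 1) {
    throw "Expected exactly one service principal named 'Tikit', found $($found.Count)."
}
$sp = $found[0]

# Delegated grants where Tikit is the client. ConsentType separates the cases:
#   Principal     = consent for one user (listed on the User consent tab)
#   AllPrincipals = consent on behalf of the organization (Admin consent tab)
$grants = Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ClientId -eq $sp.ObjectId }

$report = foreach ($g in $grants) {
    $who = if ($g.ConsentType -eq 'Principal') {
        (Get-AzureADUser -ObjectId $g.PrincipalId).UserPrincipalName
    } else {
        '(entire organization)'
    }
    [pscustomobject]@{
        ConsentType = $g.ConsentType
        GrantedFor  = $who
        Resource    = (Get-AzureADServicePrincipal -ObjectId $g.ResourceId).DisplayName
        Scopes      = "$($g.Scope)".Trim()
    }
}
$report | Sort-Object ConsentType, GrantedFor | Format-Table -AutoSize -Wrap

$userOnly = @($report | Where-Object ConsentType -eq 'Principal')
$orgWide  = @($report | Where-Object ConsentType -eq 'AllPrincipals')
if ($userOnly.Count -gt 0 -and $orgWide.Count -eq 0) {
    Write-Warning 'Consent exists only for individual users, not on behalf of the organization.'
} elseif ($userOnly.Count -gt 0) {
    Write-Warning "Per-user grants remain for: $(($userOnly.GrantedFor | Sort-Object -Unique) -join ', ')"
} else {
    Write-Output 'No per-user grants found for Tikit.'
}
```

Run it before revoking to see which account holds the per-user consent, and again afterwards to confirm no Principal entries remain.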

As an AAD admin, login to https://web.tikit.ai and when prompted to consent to application permissions, make sure that Consent on behalf of your organization is checked then select Accept.

  • No PowerShell – Removing the Tikit Enterprise Applications entry and re-adding admin consent.
    • This alternative step avoids the use of the Azure Active Directory PowerShell Module and can be done entirely from a browser and the Azure portal. Once completed, you can continue on to the previous step above.
    • Login to the Azure portal, then open Azure Active Directory and locate your Tenant ID to use later (e.g., ef6ac50c-97c8-4da9-b2c9-206b54f68cce).
    • Once you have your Tenant ID, open Manage Enterprise Applications.
    • Once in Enterprise Applications, select Manage All applications, then search for and select Tikit.
    • Once in the Tikit Enterprise Application page, select Manage Properties on the left, then select Delete.
      Warning: users may have issues accessing Tikit while permissions are removed, but this should only be for a very short period as the very next steps are to re-consent.
    • Open the following URL to provide admin consent for Tikit, replacing the {tenant-id} with your Tenant ID.
      Want to learn more about what this URL does? Check out Construct the URL for granting tenant-wide admin consent.
      • https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=b13c40ee-e073-459e-96b5-3f3cca046a37&redirect_uri=https://app.tikit.ai/teams/consented
    • A window will open from the Azure portal to prompt for tenant-wide admin consent for Tikit. Select Accept to grant consent and re-add Tikit to Enterprise Applications in AAD.
  • After consenting, you will be redirected to the consent completed page. At this point you may continue on to Consent on behalf of your organization to approve permissions from the Tikit web app.