Application Consent when Enterprise Applications are restricted in Office 365

Justin Tung -

Note: Applies to all Hyperfish implementations

Some organizations may choose to control the use of enterprise applications in Office 365 by restricting the ability for users to consent to third-party multi-tenant applications accessing user profile data in Azure Active Directory. 

The default Azure AD configuration allows user consent out-of-the-box, but this can be restricted from Azure Active Directory -> User Settings in the Azure Administration portal. 

If application consent is restricted, users (with the exception of Office 365 Global Administrators) will not be able to sign-in to the Hyperfish Web application. This can be problematic for any user accounts designated to be Hyperfish Administrators or Approvers, and the following error message will appear when attempting to sign-in:

"You can't access this application -- Hyperfish needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."

Given this configuration, two things must be done to allow users to access the Hyperfish application:

1   Users or groups must be assigned access to the Hyperfish application

  • Navigate to Azure Admin Settings -> Azure Active Directory -> Enterprise Applications -> All Applications -> Hyperfish.
  • Select Users and Groups -> Add User/Group

This article from Microsoft also details the process. 

2   A Global Administrator must give consent on behalf of users

  • Using an administrator account, use this consent link to sign-in to Office 365. 
  • You will be prompted to consent for the read permissions that the Hyperfish application needs
  • After consenting, you should see a sign-in error. This is expected behavior.

After completing these steps, non-admin users should be able to access the Hyperfish web application when signing in to




Have more questions? Submit a request


Please sign in to leave a comment.