Delay between admin consent and ability to perform API requests

%3CLINGO-SUB%20id%3D%22lingo-sub-2282182%22%20slang%3D%22en-US%22%3EDelay%20between%20admin%20consent%20and%20ability%20to%20perform%20API%20requests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282182%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20been%20experiencing%20long%20delays%20(up%20to%20an%20hour)%20between%20the%20moment%20the%20%22admin%20consent%22%20approval%20of%20our%20app%20until%20we%20can%20successfully%20perform%20Graph%20API%20calls%20for%20the%20tenant.%3CBR%20%2F%3EAs%20part%20of%20our%20on-boarding%20flow%2C%20after%20the%20user%20provides%20admin%20consent%20to%20our%20application%20we%20start%20performing%20various%20actions%20via%20the%20Graph%20API.%20Lately%20we%20have%20been%20receiving%20an%20increasing%20number%20of%20API%20call%20failures%20with%20%22permission%20denied%22%20response.%3CBR%20%2F%3EIt%20can%20take%20any%20time%20between%20a%20few%20seconds%20to%20an%20hour%20for%20the%20permissions%20granted%20in%20the%20admin%20consent%20form%20to%20be%20recognized%20by%20the%20Graph%20API.%3CBR%20%2F%3EThis%20is%20causing%20substantial%20friction%20in%20our%20on-boarding%20process.%3CBR%20%2F%3EHas%20anyone%20else%20encountered%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2282182%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%20consent%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPermisions%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2287574%22%20slang%3D%22en-US%22%3ERe%3A%20Delay%20between%20admin%20consent%20and%20ability%20to%20perform%20API%20requests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2287574%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3Ewe%20are%20issuing%20a%20new%20token.%20After%20the%20consent%20is%20given%2C%20the%20tenant%20ID%20is%20sent%20to%20a%20backend%20process%20that%20issues%20a%20new%20token%20via%20MSAL%20and%20queries%20the%20Graph%20API.%20Scopes%20requested%20for%20the%20token%20are%20similar%20to%20those%20requested%20by%20the%20application%20and%20approved%20by%20the%20admin.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2282228%22%20slang%3D%22en-US%22%3ERe%3A%20Delay%20between%20admin%20consent%20and%20ability%20to%20perform%20API%20requests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282228%22%20slang%3D%22en-US%22%3EDid%20you%20renew%20your%20token%20after%20granting%20consent%3F%20The%20vast%20majority%20of%20applications%20will%20rely%20on%20the%20roles%2Fscopes%20listed%20within%20the%20token%2C%20and%20those%20will%20not%20be%20updated%20until%20you%20get%20a%20new%20one.%3C%2FLINGO-BODY%3E
New Contributor

We have been experiencing long delays (up to an hour) between the moment the "admin consent" approval of our app until we can successfully perform Graph API calls for the tenant.
As part of our on-boarding flow, after the user provides admin consent to our application we start performing various actions via the Graph API. Lately we have been receiving an increasing number of API call failures with "permission denied" response.
It can take any time between a few seconds to an hour for the permissions granted in the admin consent form to be recognized by the Graph API.
This is causing substantial friction in our on-boarding process.
Has anyone else encountered this?

2 Replies
Did you renew your token after granting consent? The vast majority of applications will rely on the roles/scopes listed within the token, and those will not be updated until you get a new one.

@Vasil Michevwe are issuing a new token. After the consent is given, the tenant ID is sent to a backend process that issues a new token via MSAL and queries the Graph API. Scopes requested for the token are similar to those requested by the application and approved by the admin.