Microsoft Entra ID consent experience for Intune Mobile

The Microsoft Entra ID consent flow is the process by which a user authorizes an application to access protected resources on their behalf. An admin or user can be asked for consent to allow access to their organization's or individual data.

With the upcoming 17.5.0 mobile release, ServiceNow iOS Intune mobile apps will require user permission for DeviceManagementManagedApps.ReadWrite. This permission is crucial because it allows the ServiceNow Intune Tenant to establish communication with the customer's tenant, which the app login process depends on. Compliance with this requirement is mandated by Microsoft. For additional details, refer to: Microsoft Entra documentation on consent and permissions.

To grant admin consent, a user must hold a Global Administrator role. The admin can choose to grant consent on behalf of the entire organization or allow individual users to consent independently.

There are three methods to grant admin consent:

1. Pre-generated consent link: This link was provided to identified affected customers prior to the 17.5 rollout. An Intune admin with appropriate privileges (at least a Cloud Application Administrator) needs to open this link and grant admin consent.

   https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=8d240658-9a3e-47ee-b015-3736585b0daa&scope=https://wip.mam.manage.microsoft.us//DeviceManagementManagedApps.ReadWrite

2. Consent via the iOS app: Administrators with access to a 17.5.0+ Intune build can complete the consent flow when they log into Intune for the first time within the app.

3. Microsoft Azure portal: This option is available only if other permissions have already been granted or if the same permission was previously granted and then revoked. Navigate to "Enterprise Applications" from the Azure portal home page. Locate the ServiceNow app registration, go to the "Permissions" section, and click the blue "grant admin consent" button.

FAQ

1. Why am I getting an error saying "address is invalid" when using a consent link?

   This error typically occurs when the consent link is used from a desktop browser, because the link contains a redirect URI intended for mobile devices. Although this message appears, the consent flow will still proceed successfully on desktop browsers.

2. Why am I getting an error saying "admin approval is needed"?

   This message appears if an admin has disabled individual user consent. In such cases, regular users must await administrative approval before they can use the app.

3. Why am I stuck on a loading spinner after consenting via the link?

   This is a Microsoft UX issue. The consent page is designed to work on top of the app registration permission page, and it is dismissed only after making a callback to that page. Because the consent window is used on its own here, the callback to the permissions page cannot complete, so the window is not dismissed. The consent flow will still proceed successfully on desktop browsers.

4. Why am I getting a -50000 error on the first Intune login attempt?

   This is a known problem with the Intune SDK, specifically related to MSAL data decryption from the Authenticator app. The Microsoft team is actively working on a fix. In the meantime, users should be able to log in to Intune by simply retrying.

5. How do I confirm that the permission has been granted?

   In Enterprise applications, locate the ServiceNow app registration and go to the "Permissions" section. The admin should see "DeviceManagementManagedApps.ReadWrite" shown as granted by admin.
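
For the pre-generated consent link in method 1, an admin can check that a link received by e-mail or ticket asks for exactly the application and permission documented here before opening it. This is an added example, not ServiceNow or Microsoft code; the expected values are copied from the link on this page, while the function name check_consent_link and the second sample link are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Expected values, copied from the consent link shown on this page.
EXPECTED_HOST = "login.microsoftonline.com"
EXPECTED_PATH = "/organizations/v2.0/adminconsent"
EXPECTED_CLIENT_ID = "8d240658-9a3e-47ee-b015-3736585b0daa"
EXPECTED_SCOPE = "https://wip.mam.manage.microsoft.us//DeviceManagementManagedApps.ReadWrite"


def check_consent_link(url):
    """Return a list of problems with an admin consent link (empty means OK)."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Compare the whole netloc so userinfo ("host@other") or a port is rejected.
    if parts.netloc.lower() != EXPECTED_HOST:
        problems.append("unexpected host: " + parts.netloc)
    if parts.path != EXPECTED_PATH:
        problems.append("unexpected path: " + parts.path)

    query = parse_qs(parts.query, keep_blank_values=True)
    # Each parameter must appear exactly once; repeats are ambiguous.
    client_ids = query.get("client_id", [])
    if len(client_ids) != 1 or client_ids[0].lower() != EXPECTED_CLIENT_ID:
        problems.append("client_id is not the expected application ID")
    scopes = query.get("scope", [])
    if len(scopes) != 1:
        problems.append("scope must appear exactly once")
    else:
        # Scopes are space-delimited; consent covers every one listed.
        requested = set(scopes[0].split())
        for extra in sorted(requested - {EXPECTED_SCOPE}):
            problems.append("additional scope requested: " + extra)
        if EXPECTED_SCOPE not in requested:
            problems.append("expected scope is missing")
    return problems


# The link from this page, followed by a constructed link that adds a scope.
PAGE_LINK = ("https://login.microsoftonline.com/organizations/v2.0/adminconsent"
             "?client_id=" + EXPECTED_CLIENT_ID + "&scope=" + EXPECTED_SCOPE)
CONSTRUCTED_LINK = PAGE_LINK + "%20https://example.invalid/Other.Permission"

if __name__ == "__main__":
    for link in (PAGE_LINK, CONSTRUCTED_LINK):
        print(check_consent_link(link) or "OK")
```

An empty result means the link matches the one documented here; any listed problem is a reason to confirm the link with its sender before granting consent.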