Skip to content

How to Resolve the Need Admin Approval Error

[admin-level article]

For users of the Email Sidebar on:

 

The “Need Admin Approval” error may occur when a regular user attempts to get authenticated in Revenue Grid with one’s Office 365 credentials in the OAuth window:

 

What causes the error

The error is caused by User permission settings in corporate Microsoft Entra admin center (previously MS Azure Active Directory); specifically, the option “User can consent to apps accessing company data on their behalf” is set to “No”, along with its derivative setting for accessing the groups’ data.

These settings can be found in All services > Enterprise applications > User settings in Microsoft Entra admin center.

>>> Click to see a screenshot <<<

 


For an admin, the easiest way to address this issue is to grant tenant-wide admin consent to Revenue Grid using the URL for granting tenant-wide admin consent.

1. Copy this link to any text editor:

https://login.microsoftonline.com/{organization}/v2.0/adminconsent?client_id=336be6bf-83eb-47ad-93ef-32250063f88d&redirect_uri=https://portal.azure.com/TokenAuthorize&scope=https://graph.microsoft.com/Calendars.ReadWrite%20https://graph.microsoft.com/Contacts.ReadWrite%20https://graph.microsoft.com/email%20https://graph.microsoft.com/Mail.Read%20https://graph.microsoft.com/Mail.ReadWrite%20https://graph.microsoft.com/MailboxSettings.ReadWrite%20https://graph.microsoft.com/offline_access%20https://graph.microsoft.com/profile%20https://graph.microsoft.com/User.Read%20https://graph.microsoft.com/User.ReadBasic.All%20https://outlook.office365.com/EWS.AccessAsUser.All%20https://graph.microsoft.com/Mail.Send%20https://graph.microsoft.com/Tasks.ReadWrite


2. Substitute {organization} with your Microsoft 365 tenant ID.

To retrieve your Microsoft 365 tenant ID:

• Log in to Microsoft Entra admin center
• Go to Identity > Overview
• Under Basic information, find Tenant ID and copy it

Important

Customers on dedicated single-tenant instances must also amend the client ID in the URL provided above. In such cases, it must be substituted with the ClientID value provided by the Revenue Grid CSM team.


3. Open the amended URL in the preferred web browser

4. Log in using the Microsoft admin account with permissions listed in this Microsoft article. Admins with roles that have lower level of permissions won’t be able to grant consent.

5. Review the required permissions

Note

RG Email Sidebar accesses and handles the end users’ email and CRM data in a most secure and private manner, according to our Privacy and Security guarantees, so approving this data access is safe

>>> Click to see the list of permissions <<<

API Name

Claim value

Permission

Type

Granted through

Granted by

Microsoft Graph

Microsoft Graph

profile

View users' basic profile

Delegated

Admin consent

An administrator

Microsoft Graph

offline_access

Maintain access to data you have given it access to

Delegated

Admin consent

An administrator

Microsoft Graph

MailboxSettings.ReadWrite

Read and write user mailbox settings

Delegated

Admin consent

An administrator

Microsoft Graph

User.Read

Sign in and read user profile

Delegated

Admin consent

An administrator

Microsoft Graph

User.ReadBasic.All

Read all users' basic profiles

Delegated

Admin consent

An administrator

Microsoft Graph

Mail.ReadWrite

Read and write access to user mail

Delegated

Admin consent

An administrator

Microsoft Graph

Calendars.ReadWrite

Have full access to user calendars

Delegated

Admin consent

An administrator

Microsoft Graph

email

View users' email address

Delegated

Admin consent

An administrator

Microsoft Graph

Tasks.ReadWrite

Create, read, update, and delete user’s tasks and task lists

Delegated

Admin consent

An administrator

Microsoft Graph

Contacts.ReadWrite

Have full access to user contacts

Delegated

Admin consent

An administrator

Microsoft Graph

Mail.Send

Send mail as a user

Delegated

Admin consent

An administrator

Microsoft Graph

Mail.Read

Read user mail

Delegated

Admin consent

An administrator

Microsoft Graph

Mail.ReadWrite

Read and write mail in all mailboxes

Application

Admin consent

An administrator

Microsoft Graph

Contacts.ReadWrite

Read and write contacts in all mailboxes

Application

Admin consent

An administrator

Microsoft Graph

User.Read.All

Read all users' full profiles

Application

Admin consent

An administrator

Microsoft Graph

Calendars.ReadWrite

Read and write calendars in all mailboxes

Application

Admin consent

An administrator

Microsoft Graph

Mail.Send

Send mail as any user

Application

Admin consent

An administrator

Microsoft Graph

MailboxSettings.ReadWrite

Read and write all user mailbox settings

Application

Admin consent

An administrator

Office 365 Exchange Online

Office 365 Exchange Online

EWS.AccessAsUser.All

Access mailboxes as the signed-in user via Exchange Web Services

Delegated

Admin consent

An administrator


6. Click Accept to grant the necessary permissions to Revenue Grid on behalf of all users of your Org

7. After completing these steps, the Revenue Grid app will be added to your tenant’s Enterprise apps so that you can further manage it in your Microsoft Entra admin center.


Also, by clicking on the application name, you can review list of consent permissions on the Admin Consent tab.

>>> Click to see a screenshot <<<


 


Alternative problem solutions

There are three alternative methods for resolving this issue:

  • Method 1 is for cases when Revenue Grid is already on the list of Enterprise applications in the Microsoft Entra admin center.
  • Method 2 is for cases when Revenue Grid is not on the list of Enterprise applications in the Microsoft Entra admin center.
  • Method 3 is useful if you want to allow the end users to provide consent for Apps on their own.



Method 1

1. Log in to Microsoft Entra admin center (previously MS Azure AD) with Admin credentials

2. Go to Enterprise Applications

3. Select All Applications

4. Type “Revenue Grid” in the search field to find the App and select it

Important

The application may be absent from the list, in case none of the users registered consent for the App previously. If this is the case, see Method 2 from this article

 

>>> Click to see a screenshot <<<

 

5. Open the Permissions tab and click Grant Admin consent for Revenue Grid

>>> Click to see a screenshot <<<

 

6. Log in with O365 Admin credentials and click Accept in the Permissions requested dialog that appears

>>> Click to see a screenshot <<<

 

7. Refresh the page with Permissions for the application you’ve just registered consent for

8. The list of consent permissions will be displayed in the Admin Consent tab on the Applications page

 

>>> Click to see a screenshot <<<

 

After that, individual users should open RG Email Sidebar, click the (Menu) button in its upper left corner and select Sync settings or Set up sync

>>> Click to see a screenshot <<<

 

The final setup action required from the end users is to grant access to their mailbox data when prompted in the O365 OAuth dialog. As soon as it is granted, they can start using all RG Email Sidebar functions.

 


 

Method 2

There is also another way to resolve the issue: the local Office 365 Admin can register consent for the App on the initial logon. This method requires the O365 Admin to be provisioned as a RG user.

Setup actions to be performed by the Admin:

1. Log in to RG Email Sidebar with Salesforce credentials registered for the Admin’s account
2. Press on the (Menu) button in the upper left corner of the Sidebar
3. Select Set up sync in the menu

>>> Click to see a screenshot <<<

 

4. Next, Log in with O365 Admin credentials in the O365 OAuth dialog that appears

5. In the following “Permissions Requested” dialog window: select the checkbox Consent on behalf of your organization and click Accept

>>> Click to see a screenshot <<<

 

Authorization is successful, a “Signed in successfully” notification will appear. Now the consent to use the App has been granted for the whole Org and all end users in it are allowed to perform O365 data access authorization for RG Email Sidebar.

 

An optional extra Step

In case the O365 Admin does not intend to use the App, the corresponding user can be removed via RG Admin panel. To do that:
1. Log into RG Amin UI with admin credentials
2. Click the Gear (Settings) icon in the upper right corner of the page opened
3. Select **Force Delete **

>>> Click to see a screenshot <<<

 

After that check that O365 Admin user’s email address was removed from RG users list.

 


 

Method 3

Another option is to allow the end users to register consent for Apps on their own.

Note

If this method is used, the end users will be able to register consent for any third party Apps; for some enterprises such setup might contradict general Office Apps security policies

 

1. Log in to Azure AD using Admin credentials
2. Go to Enterprise applications > User settings
3. Switch the setting “User can consent to apps accessing company data on their behalf” to **Yes **

>>> Click to see a screenshot <<<

 

Enabling of the setting “User can consent to apps accessing company data for the groups they own” is optional.

 


 

Also see the following articles:

RG Email Sidebar mass deployment scenarios

How RG Email Sidebar works with EWS

Microsoft Consent framework

Microsoft App Consent Experience