How to Resolve the “Need Admin Approval” Error
The “Need Admin Approval” error may occur when a regular user attempts to authenticate in RG Email Sidebar with their Office 365 credentials in the OAuth window.
Important
There is also an important server-side prerequisite to clarify with your local Admin or the RGES Support team. To be able to authenticate access, your company’s Office 365 server must have a valid MPN ID from Microsoft. If no MPN ID is configured, the RG Email Sidebar App might be regarded as unverified, in which case it will not be listed among the access consent Apps in Admin settings. If that is the case, contact the RGES Support team with a corresponding request.
What causes the error
The error is caused by User permission settings in corporate MS Azure Active Directory; specifically, the option “User can consent to apps accessing company data on their behalf” is set to “No”, along with its derivative setting for accessing the groups’ data.
These settings can be found in All services -> Enterprise applications -> User settings in MS Azure Active Directory.
Problem solutions
Method 1
Step 1: Grant Admin Consent for RG Email Sidebar
1. Log in to MS Azure AD at https://portal.azure.com with Admin credentials
2. Go to Enterprise Applications
3. Select All Applications
4. Type “Revenue Grid” in the search field to find the App and select it
Note
The application may be absent from the list if none of the users has registered consent for the App previously. If this is the case, see Method 2 in this article.
Step 2: Grant Admin consent
After Step 1 is complete, proceed to the following setup actions:
1. Open the Permissions tab and click Grant Admin consent for %CompanyName%
2. Log in with O365 Admin credentials and click Accept in the Permissions requested dialog that appears
Note
RG Email Sidebar accesses and handles the end users’ email and CRM data in a most secure and private manner, according to our Privacy and Security guarantees, so approving this data access is safe.
3. Refresh the page with Permissions for the application you’ve just registered consent for
4. The list of consent permissions will be displayed in the Admin Consent tab on the Applications page
API Name | Claim value | Permission | Type | Granted through | Granted by
---|---|---|---|---|---
Microsoft Graph | profile | View users’ basic profile | Delegated | Admin consent | An administrator
Microsoft Graph | | View users’ email address | Delegated | Admin consent | An administrator
Microsoft Graph | Calendars.ReadWrite | Have full access to user calendars | Delegated | Admin consent | An administrator
Microsoft Graph | Mail.ReadWrite | Read and write access to user mail | Delegated | Admin consent | An administrator
Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles | Delegated | Admin consent | An administrator
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | Admin consent | An administrator
Microsoft Graph | MailboxSettings.ReadWrite | Read and write user mailbox settings | Delegated | Admin consent | An administrator
Microsoft Graph | offline_access | Maintain access to data you have given it access to | Delegated | Admin consent | An administrator
Office 365 Exchange Online | EWS.AccessAsUser.All | Access mailboxes as the signed-in user via Exchange Web Services | Delegated | Admin consent | An administrator
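
A check an admin can run after granting consent, as an added example (not Revenue Grid's or Microsoft's code): it compares the app's tenant-wide delegated grants, given as Microsoft Graph `oauth2PermissionGrant` objects, with the permission list above and reports anything extra or missing. The IDs and sample grants are constructed placeholders, and `email` is assumed for the row whose claim value is blank.

```python
import json

# Delegated permissions from the table above, keyed by API name.
# "email" is an assumption: that row's claim value is blank on the page.
EXPECTED = {
    "Microsoft Graph": {
        "profile", "email", "Calendars.ReadWrite", "Mail.ReadWrite",
        "User.ReadBasic.All", "User.Read", "MailboxSettings.ReadWrite",
        "offline_access",
    },
    "Office 365 Exchange Online": {"EWS.AccessAsUser.All"},
}

def audit_admin_consent(grants, client_id, resource_names):
    """Compare an app's tenant-wide (AllPrincipals) grants with EXPECTED.

    grants: list of Microsoft Graph oauth2PermissionGrant objects.
    resource_names: resourceId -> API display name for this tenant.
    Returns {"unexpected": {api: scopes}, "missing": {api: scopes}}.
    """
    granted = {}
    for g in grants:
        if g["clientId"] != client_id or g["consentType"] != "AllPrincipals":
            continue  # another app, or consent given by a single user
        api = resource_names.get(g["resourceId"], g["resourceId"])
        granted.setdefault(api, set()).update((g.get("scope") or "").split())
    report = {"unexpected": {}, "missing": {}}
    for api in sorted(set(granted) | set(EXPECTED)):
        have, want = granted.get(api, set()), EXPECTED.get(api, set())
        if have - want:
            report["unexpected"][api] = sorted(have - want)
        if want - have:
            report["missing"][api] = sorted(want - have)
    return report

# Constructed sample: IDs are placeholders, not real tenant values.
SAMPLE = json.loads("""[
 {"clientId": "sp-rg-sidebar", "consentType": "AllPrincipals", "principalId": null,
  "resourceId": "sp-graph",
  "scope": "profile email Calendars.ReadWrite Mail.ReadWrite User.ReadBasic.All User.Read MailboxSettings.ReadWrite offline_access Files.ReadWrite.All"},
 {"clientId": "sp-rg-sidebar", "consentType": "Principal", "principalId": "user-1",
  "resourceId": "sp-ews", "scope": "EWS.AccessAsUser.All"}
]""")
NAMES = {"sp-graph": "Microsoft Graph", "sp-ews": "Office 365 Exchange Online"}

if __name__ == "__main__":
    print(audit_admin_consent(SAMPLE, "sp-rg-sidebar", NAMES))
```

In the constructed sample the Exchange Online grant is per-user rather than tenant-wide, so it shows up as missing from the admin consent, and `Files.ReadWrite.All` is flagged because it is not in the documented list.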
After that, individual users should open RG Email Sidebar, click the ☰ (Menu) button in its upper left corner and select Sync settings or Set up sync.
The final setup action required from the end users is to grant access to their mailbox data when prompted in the O365 OAuth dialog. As soon as it is granted, they can start using all RG Email Sidebar functions.
Method 2
There is also another way to resolve the issue: the local Office 365 Admin can register consent for the App on the initial logon. This method requires the O365 Admin to be provisioned as an RG Email Sidebar user.
Setup actions to be performed by the Admin:
1. Log in to RG Email Sidebar with Salesforce credentials registered for the Admin’s account
2. Click the ☰ (Menu) button in the upper left corner of the Sidebar
3. Select Set up sync in the menu
4. Next, log in with O365 Admin credentials in the O365 OAuth dialog that appears
5. In the “Permissions Requested” dialog window that follows, select the checkbox Consent on behalf of your organization and click Accept
If authorization is successful, a “Signed in successfully” notification will appear. Consent to use the App has now been granted for the whole Org, and all end users in it are allowed to perform O365 data access authorization for RG Email Sidebar.
An optional extra step
If the O365 Admin does not intend to use the App, the corresponding user can be removed from RG Email Sidebar via the RGES Admin panel. To do that:
1. Log in to the RG Admin UI with admin credentials
2. Click the Gear (Settings) icon in the upper right corner of the page opened
3. Select Force Delete
After that, check that the O365 Admin user’s email address was removed from the RG Email Sidebar users list.
Method 3
Another option is to allow the end users to register consent for Apps on their own.
Note
If this method is used, the end users will be able to register consent for any third-party Apps; for some enterprises such a setup might contradict general Office Apps security policies.
1. Log in to Azure AD using Admin credentials
2. Go to Enterprise applications -> User settings
3. Switch the setting “User can consent to apps accessing company data on their behalf” to Yes
Enabling the setting “User can consent to apps accessing company data for the groups they own” is optional.
Also see the following articles:
RG Email Sidebar mass deployment scenarios
How RG Email Sidebar works with EWS
Microsoft App Consent Experience