How to Resolve the Need Admin Approval Error¶
[admin-level article]
For users of the Email Sidebar on:
The “Need Admin Approval” error may occur when a regular user attempts to get authenticated in Revenue Grid with one’s Office 365 credentials in the OAuth window:
What causes the error¶
The error is caused by User permission settings in corporate Microsoft Entra admin center (previously MS Azure Active Directory); specifically, the option “User can consent to apps accessing company data on their behalf” is set to “No”, along with its derivative setting for accessing the groups’ data.
These settings can be found in All services > Enterprise applications > User settings in Microsoft Entra admin center.
>>> Click to see a screenshot <<<
Recommended problem solution¶
For an admin, the easiest way to address this issue is to grant tenant-wide admin consent to Revenue Grid using the URL for granting tenant-wide admin consent.
1. Copy this link to any text editor:
https://login.microsoftonline.com/{organization}/v2.0/adminconsent?client_id=336be6bf-83eb-47ad-93ef-32250063f88d&redirect_uri=https://portal.azure.com/TokenAuthorize&scope=https://graph.microsoft.com/Calendars.ReadWrite%20https://graph.microsoft.com/Contacts.ReadWrite%20https://graph.microsoft.com/email%20https://graph.microsoft.com/Mail.Read%20https://graph.microsoft.com/Mail.ReadWrite%20https://graph.microsoft.com/MailboxSettings.ReadWrite%20https://graph.microsoft.com/offline_access%20https://graph.microsoft.com/profile%20https://graph.microsoft.com/User.Read%20https://graph.microsoft.com/User.ReadBasic.All%20https://outlook.office365.com/EWS.AccessAsUser.All%20https://graph.microsoft.com/Mail.Send%20https://graph.microsoft.com/Tasks.ReadWrite
2. Substitute {organization} with your Microsoft 365 tenant ID.
To retrieve your Microsoft 365 tenant ID:
• Log in to Microsoft Entra admin center
• Go to Identity > Overview
• Under Basic information, find Tenant ID and copy it
Important
Customers on dedicated single-tenant instances must also amend the client ID in the URL provided above. In such cases, it must be substituted with the ClientID value provided by the Revenue Grid CSM team.
3. Open the amended URL in the preferred web browser
4. Log in using the Microsoft admin account with permissions listed in this Microsoft article. Admins with roles that have lower level of permissions won’t be able to grant consent.
5. Review the required permissions
Note
RG Email Sidebar accesses and handles the end users’ email and CRM data in a most secure and private manner, according to our Privacy and Security guarantees, so approving this data access is safe
>>> Click to see the list of permissions <<<
|
API Name |
Claim value |
Permission |
Type |
Granted through |
Granted by |
|
Microsoft Graph |
|||||
|
Microsoft Graph |
profile |
View users' basic profile |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
offline_access |
Maintain access to data you have given it access to |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
MailboxSettings.ReadWrite |
Read and write user mailbox settings |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
User.Read |
Sign in and read user profile |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
User.ReadBasic.All |
Read all users' basic profiles |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
Mail.ReadWrite |
Read and write access to user mail |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
Calendars.ReadWrite |
Have full access to user calendars |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
|
View users' email address |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
Tasks.ReadWrite |
Create, read, update, and delete user’s tasks and task lists |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
Contacts.ReadWrite |
Have full access to user contacts |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
Mail.Send |
Send mail as a user |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
Mail.Read |
Read user mail |
Delegated |
Admin consent |
An administrator |
|
Microsoft Graph |
Mail.ReadWrite |
Read and write mail in all mailboxes |
Application |
Admin consent |
An administrator |
|
Microsoft Graph |
Contacts.ReadWrite |
Read and write contacts in all mailboxes |
Application |
Admin consent |
An administrator |
|
Microsoft Graph |
User.Read.All |
Read all users' full profiles |
Application |
Admin consent |
An administrator |
|
Microsoft Graph |
Calendars.ReadWrite |
Read and write calendars in all mailboxes |
Application |
Admin consent |
An administrator |
|
Microsoft Graph |
Mail.Send |
Send mail as any user |
Application |
Admin consent |
An administrator |
|
Microsoft Graph |
MailboxSettings.ReadWrite |
Read and write all user mailbox settings |
Application |
Admin consent |
An administrator |
|
Office 365 Exchange Online |
|||||
|
Office 365 Exchange Online |
EWS.AccessAsUser.All |
Access mailboxes as the signed-in user via Exchange Web Services |
Delegated |
Admin consent |
An administrator |
6. Click Accept to grant the necessary permissions to Revenue Grid on behalf of all users of your Org
7. After completing these steps, the Revenue Grid app will be added to your tenant’s Enterprise apps so that you can further manage it in your Microsoft Entra admin center.
Also, by clicking on the application name, you can review list of consent permissions on the Admin Consent tab.
>>> Click to see a screenshot <<<
Alternative problem solutions¶
There are three alternative methods for resolving this issue:
- Method 1 is for cases when Revenue Grid is already on the list of Enterprise applications in the Microsoft Entra admin center.
- Method 2 is for cases when Revenue Grid is not on the list of Enterprise applications in the Microsoft Entra admin center.
- Method 3 is useful if you want to allow the end users to provide consent for Apps on their own.
Method 1¶
1. Log in to Microsoft Entra admin center (previously MS Azure AD) with Admin credentials
2. Go to Enterprise Applications
3. Select All Applications
4. Type “Revenue Grid” in the search field to find the App and select it
Important
The application may be absent from the list, in case none of the users registered consent for the App previously. If this is the case, see Method 2 from this article
>>> Click to see a screenshot <<<
5. Open the Permissions tab and click Grant Admin consent for Revenue Grid
>>> Click to see a screenshot <<<
6. Log in with O365 Admin credentials and click Accept in the Permissions requested dialog that appears
>>> Click to see a screenshot <<<
7. Refresh the page with Permissions for the application you’ve just registered consent for
8. The list of consent permissions will be displayed in the Admin Consent tab on the Applications page
>>> Click to see a screenshot <<<
After that, individual users should open RG Email Sidebar, click the ☰ (Menu) button in its upper left corner and select Sync settings or Set up sync
>>> Click to see a screenshot <<<
The final setup action required from the end users is to grant access to their mailbox data when prompted in the O365 OAuth dialog. As soon as it is granted, they can start using all RG Email Sidebar functions.
Method 2¶
There is also another way to resolve the issue: the local Office 365 Admin can register consent for the App on the initial logon. This method requires the O365 Admin to be provisioned as a RG user.
Setup actions to be performed by the Admin:
1. Log in to RG Email Sidebar with Salesforce credentials registered for the Admin’s account
2. Press on the ☰ (Menu) button in the upper left corner of the Sidebar
3. Select Set up sync in the menu
>>> Click to see a screenshot <<<
4. Next, Log in with O365 Admin credentials in the O365 OAuth dialog that appears
5. In the following “Permissions Requested” dialog window: select the checkbox Consent on behalf of your organization and click Accept
>>> Click to see a screenshot <<<
Authorization is successful, a “Signed in successfully” notification will appear. Now the consent to use the App has been granted for the whole Org and all end users in it are allowed to perform O365 data access authorization for RG Email Sidebar.
An optional extra Step
In case the O365 Admin does not intend to use the App, the corresponding user can be removed via RG Admin panel. To do that:
1. Log into RG Amin UI with admin credentials
2. Click the Gear (Settings) icon in the upper right corner of the page opened
3. Select **Force Delete **
>>> Click to see a screenshot <<<
After that check that O365 Admin user’s email address was removed from RG users list.
Method 3¶
Another option is to allow the end users to register consent for Apps on their own.
Note
If this method is used, the end users will be able to register consent for any third party Apps; for some enterprises such setup might contradict general Office Apps security policies
1. Log in to Azure AD using Admin credentials
2. Go to Enterprise applications > User settings
3. Switch the setting “User can consent to apps accessing company data on their behalf” to **Yes **
>>> Click to see a screenshot <<<
Enabling of the setting “User can consent to apps accessing company data for the groups they own” is optional.
Also see the following articles:
RG Email Sidebar mass deployment scenarios
How RG Email Sidebar works with EWS
Microsoft App Consent Experience
We would love to hear from you!