Skip to content

How to resolve the “Need admin approval” error after enabling Nested App Authentication for EWS users

2 min read · For Email Sidebar users on:

Symptoms

The behavior varies depending on the Outlook version. Users may see the Need admin approval pop-up followed by a red error message: 

Sorry, an error occurred. Please restart the Sidebar.

Additionally, an orange warning may appear: 

Can’t identify your Office 365 account.

In some cases, only the red error message appears, accompanied by a correlation ID (which is not searchable).

Observed behavior

Note

In New Outlook, the Need admin approval pop-up does not appear. Instead, the Sidebar is immediately blocked.

Additionally, in Outlook on the web, the browser may block the pop-up by default. Users must select Always allow for it to appear.

Causes

Due to Microsoft’s deprecation of legacy tokens, migrating to Nested App Authentication is required to keep add-ins up and running. The Revenue Grid application lacks the necessary permissions after enabling Nested App Authentication.

While users with Microsoft Graph access have either granted consent or had permissions assigned by an admin, users with an Exchange Web Services (EWS) connection do not have these permissions. As a result, they encounter the Need admin approval pop-up, and the Sidebar remains blocked until permissions are granted.

Additionally, this error indicates that Do not allow user consent is enabled in the User consent settings of the corporate Microsoft Entra admin center.

To check this setting, navigate to: Applications > Enterprise applications > Consent and permissions.

Resolution

There are multiple ways to make sure the necessary permissions are granted depending on the Microsoft Entra settings.

If a Microsoft 365 admin has the Sidebar installed

The admin can register consent during login by following these steps:

  1. Log in to Outlook on the web: Outlook
  2. Open the Sidebar and wait for the Microsoft 365 OAuth dialog to appear.

  3. In the Permissions requested dialog, select Consent on behalf of your organization and click Accept.

If authorization is successful, a Signed in successfully notification appears.

Once consent is granted, it applies to the entire organization, and no further actions are required from end users.

If a Microsoft 365 admin does not have the Sidebar installed

  1. Copy the following link to a text editor:

    https://login.microsoftonline.com/{organization}/v2.0/adminconsent?client_id=336be6bf-83eb-47ad-93ef-32250063f88d&redirect_uri=https://portal.azure.com/TokenAuthorize&scope=https://graph.microsoft.com/Calendars.ReadWrite https://graph.microsoft.com/email https://graph.microsoft.com/Mail.ReadWrite https://graph.microsoft.com/offline_access https://graph.microsoft.com/profile https://graph.microsoft.com/User.Read https://graph.microsoft.com/User.ReadBasic.All https://graph.microsoft.com/Calendars.ReadWrite.Shared https://graph.microsoft.com/Mail.ReadWrite.Shared

  2. Replace {organization} with your Microsoft 365 tenant ID:

    1. Log in to the Microsoft Entra admin center.
    2. Go to Identity > Overview.

    3. Under Basic information, locate Tenant ID and copy it.

  3. Open the modified URL in a browser.

  4. Log in using a Microsoft admin account with the necessary permissions listed in this Microsoft article.
  5. Review the required permissions.

  6. Click Accept to grant the necessary permissions to Revenue Grid on behalf of all users:

  1. Log in to Microsoft Entra admin center with admin credentials.
  2. Go to Enterprise applications.
  3. Select All applications.

  4. Search for Revenue Inbox and select it.

    Note

    If the application is missing, it means no users have registered consent for the app. In that case, follow Method 1.

  5. Open the Permissions tab and click Grant admin consent for [your tenant name].

  6. Log in with Microsoft 365 admin credentials and click Accept in the Permissions requested dialog.

  7. Refresh the page. The granted permissions will now appear in the Admin consent tab on the Permissions page.

Note

This method allows users to consent to any third-party applications, which may not align with enterprise security policies.

  1. Log in to Microsoft Entra admin center with admin credentials.
  2. Navigate to Enterprise applications > Consent and permissions.

  3. Select Allow user consent for apps.