This article outlines issues you might be experiencing while reauthorizing your Office 365 and Shared Mailbox emails with Comm100 Ticketing & Messaging.
Problem
When integrating or reauthorizing the Office 365 and Shared Mailbox type email accounts with Comm100 Ticketing & Messaging, I receive a "Need admin approval" error message.
Cause
The likely cause is incorrect user/admin consent settings or permissions in the Azure portal.
Solution
Review the user/admin consent settings and permissions in the Azure portal and correct them for whichever of the following scenarios applies:
- Restricted resource access to allow app integration (MS Recommended)
- No user consent; requires admin consent for apps.
- No user consent; requires admin consent for apps, but admin consent request disabled.
Restricted Resource Access to Allow App Integration (MS Recommended)
This scenario applies if, on the All services > Enterprise applications > Consent and permissions > User consent settings page, you have selected the Allow user consent for apps from verified publishers, for selected permissions (Recommended) option.
On the All services > Enterprise applications > Consent and permissions > Permission classifications page, create a permission set that allows limited permissions for user consent.
API used | Permissions | Description |
---|---|---|
Microsoft Graph | Mail.Read | Read user mail. |
Microsoft Graph | Mail.Read.Shared | Read user and shared mail. |
Microsoft Graph | Mail.ReadBasic | Read user basic mail. |
Microsoft Graph | Mail.ReadBasic.Shared | Read user and shared basic mail. |
Microsoft Graph | Mail.ReadWrite | Read and write access to user mail. |
Microsoft Graph | Mail.ReadWrite.Shared | Read and write user and shared mail. |
Microsoft Graph | Mail.Send | Send mail as a user. |
Microsoft Graph | Mail.Send.Shared | Send mail on behalf of others. |
Microsoft Graph | profile | View users' basic profile. |
Microsoft Graph | email | View users' email address. |
Microsoft Graph | offline_access | Maintain access to data you have given it access to. |
Follow the app integration flow, which prompts the user for consent and allows them to integrate the app with the permissions.
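The permission classification step above can also be scripted. This is an added example, not part of the original article or Comm100's own tooling. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account is allowed to manage permission grant policy, and that the permissions in the table are to be classified as low impact.

```powershell
# Added example: classify the delegated permissions from the table as low impact
# so that the "verified publishers, for selected permissions" user consent option covers them.
Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant"

# Delegated permissions listed in the table above.
$wanted = @(
    "Mail.Read", "Mail.Read.Shared", "Mail.ReadBasic", "Mail.ReadBasic.Shared",
    "Mail.ReadWrite", "Mail.ReadWrite.Shared", "Mail.Send", "Mail.Send.Shared",
    "profile", "email", "offline_access"
)

# Microsoft Graph service principal in this tenant (well-known application ID).
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Classifications that already exist, so the script can be re-run safely.
$existing = Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graph.Id

foreach ($name in $wanted) {
    $scope = $graph.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
    if (-not $scope) {
        Write-Warning "Delegated permission '$name' not found on Microsoft Graph; skipping."
        continue
    }
    if ($existing | Where-Object { $_.PermissionId -eq $scope.Id }) {
        Write-Host "$name is already classified."
        continue
    }
    $params = @{
        PermissionId   = $scope.Id
        PermissionName = $scope.Value
        Classification = "Low"
    }
    New-MgServicePrincipalDelegatedPermissionClassification `
        -ServicePrincipalId $graph.Id -BodyParameter $params | Out-Null
    Write-Host "Classified $name as Low."
}

# Print the resulting classification list for review.
Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graph.Id |
    Select-Object PermissionName, Classification
```

The classification is tenant-wide: it applies to every verified-publisher app that requests these permissions, so review the final list before relying on it.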
No User Consent; Requires Admin Consent for Apps
On the All services > Enterprise applications > Consent and permissions > User consent settings page, if you have selected the Do not allow user consent option, an administrator will be required for all apps.
On the All services > Enterprise applications > Consent and permissions > Admin consent settings page, turn the Users can request admin consent to apps they are unable to consent to toggle key to Yes.
On the Home > Enterprise applications > Admin Consent request page, the administrator can see and approve the pending request.
Restart the integration flow after you receive the approval. The app will no longer prompt for consent and will allow the integration.
No User Consent; Requires Admin Consent for Apps, but Admin Consent Request is Disabled
On the All services > Enterprise applications > Consent and permissions > User consent settings page, if you have selected the Do not allow user consent option, admin consent is required for all apps, but in this scenario the admin consent request is disabled.
On the All services > Enterprise applications > Consent and permissions > Admin consent settings page, turn the Users can request admin consent to apps they are unable to consent to toggle key to No.
Here, when you try to integrate the app, an option displays to allow the admin to log in.
The admin logs in, provides consent on behalf of the organization, and marks acceptance of the consent.
After the admin gives consent on behalf of the organization, subsequent integrations proceed without any consent prompt or approval.