How to Resolve the “Need Admin Approval” Error
The “Need Admin Approval” error may occur when a regular user attempts to authenticate in LinkPoint Connect(ME) with their Office 365 credentials in the OAuth window.
Important
There is also an important server-side prerequisite to clarify with your local Admin or the LPC Support team. To be able to authenticate access, your company’s Office 365 server must have a valid MPN ID from Microsoft. If no MPN ID is configured, the LinkPoint Connect(ME) App might be regarded as unverified, and for this reason it will not be listed among the access consent Apps in Admin settings. If that is the case, contact the LPC Support team with a corresponding request.
What causes the error
The error is caused by User permission settings in corporate MS Azure Active Directory; specifically, the option “User can consent to apps accessing company data on their behalf” is set to “No”, along with its derivative setting for accessing the groups’ data.
These settings can be found in All services -> Enterprise applications -> User settings in MS Azure Active Directory.
Problem solutions
Method 1
Step 1: Grant Admin Consent for LinkPoint Connect(ME)
1. Log in to MS Azure AD https://portal.azure.com with Admin credentials
2. Go to Enterprise Applications
3. Select All Applications
4. Type “Connect(ME)” in the search field to find the App and select it
Note
The application may be absent from the list if none of the users has previously registered consent for the App. If this is the case, see Method 2 in this article.
Step 2: Grant Admin consent
After Step 1 is complete, proceed to the following setup actions:
1. Open the Permissions tab and click Grant Admin consent for %CompanyName%
2. Log in with O365 Admin credentials and click Accept in the Permissions requested dialog that appears
Note
LinkPoint Connect(ME) accesses and handles the end users’ email and CRM data in a most secure and private manner, according to our Privacy and Security guarantees, so approving this data access is safe.
3. Refresh the page with Permissions for the application you’ve just registered consent for
4. The list of consent permissions will be displayed in the Admin Consent tab on the Applications page
After that, individual users should open the LPC Sidebar, click the ☰ (Menu) button in its upper left corner and select Sync settings or Set up sync.
The final setup action required from the end users is to grant access to their mailbox data when prompted in the O365 OAuth dialog. As soon as it is granted, they can start using all LinkPoint Connect(ME) functions.
Method 2
There is also another way to resolve the issue: the local Office 365 Admin can register consent for the App on the initial logon. This method requires the O365 Admin to be provisioned as a LinkPoint Connect(ME) user.
Setup actions to be performed by the Admin:
1. Log in to LinkPoint Connect(ME) Sidebar with Salesforce credentials registered for the Admin’s account
2. Press the ☰ (Menu) button in the upper left corner of the Sidebar
3. Select Set up sync in the menu
4. Next, log in with O365 Admin credentials in the O365 OAuth dialog that appears
5. In the following “Permissions Requested” dialog window, select the checkbox Consent on behalf of your organization and click Accept
If authorization is successful, a “Signed in successfully” notification will appear. Now the consent to use the App has been granted for the whole Org, and all end users in it are allowed to perform O365 data access authorization for LinkPoint Connect(ME).
An optional extra step
In case the O365 Admin does not intend to use the App, the corresponding user can be removed from LinkPoint Connect(ME) via the LPC Admin panel. To do that:
1. Log into RI Admin UI with admin credentials
2. Click the Gear (Settings) icon in the upper right corner of the page opened
3. Select Force Delete
After that, check that the O365 Admin user’s email address was removed from the LinkPoint Connect(ME) users list.
Method 3
Another option is to allow the end users to register consent for Apps on their own.
Note
If this method is used, the end users will be able to register consent for any third-party Apps; for some enterprises such a setup might contradict general Office Apps security policies.
1. Log in to Azure AD using Admin credentials
2. Go to Enterprise applications -> User settings
3. Switch the setting “User can consent to apps accessing company data on their behalf” to Yes
Enabling the setting “User can consent to apps accessing company data for the groups they own” is optional.
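Because Method 3 lets users consent to any third-party App, it helps to review afterwards which Apps hold access through individual user consent rather than Admin consent. The following is an added example, not part of the LinkPoint documentation: it reads JSON as returned by the Microsoft Graph endpoints `policies/authorizationPolicy` and `oauth2PermissionGrants`; the sample data, the placeholder IDs and the `BROAD_SCOPES` list are constructed assumptions.

```python
import json

# Illustrative assumption: delegated scopes this review treats as broad.
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All"}

# Constructed sample of GET /policies/authorizationPolicy, trimmed to one field.
SAMPLE_POLICY = json.loads("""{"defaultUserRolePermissions": {
  "permissionGrantPoliciesAssigned":
    ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}""")

# Constructed sample of GET /oauth2PermissionGrants; every ID is a placeholder.
SAMPLE_GRANTS = json.loads("""{"value": [
  {"clientId": "sp-app-a", "consentType": "AllPrincipals", "principalId": null,
   "scope": "User.Read Mail.ReadWrite"},
  {"clientId": "sp-app-b", "consentType": "Principal", "principalId": "user-1",
   "scope": "User.Read"},
  {"clientId": "sp-app-c", "consentType": "Principal", "principalId": "user-2",
   "scope": " Mail.ReadWrite offline_access"},
  {"clientId": "sp-app-c", "consentType": "Principal", "principalId": "user-3",
   "scope": "Mail.ReadWrite offline_access"}]}""")

def user_consent_enabled(policy):
    """True if the default user role may consent to apps on its own behalf."""
    perms = policy.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssigned") or []
    return any(p.startswith("ManagePermissionGrantsForSelf.") for p in assigned)

def review_grants(grants):
    """Per client app: admin consent flag, consenting users, broad user-granted scopes."""
    report = {}
    for g in grants.get("value", []):
        entry = report.setdefault(
            g["clientId"], {"admin_consent": False, "users": set(), "broad": set()})
        scopes = set((g.get("scope") or "").split())
        if g.get("consentType") == "AllPrincipals":   # tenant-wide Admin consent
            entry["admin_consent"] = True
        else:                                         # "Principal": one user's consent
            entry["users"].add(g.get("principalId"))
            entry["broad"] |= scopes & BROAD_SCOPES
    return report

def needs_review(report):
    """Apps holding broad scopes through user consent only, with no Admin grant."""
    return sorted(c for c, e in report.items() if e["broad"] and not e["admin_consent"])

if __name__ == "__main__":
    print("user consent enabled:", user_consent_enabled(SAMPLE_POLICY))
    for client in needs_review(review_grants(SAMPLE_GRANTS)):
        print("review user-consented app:", client)
```

Grants with `consentType` "AllPrincipals" are what Methods 1 and 2 produce; "Principal" grants are the per-user consents that Method 3 permits.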
Also see the following articles:
LinkPoint Connect(ME) mass deployment scenarios
How LinkPoint Connect(ME) works with EWS
Microsoft App Consent Experience