How to fix the ‘Need admin approval’ error while trying to sign in to the signature management app
Problem:
While trying to sign in to the signature management app, a user receives the following error:
Need admin approval. CodeTwo Email Signatures for Office 365 User Logon needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
Solution:
First of all, make sure that this user has been added to the signature management app users list in CodeTwo Admin Panel (learn more). If yes, and the problem persists, this might mean that application options in your Microsoft 365 organization are preventing users from using the CodeTwo application. You can access these options to resolve this problem in three different ways, by using either the Microsoft Entra admin center or the Microsoft 365 admin center. The changes you will be making are in fact restoring the default Microsoft 365 settings.
- Granting consent on behalf of all users in the tenant
- Enabling app registration by users in the Microsoft Entra admin center
- Allowing users to choose if an app can access their information
Tip
You can also configure the admin consent workflow in the Azure portal as discussed in this Microsoft article. This will enable an Azure AD workflow designed specifically for users to request admin approval for an application they are not authorized to consent to on their own, and for the admin to grant such approval. Optionally, you can allow users to grant this consent on behalf of themselves, as described below in this article.
Granting consent on behalf of all users
As an administrator, you can grant an app the permissions to your organization and its data centrally on behalf of your users. To do so, proceed as follows:
- Sign in to the Microsoft Entra admin center.
- In the menu on the left, go to Azure Active Directory (or Identity) > Applications > Enterprise applications (Fig. 1.).
Fig. 1. Accessing the enterprise applications settings.
- Search for the signature management app on the list by typing e.g. manage in the search box. Once found, click CodeTwo Email Signatures for Office 365 - Manage Signatures App to access its settings (Fig. 2.).
Fig. 2. Opening signature management app settings in the Microsoft Entra admin center.
- Choose Permissions from the menu on the left and click the Grant admin consent for <your tenant name> button (Fig. 3.).
Fig. 3. Launching the pop-up where you can grant admin consent on behalf of your organization.
- The pop-up to grant organization-wide consent will open. Choose your admin account and accept the permissions requested by the app (Fig. 4.).
Fig. 4. Granting the requested permissions on behalf of all the users in your organization.
From now on, no user will be prompted to consent to the permissions when using the application.
Enabling app registration by users in the Microsoft Entra admin center
Use the Microsoft Entra admin center to allow users to register applications. To do this:
- Sign in to the Microsoft Entra admin center.
- In the menu on the left, go to Azure Active Directory (or Identity) > Users > User settings.
- Enable the Users can register applications option by setting the toggle button to Yes and click Save to apply your changes (Fig. 5.).
Fig. 5. Allowing users to register applications in Azure AD.
If the solution above resolved the problem and the user is able to sign in to the signature management app at app.codetwo.com, you can return to your previous settings.
Allowing users to choose if an app can access organization's data
Use the Microsoft 365 admin center to allow users to let third-party apps access their information. Follow the steps below to do so:
- Sign in to the Microsoft 365 admin center.
- In the left menu, go to Settings > Org settings. Next, on the Services tab, locate the User consent to apps item and click it (Fig. 6.).
Info
If you can’t see Settings in the left-hand menu, click Show all.
Fig. 6. Accessing the setting to let users provide consent to third party apps.
- In the pane that opens, select the checkbox and click Save (Fig. 7.).
Fig. 7. Choosing the option to allow users to grant consent to third party apps’ accessing their data.
If the solution above resolved the problem and the user is able to sign in to the signature management app, you can return to your previous settings.
(Optional) Allowing user consent for apps in the Microsoft Entra admin center
Use the Microsoft Entra admin center to allow users to grant consent to third-party applications on their own.
Important
By following the steps below, you will restore the default user consent settings in the Microsoft Entra admin center. However, as indicated by Microsoft, doing so can pose risk in some situations, so make sure there are appropriate security measures implemented in your organization and that user consents are regularly and carefully monitored.
- Sign in to the Microsoft Entra admin center.
- Go to Azure Active Directory (or Identity) > Applications > Enterprise applications > Consent and permissions (Fig. 8.).
Fig. 8. Accessing the Consent and permissions settings page.
- Under User consent for applications, select Allow user consent for apps and click Save (Fig. 9.).
Fig. 9. Allowing users to grant consent for apps on their own.
| Related products: | CodeTwo Email Signatures for Office 365 1.x |
| Categories: | How-To |
| Last modified: | July 14, 2023 |
| Created: | May 28, 2020 |
| ID: | 869 |
