How to fix the ‘Need admin approval’ error while trying to sign in to the signature management app
Problem:
While trying to sign in to the signature management app, a user receives the following error:
Need admin approval. CodeTwo Email Signatures for Office 365 User Logon needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
Solution:
First of all, make sure that this user has been added to the signature management app users list in the CodeTwo Admin Panel (learn more). If the user is on the list and the problem persists, the application settings in your Microsoft 365 organization may be preventing users from using the CodeTwo application. You can change these settings in three different ways, using either the Azure portal or the Microsoft 365 admin center. The changes described below restore the default Microsoft 365 settings.
- Granting consent on behalf of all users in the tenant
- Enabling app registration by users in the Azure portal
- Allowing users to choose if an app can access their information
Tip
You can also configure the admin consent workflow in the Azure portal as discussed in this Microsoft article. This will enable an Azure AD workflow designed specifically for users to request admin approval for an application they are not authorized to consent to on their own, and for the admin to grant such approval. Optionally, you can allow users to grant this consent on behalf of themselves, as described below in this article.
Granting consent on behalf of all users
As an administrator, you can grant an app the permissions to your organization and its data centrally on behalf of your users. To do so, proceed as follows:
- Log in to the Azure Active Directory admin center.
- Click All services in the menu on the left and then Enterprise applications (Fig. 1.).
Fig. 1. Accessing the enterprise applications settings.
- Search for the signature management app on the list by typing e.g. manage in the search box. Once found, click CodeTwo Email Signatures for Office 365 - Manage Signatures App to access its settings (Fig. 2.).
Fig. 2. Opening signature management app settings in Azure Active Directory admin center.
- Choose Permissions from the menu on the left and click the Grant admin consent for <your tenant name> button (Fig. 3.).
Fig. 3. Launching the pop-up where you can grant admin consent on behalf of your organization.
- The pop-up to grant organization-wide consent will open. Choose your admin account and accept the permissions requested by the app (Fig. 4.).
Fig. 4. Granting the requested permissions on behalf of all the users in your organization.
From now on, no user will be prompted to consent to the permissions when using the application.
Enabling app registration by users in the Azure portal
Use the Azure portal to allow users to register applications. To do this:
- Log in to the Azure Active Directory admin center.
- Click Azure Active Directory in the menu on the left and then click Users as shown in Fig. 5.
Fig. 5. Accessing the Users page in Azure Active Directory.
- Go to User settings and under App registrations select Yes (Fig. 6.).
Fig. 6. Allowing users to register applications in Azure AD.
If the solution above resolved the problem and the user is able to sign in to the signature management app at app.codetwo.com, you can return to your previous settings.
Allowing users to choose if an app can access organization's data
Use the Microsoft 365 admin center to allow users to let third-party apps access their information. Follow the steps below to do so:
- Log in to the Microsoft 365 admin center.
- In the left menu, go to Settings > Org settings. Next, on the Services tab, locate the User consent to apps item and click it (Fig. 7.).
Info
If you can’t see Settings in the left-hand menu, click Show all.
Fig. 7. Accessing the setting to let users provide consent to third-party apps.
- In the pane that opens, select the checkbox and click Save (Fig. 8.).
Fig. 8. Choosing the option to allow users to grant third-party apps consent to access their data.
If the solution above resolved the problem and the user is able to sign in to the signature management app, you can return to your previous settings.
(Optional) Allowing user consent for apps in the Azure portal
Use the Azure portal to allow users to grant consent to third-party applications on their own.
Important
By following the steps below, you will restore the default user consent settings in the Azure portal. However, as indicated by Microsoft, doing so can pose a risk in some situations, so make sure appropriate security measures are implemented in your organization and that user consents are regularly and carefully monitored.
- Log in to the Azure Active Directory admin center.
- Go to Enterprise applications > Consent and permissions > User consent settings.
- Under User consent for applications, select Allow user consent for apps and click Save (Fig. 9.).
Fig. 9. Allowing users to grant consent for apps on their own.
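For the monitoring recommended in the note above, the following added example (not part of the original article or of CodeTwo's tooling) summarizes the tenant's app registration and user consent settings and lists per-user consents that include high-impact scopes. It assumes JSON shaped like Microsoft Graph's authorizationPolicy and oauth2PermissionGrants responses; the sample records, placeholder IDs and the HIGH_IMPACT list are constructed for illustration.

```python
import json

# Constructed sample, shaped like GET /v1.0/policies/authorizationPolicy.
POLICY = json.loads("""{"defaultUserRolePermissions": {
  "allowedToCreateApps": true,
  "permissionGrantPoliciesAssigned":
    ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}""")

# Constructed sample, shaped like the "value" array of
# GET /v1.0/oauth2PermissionGrants. IDs are placeholders, not real object IDs.
GRANTS = [
    {"clientId": "sp-signature-app", "consentType": "AllPrincipals",
     "principalId": None, "scope": "openid profile User.Read"},
    {"clientId": "sp-example-app", "consentType": "Principal",
     "principalId": "user-17", "scope": "offline_access Mail.ReadWrite Files.Read.All"},
    {"clientId": "sp-calendar-tool", "consentType": "Principal",
     "principalId": "user-04", "scope": "openid User.Read"},
]

# Assumption: delegated scopes this review treats as high impact.
HIGH_IMPACT = {"Mail.ReadWrite", "Mail.Send", "Files.Read.All",
               "Files.ReadWrite.All", "Directory.ReadWrite.All"}
SELF_PREFIX = "ManagePermissionGrantsForSelf."

def consent_settings(policy):
    """Summarize the app registration and user consent settings."""
    perms = policy["defaultUserRolePermissions"]
    assigned = perms.get("permissionGrantPoliciesAssigned", [])
    self_policies = [p[len(SELF_PREFIX):] for p in assigned
                     if p.startswith(SELF_PREFIX)]
    return {"users_can_register_apps": bool(perms.get("allowedToCreateApps")),
            "user_consent_enabled": bool(self_policies),
            "user_consent_policies": self_policies}

def review_grants(grants):
    """Split grants into tenant-wide admin consent and risky per-user consent."""
    tenant_wide, risky = [], []
    for g in grants:
        if g["consentType"] == "AllPrincipals":
            tenant_wide.append(g["clientId"])
            continue
        hits = sorted(set(g["scope"].split()) & HIGH_IMPACT)
        if hits:  # a user consented to at least one high-impact scope
            risky.append((g["clientId"], g["principalId"], hits))
    return {"tenant_wide": tenant_wide, "risky_user_grants": risky}

if __name__ == "__main__":
    print(consent_settings(POLICY))
    print(review_grants(GRANTS))
```

An empty user_consent_policies list corresponds to user consent being disabled, the state in which users see the "Need admin approval" prompt for apps that have no tenant-wide consent.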
Related products: CodeTwo Email Signatures for Office 365 1.x
Categories: How-To
Last modified: June 8, 2022
Created: May 28, 2020
ID: 869