SAP Knowledge Base Article - Public

3023957 - Need Admin Approval Message On Server Side Integration

Symptom

A user tries to authenticate for Groupware server-side integration via Office 365, but cannot because of a message stating "Need admin approval".


"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

SAP Cloud For Customer

Reproducing the Issue

  1. Go to the E-mail Integration Work Center.
  2. Click the User Settings view.
  3. Sync Settings.
  4. E-mail Configuration.
  5. Click the Change button.

Cause

The issue is caused by a setting in your Azure environment: under Azure Active Directory > Enterprise applications > User settings, the option "User can consent to apps accessing company data on their behalf" is set to "No".


Resolution

There are three ways of resolving this:

Method 1 (Grant Admin Consent for Server-Side integration)

1. Log on to Azure AD using an admin account.

2. Go to "Enterprise Applications" and find "SAP Cloud for Customer, server-side integration" in the list. (Note: the application may not be present in the list if no user has previously consented to the app on their own behalf. In that case, refer to Method 2 to proceed.)


3. Go to the "Permissions" tab and click "Grant Admin consent for %CompanyName%".


4. Log in with the Office 365 admin account and click "Accept".


5. A "Signed In successfully" message should be displayed.


6. The "Admin Consent" tab on the application page will display a list of the consented permissions.


7. A standard user can now go to "User Settings" in C4C and grant access to their mailbox.

Method 2 (Office 365 administrator consents to the application during initial log-in):

1. The Office 365 administrator should be a C4C user and should be provisioned as a server-side integration user.

2. Log on to C4C as the Office 365 administrator.

3. Go to "User Settings" > "Change settings" in "MAIL SERVER CONNECTION STATUS".

4. In the Office 365 OAuth log-in dialog, log in with the Office 365 administrator account.

5. In the "Permissions Required" dialog, select the "Consent on behalf of your organization" checkbox and click "Accept".


Method 3 (Allow users to consent to applications on their behalf again):

1. Log on to Azure AD using an admin account.

2. Go to Enterprise applications > User settings.

3. Switch "User can consent to apps accessing company data on their behalf" to "Yes".

Note: when this setting is enabled, users can consent to any third-party application, including ones that may not meet company security policies.
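To review the exposure the note above describes, the following added example (not part of the SAP article) checks whether self-service user consent is enabled and separates tenant-wide admin consent (Methods 1 and 2) from per-user consent (Method 3). It assumes JSON exported from Microsoft Graph `GET /policies/authorizationPolicy` and `GET /oauth2PermissionGrants`; the IDs, scopes and approved list below are constructed placeholders.

```python
import json

# Constructed samples shaped like Microsoft Graph responses; every ID is a
# placeholder and the scopes are illustrative, not the SAP app's real set.
POLICY = json.loads("""{"defaultUserRolePermissions": {
  "permissionGrantPoliciesAssigned":
    ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}""")
GRANTS = json.loads("""[
  {"clientId": "sp-c4c", "consentType": "AllPrincipals",
   "principalId": null, "scope": "Mail.ReadWrite offline_access"},
  {"clientId": "sp-c4c", "consentType": "Principal",
   "principalId": "user-1", "scope": " Mail.ReadWrite"},
  {"clientId": "sp-unknown", "consentType": "Principal",
   "principalId": "user-2", "scope": "Files.Read.All Mail.Read"}
]""")
APPROVED = {"sp-c4c"}  # assumption: service principals your policy allows


def user_consent_enabled(policy):
    """True if a self-service consent policy is assigned to default users."""
    perms = policy.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssigned") or []
    return any(p.startswith("ManagePermissionGrantsForSelf.") for p in assigned)


def audit_grants(grants, approved):
    """Separate tenant-wide admin consent from per-user consent and flag
    per-user grants to service principals outside the approved set."""
    report = {"admin": [], "user": [], "unapproved": []}
    for g in grants:
        scopes = sorted((g.get("scope") or "").split())
        entry = (g["clientId"], g.get("principalId"), scopes)
        if g.get("consentType") == "AllPrincipals":
            report["admin"].append(entry)   # result of Method 1 or 2
            continue
        report["user"].append(entry)        # per-user consent (Method 3)
        if g["clientId"] not in approved:
            report["unapproved"].append(entry)
    return report


if __name__ == "__main__":
    print("user consent enabled:", user_consent_enabled(POLICY))
    for kind, rows in audit_grants(GRANTS, APPROVED).items():
        for client, principal, scopes in rows:
            print(f"{kind:10} {client:12} {principal or '-':8} {' '.join(scopes)}")
```

Entries under `unapproved` are the grants to review or revoke if Method 3 was enabled only temporarily.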

Keywords

Server Side; Groupware; Admin; Azure; Exchange Administrator; Login; OAuth; Office 365; Outlook; KBA; LOD-CRM-GW-SCC; Invisible CRM - Smart Cloud Connect Solution; How To

Product

SAP Cloud for Customer add-ins all versions; SAP Cloud for Customer core applications all versions