Symptom
A user tries to authenticate for Groupware server-side integration via Office 365, but cannot because a "Need admin approval" message is displayed.
"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."
Environment
SAP Cloud For Customer
Reproducing the Issue
- Go to E-mail Integration Work Center.
- Click on User Settings view.
- Sync Settings.
- E-mail Configuration.
- Click on Change button.
Cause
The issue is caused by a setting in your Azure environment: under Azure Active Directory > Enterprise applications > User settings, the option "User can consent to apps accessing company data on their behalf" is set to "No".
Resolution
There are three ways of resolving this:
Method 1 (Grant Admin Consent for Server-Side integration)
1. Log on to Azure AD using an admin account.
2. Go to "Enterprise Applications" and find "SAP Cloud for Customer, server-side integration" in the list. (Note: the application may not be present in the list if no user has previously consented to the app on their own behalf. In that case, refer to Method 2.)
3. Go to the "Permissions" tab and click "Grant Admin consent for %CompanyName%".
4. Log in with the Office 365 admin account and click "Accept".
5. A "Signed In successfully" message should be displayed.
6. The "Admin Consent" tab on the application page displays a list of the consented permissions.
7. A standard user can now go to "User Settings" in C4C and grant access to their mailbox.
Method 2 (Office 365 administrator can consent application during initial log-in):
1. The Office 365 administrator must be a C4C user and must be provisioned as a server-side integration user.
2. Log on to C4C as the Office 365 administrator.
3. Go to "User Settings" > "Change settings" in "MAIL SERVER CONNECTION STATUS".
4. In the Office 365 OAuth log-in dialog, log in with the Office 365 administrator account.
5. In the "Permissions Required" dialog, select the "Consent on behalf of your organization" checkbox and click "Accept".
Method 3 (Allow users to consent to applications on their own behalf):
1. Log on to Azure AD using an admin account.
2. Go to Enterprise applications > User settings.
3. Switch “User can consent to apps accessing company data on their behalf” to "Yes".
Note: when this setting is enabled, users can consent to any third-party application, including applications that may not meet company security policies.
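The following is an added example, not part of the original KBA or of SAP's or Microsoft's code: a small offline audit that models when the "Need admin approval" symptom occurs and lists which applications hold per-user consent, which is the set to review if Method 3 is used. It assumes data exported from the Microsoft Graph endpoints /policies/authorizationPolicy and /oauth2PermissionGrants; all IDs and scopes below are constructed placeholders. The model is simplified and ignores scopes that always require admin consent.

```python
import json

# Constructed sample data shaped like Microsoft Graph v1.0 responses from
# GET /policies/authorizationPolicy and GET /oauth2PermissionGrants.
# IDs and scopes are placeholders, not the SAP application's real values.
POLICY_USER_CONSENT_OFF = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}
POLICY_USER_CONSENT_ON = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [
    "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}
GRANTS = json.loads("""{"value": [
  {"clientId": "sp-c4c", "consentType": "AllPrincipals", "principalId": null,
   "scope": "Mail.ReadWrite offline_access"},
  {"clientId": "sp-other", "consentType": "Principal", "principalId": "user-1",
   "scope": "Mail.Read Files.Read.All"},
  {"clientId": "sp-other", "consentType": "Principal", "principalId": "user-2",
   "scope": "Mail.Read"}
]}""")["value"]


def user_consent_allowed(policy):
    """True when a self-consent grant policy is assigned to the default user role."""
    assigned = policy["defaultUserRolePermissions"]["permissionGrantPoliciesAssigned"]
    return any(p.startswith("ManagePermissionGrantsForSelf.") for p in assigned)


def needs_admin_approval(policy, grants, client_id, user_id, requested):
    """Model of the symptom: the user is blocked when the requested scopes are not
    already covered by a tenant-wide or personal grant and self-consent is off."""
    covered = set()
    for g in grants:
        if g["clientId"] != client_id:
            continue
        # AllPrincipals = admin consent for everyone; Principal = one user's consent.
        if g["consentType"] == "AllPrincipals" or g["principalId"] == user_id:
            covered |= set(g["scope"].split())
    return (not set(requested) <= covered) and not user_consent_allowed(policy)


def user_consented_apps(grants):
    """Apps holding per-user (consentType == 'Principal') grants: the set to
    review against security policy when user consent is enabled (Method 3)."""
    report = {}
    for g in grants:
        if g["consentType"] == "Principal":
            entry = report.setdefault(g["clientId"], {"users": set(), "scopes": set()})
            entry["users"].add(g["principalId"])
            entry["scopes"] |= set(g["scope"].split())
    return report
```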
Keywords
Server Side; Groupware; Admin; Azure; Exchange Administrator; Login; OAuth; Office 365; Outlook; KBA; LOD-CRM-GW-SCC; Invisible CRM - Smart Cloud Connect Solution; How To