Symptom
A user tries to authenticate for Groupware server-side integration via Office 365, but cannot because a message stating "Need admin approval" is displayed.
"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."
Environment
SAP Cloud For Customer
Reproducing the Issue
- Go to E-mail Integration Work Center.
- Click on User Settings view.
- Sync Settings.
- E-mail Configuration.
- Click on Change button.
Cause
The issue is caused by a setting in your Azure environment: under Azure Active Directory > Enterprise applications > User settings, the option "User can consent to apps accessing company data on their behalf" is set to "No".
Resolution
There are two ways of resolving this:
Method 1 (the Office 365 administrator consents to the application during initial log-in):
1. The Office 365 administrator should be a C4C user and should be provisioned as a server-side integration user.
2. Log on to C4C as the Office 365 administrator.
3. Go to "User Settings" > "Change settings" in "MAIL SERVER CONNECTION STATUS".
4. In the Office 365 OAuth log-in dialog, log in with the Office 365 administrator account.
5. In the "Permissions Required" dialog, select the checkbox "Consent on behalf of your organization" and click "Accept".
Method 2 (allow users to consent to applications on their behalf):
1. Log on to Azure AD using an admin account.
2. Go to Enterprise applications > User settings.
3. Switch "User can consent to apps accessing company data on their behalf" to "Yes".
Note: when this setting is enabled, users can consent to any third-party application, including ones that may not meet company security policies.
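An added example, not part of the SAP KBA: one way to follow up on the note above after using Method 2 is to review exported Microsoft Graph data for the state of the consent setting and for grants that users made themselves. The JSON below is constructed sample data with placeholder IDs, and the function names and the SENSITIVE scope list are assumptions to adapt to company policy.

```python
import json

# Constructed sample data shaped like Microsoft Graph responses from
# GET /policies/authorizationPolicy and GET /oauth2PermissionGrants.
# All IDs are placeholders, not values from a real tenant.
POLICY = json.loads("""{"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned":
  ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}""")
GRANTS = json.loads("""[
 {"clientId": "sp-admin-consented-app", "consentType": "AllPrincipals",
  "principalId": null, "scope": "EWS.AccessAsUser.All offline_access"},
 {"clientId": "sp-unknown-app", "consentType": "Principal",
  "principalId": "user-1", "scope": "Mail.ReadWrite offline_access"},
 {"clientId": "sp-calendar-tool", "consentType": "Principal",
  "principalId": "user-2", "scope": "User.Read"}
]""")

# Assumed review list of delegated scopes; adjust to company policy.
SENSITIVE = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
             "EWS.AccessAsUser.All", "offline_access"}
SELF_PREFIX = "ManagePermissionGrantsForSelf."

def user_consent_mode(policy):
    """Map the authorization policy to the state of the portal switch."""
    assigned = policy["defaultUserRolePermissions"]["permissionGrantPoliciesAssigned"]
    own = [p[len(SELF_PREFIX):] for p in assigned if p.startswith(SELF_PREFIX)]
    if not own:
        return "disabled"    # switch is "No": users get "Need admin approval"
    if "microsoft-user-default-legacy" in own:
        return "all-apps"    # switch is "Yes" (Method 2)
    return "restricted"      # a narrower user consent policy is assigned

def user_granted_sensitive(grants):
    """Return (client, user, scopes) for per-user grants holding sensitive scopes."""
    findings = []
    for g in grants:
        if g["consentType"] != "Principal":  # "AllPrincipals" is admin consent (Method 1)
            continue
        hit = sorted(set(g["scope"].split()) & SENSITIVE)
        if hit:
            findings.append((g["clientId"], g["principalId"], hit))
    return findings

if __name__ == "__main__":
    print("user consent:", user_consent_mode(POLICY))
    for client, user, scopes in user_granted_sensitive(GRANTS):
        print(f"review: {client} granted by {user}: {', '.join(scopes)}")
```

Grants with consentType "AllPrincipals" come from an administrator consenting for the organization, as in Method 1; grants with "Principal" are the per-user consents that Method 2 makes possible.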
Keywords
Server Side; Groupware; Admin; Azure; Exchange Administrator; Login; OAuth; Office 365; Outlook; KBA; LOD-CRM-GW-SCC; Invisible CRM - Smart Cloud Connect Solution; How To