This article summarizes the available options for authorizing the Office 365 Mail connector with a regular O365 user account rather than a Global Administrator account. Note that all options require some initial configuration steps that must be completed by a Global Administrator account. See the Office 365 Mail Authorization documentation for additional details.
- Workflows
- Office 365 Mail connector
- Office 365 Mail for Okta Workflows app
- Office 365 Mail for Okta Preview app
When attempting to create or authorize an Office 365 Mail connection as a regular user account, the following message might be received, indicating that approval is required and the connection cannot be authorized:
To authorize the Office 365 Mail connector as a regular user account, there are three different options.
Option 1 - Grant consent on behalf of the organization using a Global Administrator account
This option requires a Global Administrator to grant tenant-wide admin consent when initially creating the O365 Mail connection:
- Create the Office 365 Mail connection using a Global Administrator account and check the Consent on behalf of your organization checkbox.
- Click Accept, and when the Office 365 Mail for Okta Workflows or Office 365 Mail for Okta Preview app is installed in Azure Active Directory, tenant-wide admin consent will be granted, and any user will be able to create a new connection or reauthorize an existing connection.
- If admin consent was not granted when the connection was first created, the consent screen might not be shown again. A Global Administrator can grant admin consent in the Azure Portal as follows:
  - Navigate to Microsoft Entra ID > Enterprise Applications.
  - Click on the Office 365 Mail for Okta Workflows or Office 365 Mail for Okta Preview app.
  - Under the Security section, select Permissions.
  - On the Admin consent tab, click the Grant admin consent for {tenantName} button.
Option 2 - Enable the admin consent workflow in Microsoft Entra ID
This option allows the user to request admin approval for tenant-wide admin consent from the consent screen when creating the connection:
- Log in to the Azure Portal using a Global Administrator account.
- Navigate to Microsoft Entra ID > Enterprise applications.
- Under the Security section, select Consent and permissions.
- Click Admin consent settings and set Users can request admin consent to apps they are unable to consent to to Yes, and click Save.
- Specify the Users, Groups, and Roles that can review consent requests.
- In Workflows, create a new Office 365 Mail connection using a regular O365 user account.
- At the consent screen, an Approval required message will appear.
  - Enter a justification for requesting the app.
  - Click the Request approval button.
- A Request sent message will appear (note that the connection will not be created).
- When the request is actioned by the admin, an email notification indicating the action taken will be received.
- If the request was approved, tenant-wide admin consent has been granted, and any user will be able to create a new connection or reauthorize an existing connection.
For additional information on enabling the admin consent workflow, see the Microsoft documentation Configure the admin consent workflow.
Option 3 - Allow Consent for applications
This option allows granting tenant-wide admin consent for specific apps with selected permissions or for all apps:
- Log in to the Azure Portal using a Global Administrator account.
- Navigate to Microsoft Entra ID > Enterprise applications.
- Under the Security section, select Consent and permissions.
- Click User consent settings and choose the desired User consent for applications option.
- If using the Allow user consent for apps from verified publishers, for selected permissions (Recommended) setting, add the following permissions to the Low Permission classification:
  - Mail.ReadWrite
  - Mail.ReadWrite.Shared
  - Mail.Send
  - Mail.Send.Shared
  - offline_access
- Click Save to save the changes.
- Any user will be able to create a new connection or reauthorize an existing connection and successfully consent to permissions.
For additional information on allowing user consent for applications, see the Microsoft documentation Configure how users consent to applications.
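To check which kind of consent is actually in place after following one of the options, the added example below (not from the original article, Okta, or Microsoft) audits a Microsoft Graph oauth2PermissionGrants listing for the app and separates tenant-wide grants from per-user grants. It assumes the five permissions listed under Option 3 are the full set the connector requests; the service principal IDs and the sample grants are constructed placeholders.

```python
import json

# Delegated permissions listed under Option 3 of this article (assumed to be
# the full set the connector requests).
REQUIRED = {"Mail.ReadWrite", "Mail.ReadWrite.Shared", "Mail.Send",
            "Mail.Send.Shared", "offline_access"}

def audit_consent(grants, client_sp_id):
    """Summarize delegated permission grants for one enterprise application.

    grants: the "value" list of a Graph oauth2PermissionGrants response.
    client_sp_id: object ID of the app's service principal (the grant clientId).
    """
    tenant_wide, per_user = set(), {}
    for g in grants:
        if g.get("clientId") != client_sp_id:
            continue  # grant belongs to a different application
        scopes = set((g.get("scope") or "").split())  # space-separated string
        if g.get("consentType") == "AllPrincipals":   # tenant-wide admin consent
            tenant_wide |= scopes
        else:                                         # "Principal": one user
            per_user.setdefault(str(g.get("principalId")), set()).update(scopes)
    granted = tenant_wide.union(*per_user.values())
    return {
        "tenant_wide_complete": REQUIRED <= tenant_wide,
        "missing_tenant_wide": sorted(REQUIRED - tenant_wide),
        "scopes_outside_list": sorted(granted - REQUIRED),
        "users_with_individual_consent": sorted(per_user),
    }

# Constructed sample response; IDs are placeholders, not real object IDs.
SAMPLE = json.loads("""
{"value": [
 {"clientId": "sp-o365-mail", "consentType": "AllPrincipals", "principalId": null,
  "resourceId": "sp-graph", "scope": " Mail.ReadWrite Mail.Send offline_access"},
 {"clientId": "sp-o365-mail", "consentType": "Principal", "principalId": "user-1",
  "resourceId": "sp-graph", "scope": "Mail.ReadWrite.Shared Mail.Send.Shared User.Read"},
 {"clientId": "sp-other-app", "consentType": "AllPrincipals", "principalId": null,
  "resourceId": "sp-graph", "scope": "Directory.Read.All"}
]}
""")["value"]

if __name__ == "__main__":
    print(json.dumps(audit_consent(SAMPLE, "sp-o365-mail"), indent=2))
```

A result with `tenant_wide_complete` false and a non-empty `users_with_individual_consent` list means regular users are consenting individually (Option 3) rather than relying on a tenant-wide grant (Options 1 and 2).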
