Microsoft 365 Error During SSO "Microsoft Graph Client needs permission to access resources in your organization that only an admin can grant."
Jul 4, 2025
Okta Integration Network
Okta Classic Engine
Overview
When attempting to access Microsoft Teams through Okta federation, users are receiving the following error:
You can't access this application
Okta Microsoft Graph Client needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
Applies To
- Office 365 (O365 / M365)
- Microsoft Teams / other Microsoft applications integrated with Okta
- Federation
- Okta Classic Engine
Cause
Microsoft Graph Client API credentials must be provided or re-authenticated.
Solution
To re-authenticate or provide credentials for the Microsoft Graph Client API:
- Access the Okta Admin Console.
- Click on Applications, and then click the affected Microsoft 365 application.
- Click on the Sign On tab.
- Click Edit and scroll down to the API Credentials section.
- Next to the Advanced API Access option, click Authenticate with Microsoft Office 365 or Re-authenticate with Microsoft Office 365.
- Enter the credentials of a global administrator for the Microsoft 365 tenant.
- It is highly recommended that this be an account that is not federated with Okta. Such accounts are easily identified by having onmicrosoft.com in the domain (for example,
<admin>@<company>.onmicrosoft.com)
- It is highly recommended that this be an account that is not federated with Okta. Such accounts are easily identified by having onmicrosoft.com in the domain (for example,
- Click Save.
