Need Admin Approval Popup When Using Microsoft Teams Scope Activity

How to handle the Need admin approval popup when using Microsoft Teams Scope Activity?

Issue Description: A "Need admin approval" popup appears when using the Microsoft Teams Scope activity.


Resolution: The UiPathStudioO365App application requires one or more permissions that only a Global Admin can consent to. For some permissions, standard users can request admin review and consent.

If the application needs a high-level permission, Azure admins can enable users to request admin consent to apps they are unable to consent to.

From the Admin portal, go to Admin Centers > Azure AD > Users > User Settings, then make sure "Users can request admin consent to apps they are unable to consent to" is enabled.

  • If this option is set to Yes, users can request admin consent to any app that requires access to data they do not have permission to grant.
  • If this option is set to No, users must contact their admin to request consent in order to use the apps they need.


Once enabled, options to select the users, groups, and roles that receive approval requests, to send reminders, and to set request expiration become available.

Instead of enabling a user to consent to app access, Microsoft has provided more granular permission through an admin request, allowing Azure admins to identify which users, groups, and/or roles are to receive these consent requests and reminders, as well as set expiration limits on requests.

Because this requires identifying the approval authorities within the organization, most organizations will need a governance review, which may take up to several weeks.
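To check the setting described above once it is configured, the following added example (not UiPath's or Microsoft's code) audits an admin consent request policy object of the shape Microsoft Graph returns from `GET /policies/adminConsentRequestPolicy`. The sample policy, its GUIDs, the function names, and the 30-day expiration limit are assumptions made for illustration.

```python
import re

# Reviewer "query" forms, matching the users / groups / roles options above.
REVIEWER_KINDS = [
    ("user", re.compile(r"^/users/[0-9a-fA-F-]{36}$")),
    ("group", re.compile(r"^/groups/[0-9a-fA-F-]{36}/")),
    ("role", re.compile(r"roleAssignments\?\$filter=roleDefinitionId eq '")),
]

def classify_reviewer(query):
    """Return 'user', 'group', 'role' or 'unknown' for a reviewer query."""
    for kind, pattern in REVIEWER_KINDS:
        if pattern.search(query or ""):
            return kind
    return "unknown"

def audit_policy(policy, max_days=30):
    """Return findings for a policy dict; an empty list means it passes."""
    if not policy.get("isEnabled"):
        return ["consent requests disabled: users see the popup with no request path"]
    findings = []
    kinds = [classify_reviewer(r.get("query")) for r in policy.get("reviewers") or []]
    if not kinds:
        findings.append("no reviewers configured to receive requests")
    if "unknown" in kinds:
        findings.append("reviewer entry with an unrecognised query")
    if kinds == ["user"]:
        findings.append("a single named user is the only reviewer")
    if not policy.get("notifyReviewers"):
        findings.append("reviewers are not notified of new requests")
    if not policy.get("remindersEnabled"):
        findings.append("expiration reminders are off")
    days = policy.get("requestDurationInDays") or 0
    if not 1 <= days <= max_days:
        findings.append(f"request expiration of {days} days is outside 1..{max_days}")
    return findings

# Constructed sample policy; the GUIDs are placeholders, not real objects.
SAMPLE_POLICY = {
    "isEnabled": True, "notifyReviewers": True,
    "remindersEnabled": False, "requestDurationInDays": 60,
    "reviewers": [
        {"query": "/users/11111111-1111-1111-1111-111111111111"},
        {"query": "/beta/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '22222222-2222-2222-2222-222222222222'"},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE_POLICY)))
```
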

If the goal is to deploy the process to an unattended robot using Application permissions, guidance on limiting application permissions to specific Exchange Online mailboxes can be found in Limiting Applications Permissions To Specific Exchange Online Mailboxes.

Note: The above screenshots may vary depending upon the version being used.

For more controlled access (the above method allows users to add any apps), I used the following method (as a Microsoft admin). This allows the best of both worlds - users can access and Admin knows what apps they are giving permission to!

MICROSOFT ADMIN

  1. Microsoft Admin Centre > Azure Active Directory Administration

  2. Users > User Settings

  3. Enterprise Applications > click on “Manage how end users launch and view their applications”

  4. Look under the ‘Admin consent requests’ area
    a. Check “Users can request admin consent to apps they are unable to consent to” to YES
    b. enter the admin user or group

  5. Save

USER
6. The original user then needs to try to log in to cloud.uipath.com with Microsoft sign-on. Now, they will be presented with a screen which asks them why they want access to the app.

  • This gets sent to the Microsoft admin for approval

MICROSOFT ADMIN
7. The Admin gets an email and in a few clicks can provide access to the App via Azure.

  • To confirm, check that the App shows up on the Azure Active Directory - Enterprise applications window

USER
8. Login at cloud.uipath.com
NOTE: the user needs a UiPath license and to be added to the appropriate organization. It is recommended they sign in using the email invite they received from UiPath on an incognito/private browser.

Hope this helps!!