Why does Pipedrive require Microsoft Admin approval for email sync, and how can it be resolved?
Pipedrive users may encounter a “Need admin approval” or “Admin approval required” error when attempting to enable email synchronization with Microsoft 365 (Office 365). This issue stems from Microsoft’s administrative settings and security policies, not from Pipedrive. Below is an explanation of this error, steps to resolve it, and solutions for specific scenarios.
Root cause of the admin approval prompt
The "Need admin approval" prompt is controlled by your Microsoft tenant settings and results from a policy that restricts third-party applications from accessing organizational user data. Microsoft enforces these policies through Azure Active Directory (Azure AD) or Microsoft Entra, requiring an administrator to grant explicit consent for applications such as Pipedrive. Pipedrive’s email sync uses delegated permissions during authentication, which means it can only access data that the signed-in user is authorized for. If the Microsoft tenant configuration blocks user consent, the application will display an admin approval error.
How to Resolve the Admin approval requirement
Option 1: Enable user consent for applications
Ask your Microsoft/IT administrator to allow users to approve app permissions during the sync process. To enable user consent:
Go to the Microsoft 365 Admin Center or Azure AD admin panel.
Locate the setting for app permissions or user consent.
Toggle the setting to allow users to consent to third-party application permissions on their own.
Retry the connection process in Pipedrive.
This option is best for organizations with more flexible security policies that allow users some autonomy over app permissions.
Option 2: Grant tenant-wide Admin consent
If the organization prefers tighter control over app access, a Microsoft administrator can explicitly grant admin consent for the Pipedrive app at the tenant level. To do this:
Open the Microsoft Entra Admin Center or Azure AD Admin Center with a Global Administrator account.
Navigate to Enterprise Applications and search for "Pipedrive CRM" or locate it using the Application ID.
Select Permissions (or Permissions and Consent) and choose Grant admin consent for [your tenant name].
Approve the confirmation dialog and ensure the "Granted" status appears.
Alternatively, some configurations may require visiting App Registrations to grant consent directly. Once consent is granted, the affected users can retry connecting their Microsoft email account in Pipedrive, and the sync process should complete successfully.
Additional scenarios and FAQs
What if admin consent was granted but the error persists?
If admin consent has already been granted but you still encounter issues, follow these steps:
Verify that the permissions for the Pipedrive app were correctly granted.
Ensure that the user's mailbox and identity have the necessary settings for third-party app access.
Ask your Microsoft admin to investigate further or open a support ticket with Microsoft to verify the tenant’s app authorization configuration.
Why do personal accounts not require Admin approval?
Admin approval requirements typically apply to organizational accounts managed through a Microsoft tenant. Personal email accounts, such as individual Gmail accounts, generally do not have such restrictions.
Why do other users in my organization not see the same error?
Some Microsoft tenant configurations restrict admin consent at the user level. In such cases, permissions may need to be enabled individually, or the admin must modify the tenant-wide consent policy to avoid inconsistencies across users.
How does delegated permission impact Email Sync?
Pipedrive uses delegated permissions, which means the app only acts on data accessible to the signed-in user. This method ensures that permissions for sync are limited in scope and provide no additional access unless explicitly granted by the tenant admin.
Key notes for IT teams
Permissions: Ensure that tenant-level settings allow for app permissions and user delegation policies.
Security: Organizations concerned about data security can review Pipedrive’s requested scopes in their Microsoft dashboard before granting consent.
Support: If the Microsoft admin approval process involves unforeseen errors, consult Microsoft’s support documentation or open a ticket for further assistance.
By granting the necessary permissions in the Microsoft admin console, users can seamlessly connect their email accounts to Pipedrive while complying with organizational security policies.