Outlook Permission Settings Any Advice?

  • jeffreysgrossman
    Member
    • Jan 2025
    • 43

    I am getting word back that we are experiencing issues with trying to install the Outlook Integration. We are being told that EspoCRM Outlook Extension is:
    We have looked for any type of settings that would change this, but have not found any. Is this a known issue? Is there anything anyone has run into before when dealing with Outlook? Any help will be very much appreciated.
  • victor
    Active Community Member
    • Aug 2022
    • 796

    #2
    You did not include an error code, so it is difficult to advise. Please do the following:

    - Enable Debug mode: https://docs.espocrm.com/administrat...ng/#debug-mode.
    - Reproduce the error.
    - Send the EspoCRM error log. EspoCRM log files are located in the {ESPO_ROOT}/data/logs/ directory. Most errors are logged there.
    - Additionally:
    1. Send a full-screen screenshot from Administration > System Requirements.
    2. Specify which version of EspoCRM and Outlook Integration extension you are using.

    • jeffreysgrossman
      Member
      • Jan 2025
      • 43

      #3
      Hello victor

      Thank you so much. This is what I got back from our Admin:

      It's not an error that's explicitly occurring in EspoCRM. The problem is that in the Microsoft auth request you're generating, you're including the query parameter "prompt=consent", which is forcing individual users to consent even though an admin has already granted tenant-wide consent. This is a problem because Microsoft's security best practices recommend blocking users from authorizing OAuth apps (which we do), so instead of being able to get a token, they indefinitely get sent to the request permission screen. If you could just include an option to disable that query parameter (or point us to the existing setting if it exists), that would solve our problem. If you don't include the consent parameter, it will only prompt the consent if needed instead of doing so every time.

      Screenshot of what is being talked about attached.

      "that last bit needs to not be there and then it works fine (which was tested to confirm)"

      Does that all make sense?

      Also for clarity:
      EspoCRM V9 (latest version update)
      Outlook Extension: 1.3.6
      Last edited by jeffreysgrossman; 02-13-2025, 07:18 PM.

      • victor
        victor commented
        - Sorry, but you still haven't provided an error log.
        - I don't understand how to reproduce your problem: steps are needed to reproduce it. If the steps are additionally accompanied by screenshots - it will be even better.
    • jeffreysgrossman
      Member
      • Jan 2025
      • 43

      #4
      victor Here is what we have once we turned on error log. This is from my Admin:

      This is the section of the code I need them to change in their outlook.js script (I need a toggle to not include the prompt: 'consent' parameter):


      this.popup({
          path: endpoint,
          params: {
              client_id: this.clientId,
              redirect_uri: this.redirectUri,
              scope: this.getMetadata().get(['integrations', 'Outlook', 'params', 'scopeMail']),
              response_type: 'code',
              access_type: 'offline',
              prompt: 'consent',
          }

      JS Console:
      HTML Code:
      Object { error: "access_denied", error_subcode: "cancel", error_description: "AADSTS65004%3a+User+declined+to+consent+to+access+the+app." }
      outlook.js:87:29
          actionConnect https://crm.ayrwellness.com/client/custom/modules/outlook/src/views/inbound-email/panels/outlook.js?r=1739903861:87
          interval https://crm.ayrwellness.com/client/custom/modules/outlook/src/views/inbound-email/panels/outlook.js?r=1739903861:189


      Button I clicked:

      Error Log attached.

      But to sum it up we are asking to have an option to turn off the constant parameter so we can uphold Microsoft Preferred Permission Policy. Please let us know what you find out and if you are able to reproduce this.

      Thank You,

      • victor
        Active Community Member
        • Aug 2022
        • 796

        #5
        From your log:
        HTML Code:
        INFO: Auth: Trying to login as user 'you_email_address.com' by token but token is not found
        - User who is trying to connect to a Personal/Group Email Account or in an External Account must have a valid license in office365.
        - The rest of the settings are described in our documentation: https://docs.espocrm.com/extensions/...-administrator + additionally you can view this post: https://forum.espocrm.com/forum/exte...dule#post87562, where the main errors during connection are discussed. If you have already completed a certain number of steps in these instructions, you can specify which one you encountered an error on.
        - You may also be interested in the discussion How Shared Mailbox in Office 365 integrate with Outlook Integration extension: https://forum.espocrm.com/forum/exte...tion-extension.

        • jeffreysgrossman
          Member
          • Jan 2025
          • 43

          #6
          Hello victor thank you for your info.

          It seems like we are not quite aligning on this. We have tested removing the one line of code in the extension and it works. This is due to our strict Microsoft Policy for Not Allowing our Employees to approve apps themselves. That means that the current code that has the [prompt: 'consent'] is forcing the employee to try and approve the app (EspoCRM) but they are not allowed due to our Strict Microsoft Policy. We are requesting that you understand that when you run your Microsoft Corporation Setup to not allow users to approve apps and instead only have Admins approve all apps, the setting in the EspoCRM Outlook Extension is the problem with that.

          We think this might be a niche situation when an organization has set up their Microsoft Environment to not allow the users to approve apps.

          It seems like you are not acknowledging this part of what we are describing. If I am wrong I am sorry. We can remove the single line of code on our own. We just will need to remember to do it each time there is an upgrade. Not exactly ideal. But not the worst thing in the world.

          Hoping this all makes sense and possibly helps someone else who runs into this issue.

          We have reviewed all the screenshots you have sent over, but none of them seem to help with this issue. Please let us know if we are wrong.


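The authorization request discussed in posts #3 to #6, as an added example that is not part of the thread and not EspoCRM's code: it builds the request with the prompt parameter optional and decodes the console error from post #4. It assumes the Microsoft identity platform v2.0 authorize endpoint; the function names, placeholder tenant/client values and sample scope are constructed for illustration.

```javascript
// Added example, not EspoCRM code. buildAuthorizeUrl and diagnose are hypothetical names.
const ALLOWED_PROMPTS = new Set(['login', 'none', 'consent', 'select_account']);

// Constructed sample values; real ones come from the integration's own settings.
const SAMPLE = {
  tenant: 'TENANT_ID_PLACEHOLDER',
  clientId: 'CLIENT_ID_PLACEHOLDER',
  redirectUri: 'https://crm.example.test/oauth-callback',
  scope: 'offline_access Mail.Read',
};

// Error object copied from the JS console output quoted in post #4.
const THREAD_ERROR = {
  error: 'access_denied',
  error_subcode: 'cancel',
  error_description: 'AADSTS65004%3a+User+declined+to+consent+to+access+the+app.',
};

// prompt = null (default) leaves the parameter out, so consent is requested only when needed.
function buildAuthorizeUrl({ tenant, clientId, redirectUri, scope, prompt = null }) {
  if (prompt !== null && !ALLOWED_PROMPTS.has(prompt)) {
    throw new Error(`unsupported prompt value: ${prompt}`);
  }
  const url = new URL(
    `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/v2.0/authorize`);
  const params = { client_id: clientId, redirect_uri: redirectUri, scope, response_type: 'code' };
  if (prompt !== null) params.prompt = prompt;
  url.search = new URLSearchParams(params).toString();
  return url.toString();
}

// Decode the form-encoded description, pull out the AADSTS code, and report
// whether the request that produced it had forced the consent screen.
function diagnose(errorParams, sentUrl) {
  let description = String(errorParams.error_description || '').replace(/\+/g, ' ');
  try { description = decodeURIComponent(description); } catch (e) { /* keep raw text */ }
  const match = description.match(/AADSTS\d+/);
  const forcedConsent = new URL(sentUrl).searchParams.get('prompt') === 'consent';
  return {
    code: match ? match[0] : null,
    description,
    forcedConsent,
    consentLoopSuspected: errorParams.error === 'access_denied' && forcedConsent,
  };
}

const forcedUrl = buildAuthorizeUrl({ ...SAMPLE, prompt: 'consent' });
console.log(diagnose(THREAD_ERROR, forcedUrl));
console.log(buildAuthorizeUrl(SAMPLE)); // no prompt parameter in the query string
```
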
          • jeffreysgrossman
            Member
            • Jan 2025
            • 43

            #7
            Got news that this will be a feature in the next update to allow for this type of configuration with Microsoft. That is amazing news. Appreciate the assistance very much!!!!


            Feature Being added to update:

            • yuri
              yuri commented
              Thank you.