Admin Consent for Advanced API Access

Office 365 Admin Consent for Advanced API access

When setting up an Office 365 (O365) appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. instance, some apps require Okta to have unique access to Office 365 tenants and their usersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control.’ information for a successful sign in to their chicletsThe "buttons" that appear on an end user's Home page and represent each application they wish to access through Okta. Clicking the chiclet allows the end user to instantly sign in and authenticate themselves into their chosen app.. The O365 AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. consent for Advanced API Access feature is an optional setting that allows admins to complete the consent flow with O365, a step required for signing into these special O365 chiclets using OAuth based sign on. 

The following apps require this admin consent for Advanced API access:

  • Yammer
  • CRM
  • Teams
  • Stream
  • Forms  

Grant Admin Consent for the First Time

To allow for API access

  1. From the Administrative Dashboard, click the Applications drop-down menu.
  2. From the Applications page, find your Office 365 instance.
  3. Open the Office 365 instance to view its page. 
  4. Click the Sign On tab. 
  5. Under Settings, click the Edit button, and scroll down to the API Credentials section. 
  6. Click the Allow administrator to consent for Advanced API access check box. 
  7. The Authenticate with Microsoft Office 365 button appears.  

  1. A pop-up browser appears, and requires a Microsoft account credential. Sign in as a Global Administrator for your Microsoft tenant.

Note: Only Global Administrator level admins can grant these permissions.  

  1. Read the instructions listed on the Okta Microsoft Graph ClientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin.  page.

  1. Click the Accept button.   

Note: If the Allow administrator to consent for Advanced API access check box remains checked, but the steps to grant consent from Microsoft are not completed after saving, an error message appears.

If this error message appears, you can either complete the process or uncheck the Allow administrator to consent for Advanced API access check box.  

After initial Granting of Admin Consent

Re-authenticate Admin Consent

Re-authentication is required when a new app link requiring OAuth authentication is checked by the admin on the General tab. When an Office 365 app instance is already in use and access has been granted before, the Allow administrator to consent for Advanced API access check box will be checked, but the button displays as Re-authentication with Microsoft Office 365