Authorization

When you add an Office 365 Mail card to a flow for the first time, you'll be prompted to configure the connection. This helps you to connect your Office 365 Mail account, save your account information, and reuse the connection for future Office 365 Mail flows. Create a connection using an Office 365 Mail admin account or an Office 365 Mail user account. Okta recommend that you use an Office 365 Mail admin account when creating a connection for the first time.

• Create a connection with an Office 365 Mail admin account

• Create a connection with an Office 365 Mail user account

• Prohibit users from creating new connections

• Re-authorize a connection

Create a connection with an Office 365 Mail admin account

1. Click New Connection.

2. Enter a Connection Nickname. This is useful if you plan to create multiple Office 365 Mail connections to share with your team.

3. Click Create.

4. Log in to your Office 365 Mail account to authorize the connection.

5. Select one of the following options:

   1. As an admin you don't want regular users to create connections. Click Accept and make sure that the Consent on behalf of your organization option is not selected.

   2. As an admin you want regular users also able to create connections. Click Accept and make sure that the Consent on behalf of your organization option is selected. All user accounts in your organization can create connections on their own.

Create a connection with an Office 365 Mail user account

1. Click New Connection.

2. Enter a Connection Nickname. This is useful if you plan to create multiple Office 365 Mail connections to share with your team.

3. Click Create.

4. Log in to your Office 365 Mail account to authorize the connection.

5. Select one of the following options:

   1. Can accept the permissions requested directly.By selecting this option, the admin allows regular user consent for this Okta app.

   2. Need admin approval. Contact your admin to grant you access to the application. See Consent for all apps or Grant tenant-wide admin consent

   3. Need to submit an approval request. Enter justification for requesting this app in the space provided. See Enable the admin consent workflow.

6. Click Accept.

Admin app approval

Admins can grant Okta app access to regular user accounts. If an admin forgot to select the Consent on behalf of your organization option and then clicks Accept when configuring a connection, the authorization page might not display using the same admin account. This occurs because the connection was authorized by the Okta app and is remembered by the system.

The following information provides additional ways for an admin to grant Okta app access to regular user accounts.

Consent for all apps

Allow user consent for all apps, or for apps from verified publishers, for selected permissions. Configure permissions as Global Admin only. See Configure how users consent to applications.

1. In the Azure Portal, select Azure Active DirectoryEnterprise applicationsConsent and permissionsUser consent settings.

2. Select one of the following permissions options:

   • Allow user consent for apps. This is a less secure option.

   • Allow user consent for apps from verified publishers. This is a secure option. Configure the following permission as low impact:

   • Mail.ReadWrite
   • Mail.ReadWrite.Shared
   • Mail.Send
   • Mail.Send.Shared
   • offline_access

3. From Enterprise applications go to the Admin consent requests page and review and grant access.

Grant tenant-wide admin consent

You can grant tenant-wide admin consent for an Okta app only if the Okta app is authorized by your admin account, or any other admin accounts. See Grant tenant-wide admin consent to an application.

1. In your Azure Portal, go to Azure Active DirectoryEnterprise applications.

2. Select one of the following Okta apps:

   • Office 365 Mail for Okta Preview

   • Office 365 Mail for Okta Workflows.

3. Select PermissionsGrant admin consent.
   All regular user accounts in your organization have been granted consent to the Okta app.

Enable the admin consent workflow

Enable regular users to request access to applications that require admin consent. Users won't be able to directly create connections until the request is approved by the admin. Configure permissions as Global Admin only. See Configure the admin consent workflow.

1. In your Azure Portal, select Azure Active DirectoryEnterprise applications.

2. Under Manage, select User settings.

3. Under Admin consent requestsUsers can request admin consent to apps they are unable to consent to, select Yes. See Configure the admin consent workflow.

4. From Enterprise applications go to the Admin consent requests page and review and grant access.

Prohibit users from creating new connections

Remove admin consent that was granted previously by deleting the Okta app in Enterprise applications and then re-authorize it. Deleting the app revokes the admin consent tenant-wide. Revoking individual user consent is not allowed.

All existing connections stop working after one hour. For previously configured admin connections that you want to keep active, manually re-authorize them and use the consent process to avoid connection failure.

1. In your Azure Portal, select Azure Active DirectoryEnterprise applications.

2. Select one of the following Okta apps:

   • Office 365 Mail for Okta Preview

   • Office 365 Mail for Okta Workflows

3. Select Delete.

Admin consents previously granted are revoked and regular users won't be able to create new connections until admin consent is granted.

Re-authorize a connection

If you've used your account to create a connection successfully, you can use this account to create multiple connections. If you've already created connections you can re-authorize these connections as long as there are no configuration changes made by the admin.

Related topics

Office 365 Mail connector

Workflow elements

Guidance for Office 365 Mail connector

Microsoft Graph Rest API