Tuesday, March 19, 2024

[RESOLVED] iOS accounts needs permission to access resources in your organization that only an admin can grant

You just try to configure a new iPhone / iPad on your brand new Exchange Online environment (part from Office 365) however during the setup you received the error “IOS accounts needs permission to access resources in your organization that only an admin can grant”

The issue here is caused by the “user and admin consent” (more infos here) and there are three options to solve that.

1.) proceed with the installation on the iOS device. You will be prompted to enter the credentials from an Global administrator. However in an enterprise environment it isn´t that feasible, so head over to solution nr.2

2.) Another option would be to login as Global administrator to the office Admin center, go to Admin Centers -> Azure AD. Inside the Azure AD admin center go to “users and groups” -> “user settings” and you could change the option “Users can consent to apps accessing company data on threi behalf” from NO (default) to YES. However this might limit your security and wouldn´t be that feasible, so head over to solution nr. 3

3.) The best solution when this kind of issue happen is the following:

3a.) Go To Settings on the iPhone from the affected user

3b.) Go to “Accounts & Passwords”

3c.) tab on “Add Account”

3d.) Choose Exchange

3e.) Enter the email address from the affected user

3f.) You will then be redirected to an Microsoft login page where the user should enter a password. On the bottom from that page you have the option to send the URL to a user. Instruct the user to send that URL to one Office 365 administrator. The URL should look like the following:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=f8d98a96-0999-43f5-8af3-69971c7bb423&redirect_uri=com.apple.Preferences://oauth-redirect&scope=EAS.AccessAsUser.All&ui_locales=en-gb&prompt=login&display=ios&login_hint=blocks@contoso.onmicrosoft.com&resource=https://outlook.office365.com

3g.) Once you get the URL, open a browser (and login into the Office Admin Center with an global admin account). Now you need to modify the URL you got.

3h.) Change the section “prompt=login” to “prompt=admin_consent”

3i.) remove the “login_hint=blocks@contoso.onmicrosoft.com&” section

3j.) now copy the modified URL and past it into the browser you have open

3k.) You will now be prompted to accept that


3l.) Once done the browser try to redirect you to the iOS device, however on your PC this will fail, but the needed action is performed.

3m.) Now back to the user, he now can enter his password and the setup will be completed without the error message the user got before.

 

 

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Stay Connected

35FollowersFollow
- Advertisement -

Latest Articles