If you try to connect or re-authenticate your Microsoft 365 / Outlook email in ClientSuccess and Microsoft blocks it with "Need admin approval" or "Approval required," your organization requires an administrator to grant consent for the permissions ClientSuccess requests — and the connection won't complete until the full set of permissions is approved.
Symptoms
A Microsoft sign-in screen says "Need admin approval," "Approval required," or "AADSTS65001 / consent required."
Email stops syncing into the Engagement module and won't reconnect.
Your IT team granted admin consent, but ClientSuccess still shows the connection as disconnected or unauthorized.
Cause
ClientSuccess connects to Microsoft 365 over OAuth and requests these permission scopes:
User.Read
offline_access
Mail.Read
Mail.Send
Calendars.Read (only if you also connect calendar)
Many Microsoft tenants have admin consent required turned on, so a regular user can't approve these — a Microsoft 365 / Entra ID (Azure AD) admin must. The most common reason consent "doesn't take" is that the enterprise application's granted permissions are missing one or more scopes (often offline_access or User.Read). Without offline_access in particular, the connection can't refresh its token and will keep dropping even after a one-time approval.
Solution
Option 1 — Grant admin consent for the full permission set (most common fix)
Have a Microsoft 365 Global Administrator sign in to the Microsoft Entra admin center → Identity → Applications → Enterprise applications.
Find the ClientSuccess application and open Permissions.
Confirm all of these are listed and granted:
User.Read, offline_access, Mail.Read, Mail.Send (and Calendars.Read if using calendar).
If any are missing, click Grant admin consent for [your org] to approve the complete set.
Back in ClientSuccess, go to My Settings → Email Integration and reconnect. Complete the Microsoft consent prompt when it appears.
Tip: If your admin already approved consent but the enterprise app shows only a partial scope list (e.g. Mail.Read, Mail.Send, Calendars.Read but not offline_access/User.Read), that partial grant is the problem. Re-run Grant admin consent so the full list is approved.
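An admin who prefers to check the grant outside the portal can audit it from exported data. The following is an added example, not ClientSuccess or Microsoft code: it assumes the delegated grants for the ClientSuccess enterprise app were exported as JSON in the shape Microsoft Graph returns for oauth2PermissionGrants (consentType, principalId, scope), and that all of them target Microsoft Graph. The sample data, IDs and function name are constructed.

```python
# Added example: detect the partial-consent condition described above.
# Input shape assumed: Microsoft Graph oauth2PermissionGrant objects.
REQUIRED = {"User.Read", "offline_access", "Mail.Read", "Mail.Send"}
CALENDAR = {"Calendars.Read"}  # only needed when calendar is connected

def missing_scopes(grants, user_id=None, calendar=False):
    """Return the required scopes that are not granted.

    Counts tenant-wide admin consent (consentType == "AllPrincipals") and,
    when user_id is given, that user's own grant (consentType == "Principal").
    Another user's individual consent never counts.
    """
    required = REQUIRED | (CALENDAR if calendar else set())
    granted = set()
    for g in grants:
        tenant_wide = g.get("consentType") == "AllPrincipals"
        own = (user_id is not None
               and g.get("consentType") == "Principal"
               and g.get("principalId") == user_id)
        if tenant_wide or own:
            # "scope" is a space-separated string and may carry stray spaces
            granted.update(s.lower() for s in (g.get("scope") or "").split())
    return sorted(s for s in required if s.lower() not in granted)

# Constructed sample: admin consent was granted, but only for a partial list.
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.Read Mail.Send Calendars.Read"},
    {"consentType": "Principal", "principalId": "user-a",
     "scope": " User.Read offline_access"},
]

if __name__ == "__main__":
    gaps = missing_scopes(SAMPLE_GRANTS, calendar=True)
    if gaps:
        print("Admin consent is partial; missing:", ", ".join(gaps))
    else:
        print("Full scope set is granted tenant-wide.")
```

With the sample above, the tenant-wide grant lacks User.Read and offline_access, which matches the partial-grant case in the tip: only user-a, who consented individually, would have the full set.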
Option 2 — Fully reset the connection after consent is granted
If admin consent is in place but it still blocks, ClientSuccess may be reusing an old cached session.
In ClientSuccess, go to My Settings → Email Integration and click Disconnect.
Sign out of Microsoft 365 in that browser (or use a fresh/incognito window).
Return to My Settings → Email Integration and click Connect, then complete the consent flow.
Multi-factor authentication (MFA) and Conditional Access
If your organization enforces MFA or Conditional Access, complete the MFA challenge during the connect flow. If a Conditional Access policy blocks third-party app sign-ins, your admin may need to allow the ClientSuccess enterprise app. This is configured by your Microsoft admin, not within ClientSuccess.
Verify it worked
The Email Integration screen shows your account as Connected.
A test email to/from a customer appears in that customer's Engagement timeline within the normal sync window.
Prevention
Have an admin grant consent for the full scope list at initial setup, not just Mail.Read/Mail.Send.
After a Microsoft password reset or security policy change, reconnect under My Settings → Email Integration — token changes can drop the connection.
Related articles
Connecting an Office 365 or Outlook Account
Updating your Microsoft 365 Integration Credentials
Fix: Microsoft 365 / Outlook email stopped syncing — re-authenticate your ClientSuccess connection
Troubleshooting Missing Emails
Email Integration FAQs