"You can't access this application" when authenticating as service account

If the pop up window from Microsoft results in something like "Robin Powered Service needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it" or a status code of AADSTS90094, you may need to update your Office 365 settings to allow non-admins to sign in to apps like Robin.

authorization-admin-error-robin.jpg

Why does this happen?

The most common cause is users not having permission to complete OAuth consent screens for applications, unless they are an admin within your Office 365 tenant. Enterprise apps like Robin use OAuth as a more secure way to authorize scoped access to your Office 365 tenant calendars vs. username and password.

How can I allow the service account to authenticate?

The easiest way to allow your service account to connect is to enable user access to Enterprise apps. From your Office 365 Admin portal, go to Admin Centers > Azure AD > Users and Groups > User Settings then make sure "Users can consent to apps accessing company data on their behalf" is enabled.

enterprise-application-access-enabled.jpg

Do I need to leave this setting enabled for everyone?

Once you enable this setting, you should be able to complete the authentication process with the service account in Robin, and users signing in via Office 365 SSO. If you do not plan on using Office 365 for SSO in Robin, you can disable this setting once the service account is connected successfully.

Pro Tip

Comfortable with advanced configurations in Office 365? You can also create a group policy to override this setting for specific users (i.e. the Robin service account) instead of toggling tenant-wide.

References

Did this article help?