If the pop up window from Microsoft results in something like "Robin Powered Service needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it" or a status code of
AADSTS90094, you may need to update your Office 365 settings to allow non-admins to sign in to apps like Robin.
Why does this happen?
The most common cause is users not having permission to complete OAuth consent screens for applications, unless they are an admin within your Office 365 tenant. Enterprise apps like Robin use OAuth as a more secure way to authorize scoped access to your Office 365 tenant calendars vs. username and password. You can learn more about service principals and enterprise app permissions in our companion article.
How can I allow the service account to authenticate?
The easiest way to allow your service account to connect is to enable user access to Enterprise apps. From your Office 365 Admin portal, go to Admin Centers > Azure AD > Users and Groups > User Settings then make sure "Users can consent to apps accessing company data on their behalf" is enabled.
Do I need to leave this setting enabled for everyone?
Once you enable this setting, you should be able to complete the authentication process with the service account in Robin, and users signing in via Office 365 SSO. If you do not plan on using Office 365 for SSO in Robin, you can disable this setting once the service account is connected successfully.
Comfortable with advanced configurations in Office 365? You can also create a group policy to override this setting for specific users (i.e. the Robin service account) instead of toggling tenant-wide.
- How to assign users and groups to an application (Microsoft Azure)
- Apps, permissions, and consent in Azure Active Directory (Microsoft Azure)
- Assign a user or group to an enterprise app in Azure Active Directory (Microsoft)