Getting the error below when trying to connect to Outlook, even though the exact same Outlook connection worked a few weeks ago. n8n.cloud is already registered in Microsoft Entra. Permissions were already added in Microsoft Entra: Contacts.Read, Mail.ReadWrite, Mail.Send, Files.ReadWrite, etc.
What is the error message (if any)?
“Need admin approval”
“n8n cloud needs permission to access resources in your organization that only an admin can grant.”
Hi @vabele Welcome!
I Guess the problem is that you have not refreshed your credentials after you have gained Admin access , please consider refreshing your credentials and let us know if the issue persists.
@vabele In your credentials area if you can ‘sign up’ again or just reenter your API-Keys, Auth-Token..etc, Just re enter them and check the connection and then try again.
Revoking your credentials would make this work. Just visit the API area of OutLook and delete existing token and then create another fresh one and everything would work just fine @vabele.
I wasn’t … but it worked before without being one. It’s been a few weeks (since mid-December) … I was off. I have now created a new credential and I’m getting the same error.
@vabele In your the Microsoft Outlook node credential in n8n Cloud click Edit → Reconnect / Refresh OAuth2 complete the Microsoft login with your admin account and save because you are already the tenant admin and n8n.cloud is registered with the right API permissions, simply re‑authorizing the credential updates the stored consent and stops the “Need admin approval” error without any further Entra configuration changes.
@vabele Since you’re already admin and n8n.cloud is registered correctly, ask your tenant’s Global Admin to open the “n8n cloud” enterprise app in Entra → API permissions → click “Grant admin consent for tenant”, then re‑connect the Outlook credential in n8n using that same admin account this will be the last thing we should be checking in credentials, let me know if this works or not.
@vabele
Anshul brought the solutions, I’m describing why.
I researched this and found that the “Need admin approval” error happens because, even though the n8n.cloud app is already registered in Microsoft Entra and has the correct permissions like Mail.ReadWrite and Mail.Send, admin consent has not been granted for the entire tenant. Azure will block the application until a Global Admin clicks “Grant admin consent for tenant” in the app permissions within Entra ID. Without this admin consent, OAuth2 authentication will keep failing with the approval required message, even after recreating credentials or reconnecting in n8n.
Really appreciate the details! The “Grant admin consent for tenant” in the app permissions within Entra ID was already done - the global admin even shared the screen with me. What else can I try in Entra? It was working well a few weeks ago and no change was performed (unless Microsoft changed some defaults in Entra …)
@vabele if that is the case i recommend flagging this as you have already reviewed global permissions and global admin have already checked your cloud instance, reaching out the support team at [email protected] might bring some more clarity.
Hi! Exactly the same situation here, trying to connect an Outlook node via
Microsoft Outlook OAuth2 API, followed the steps from both n8n docs
and the Microsoft docs regarding the granting of admin consent:
Even remade the app with multi-tenant and allowing all tenants, so I will also send an email detailing the error.
Need admin approval
n8n_poc
unverified
n8n_poc needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
I want to inform you that I finally managed to have access and connect the node. Inspect the connection, in the browser (dev tools - network), and you will see the real scope parameters. Mine had a looooooot missing, as my node and application api permissions were built only with reading emails in mind.
So, if anything, at least for me, after adding in the API permissions all the ones that are mentioned in the scope, I was able to connect. (dont forget that after adding the API permissions in Microsoft Entra to ask again your admin to Grant Admin Consent).
