I am creating an n8n workflow, but it's giving the error "Need admin approval". I have set up the permissions:
- ‘openid’,
- ‘offline_access’,
- ‘Contacts.Read’, (The permissions in Entra are additive (higher beats lower, ReadWrite beats Read), so not required; that's what the Entra team said)
- ‘Contacts.ReadWrite’ ,
- 'Calendars.Read ',
- ‘Calendars.Read.Shared’,
- ‘Calendars.ReadWri te’,
- ‘Mail.ReadWrite’,
- ‘Mail.ReadWrite.Shared’,
- ‘Mail.Send’,
- ‘Mail.Send.Shared’,
- ‘MailboxSettings.Read’, (similarly for this)
What's the issue?
The admin has granted access already.
This is usually an Entra consent/app mismatch, not a “more scopes” problem. First check that n8n is using the same Azure app/client ID your admin granted consent to, and that the redirect URI in that app matches the n8n OAuth callback exactly.
Ask the admin to open Enterprise applications → your app → Permissions and confirm those delegated permissions show as granted there. If they do, paste only the exact AADSTS error code from the n8n OAuth popup; that code will separate missing admin consent, user assignment, and redirect/app mismatch without exposing any secret.
Welcome @Mugdha_Asgekar!
One thing worth checking in addition to what @oimrqs_ops mentioned: some scopes in your list require admin consent by default, specifically MailboxSettings.Read and Mail.ReadWrite. Even if the admin thinks they’ve granted everything, Azure sometimes silently fails to grant scopes that need an explicit tenant-wide consent grant. Ask the admin to go to Azure Portal > App registrations > [your app] > API permissions, and check whether each scope shows a green checkmark under “Status” - not just that the scope is listed. If any scope shows “Not granted for [tenant]”, that’s your culprit, and the admin needs to click “Grant admin consent for [tenant]” again from that view.
One thing to check: admin consent is tied to the exact Azure app registration, tenant, and redirect URI that n8n is using, not just the permission list.
If n8n is using a different client ID or tenant from the one your admin approved, Microsoft can still show the admin approval screen. I would also clean the scope list before testing again. There are a couple of suspicious entries in the pasted list, like `Calendars.Read ` with a trailing space and `Calendars.ReadWri te` with a space inside the name.
Try a minimal set first, for example `openid`, `offline_access`, `Mail.ReadWrite`, `Mail.Send`, `Calendars.ReadWrite`, and `Contacts.ReadWrite`, then have the admin grant consent for that same app ID and reconnect the n8n credential from scratch.
If it still appears after that, ask the Entra admin to check the Enterprise Application consent record for the same app/client ID that n8n is actually redirecting through.
I checked: for all permissions, it says status in green (granted).
The n8n Microsoft Outlook node hardcodes Calendars.Read in its OAuth2 authorize request. These scope strings cannot be edited by the user — there is no scope field on the Outlook credential.
In Azure Entra, permissions are additive — when Calendars.ReadWrite is already registered, Azure greys out Calendars.Read and won’t let you add it separately. Same for MailboxSettings.ReadWrite blocking MailboxSettings.Read.
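The checks suggested in the replies above (same tenant, client ID and redirect URI as the approved app, a clean scope list, and requested scopes that match what was granted) can be run against the authorize URL copied from the OAuth popup. This is an added example, not part of the thread and not n8n's or Microsoft's code; the function name, tenant, client IDs, host and scope lists are constructed placeholders.

```javascript
// Added example: compares an authorize URL with what the admin approved.
// Every tenant, client ID and host below is a constructed placeholder.
function auditAuthorizeUrl(authorizeUrl, approved) {
  const url = new URL(authorizeUrl);
  const params = url.searchParams;
  const findings = [];

  // URL shape: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
  const tenant = url.pathname.split("/")[1];
  if (tenant !== approved.tenant) findings.push(`tenant mismatch: ${tenant}`);
  if (params.get("client_id") !== approved.clientId)
    findings.push(`client_id mismatch: ${params.get("client_id")}`);
  if (params.get("redirect_uri") !== approved.redirectUri)
    findings.push(`redirect_uri mismatch: ${params.get("redirect_uri")}`);

  // Scopes are space-separated, so a stray space splits or empties a token.
  const granted = new Set(approved.grantedScopes);
  for (const token of (params.get("scope") || "").split(" ")) {
    if (token === "") findings.push("empty scope token (stray space)");
    else if (!granted.has(token)) findings.push(`scope not in granted list: ${token}`);
  }
  return findings;
}

// What the admin granted, as read from the API permissions view (constructed).
const approved = {
  tenant: "tenant-a",
  clientId: "app-id-approved",
  redirectUri: "https://n8n.example.com/rest/oauth2-credential/callback",
  grantedScopes: ["openid", "offline_access", "Mail.ReadWrite", "Mail.Send",
                  "Calendars.ReadWrite", "Contacts.ReadWrite"],
};

// Builds a constructed authorize URL so the example runs offline.
function buildSampleUrl(clientId, scope) {
  const query = new URLSearchParams({
    client_id: clientId, response_type: "code",
    redirect_uri: approved.redirectUri, scope,
  });
  return `https://login.microsoftonline.com/tenant-a/oauth2/v2.0/authorize?${query.toString()}`;
}

const badUrl = buildSampleUrl("app-id-other",
  "openid offline_access Calendars.Read Calendars.ReadWri te ");
console.log(auditAuthorizeUrl(badUrl, approved));
```

An empty result means the request matches the approved app and scope list exactly; any finding names the value to take back to the Entra admin.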