Troubleshoot: Microsoft permission issues for IT Admins

Correct configuration settings in Microsoft Entra to ensure users are able to grant consent to Fellow.

Written by Amin Mirzaee
Updated over 2 months ago

If you are an IT admin looking to troubleshoot why your users are unable to log into Fellow, you've come to the right place!

Issues Logging into Fellow

The vast majority of issues with users logging into Fellow and granting permissions to sync their calendar from a Microsoft environment stem from configuration issues within Microsoft Entra.

The most common symptom of these configuration issues is your users receiving some kind of error message asking for admin approval. Sometimes they'll have the ability to make an admin consent request, and other times they'll be given no options.

Step 1: Ensure users are able to request consent

Even if users are not able to grant consent by themselves, you want to ensure they have the ability to take advantage of workflows built into Microsoft Entra that allow for users to directly request admin consent. Once this is configured correctly, users will see a "Request Access" button if they are otherwise unable to grant access to the app themselves.

You can find the correct settings in Microsoft Entra by navigating to the following location:

Enterprise applications > Consent and permissions > Admin consent settings

You must ensure that Admin consent requests are enabled. See the below image as a reference.

For more details on how to set up an admin consent workflow, visit this Microsoft help article.

Step 2: Ensure users are able to grant consent by themselves

Microsoft Entra allows you to configure when end users are allowed to grant consent to applications by themselves, and when they require an administrator to grant it. Misconfiguration of these settings is the cause of most issues encountered by organizations using Fellow.

To validate that you have the correct settings specified, navigate to the following location within Microsoft Entra:

Enterprise applications > Consent and permissions > User consent settings

You must ensure that you choose the correct option for your organization. See the below image as a reference.

There are 3 options on this page:

  1. Easiest - Allow user consent for apps
    The easiest option is to Allow user consent for all apps. This option also gives your users the most control but, depending on your organization's policies, carries additional risk. If you are a small organization without stringent compliance requirements, this might be your best bet.

  2. Best for security - Allow user consent for apps from verified publishers, for selected permissions
    This option limits the granting of consent to verified publishers, for a limited set of permissions classified as Low Impact. Fellow Insights Inc is a verified publisher in the Microsoft ecosystem, so that part is fine. Choosing this option, however, requires that you have permission classifications for the different permissions applications may request. For this option to work for your organization, you must manually classify all the permissions that Fellow uses in the Low risk category (see below).

  3. Not recommended - Do not allow user consent
    This simply prohibits users from installing any application. If this option is selected, you must either allow users to request consent (see step 1 above), or you can choose to grant admin consent (see step 3 below).

More details can be found on the Microsoft help center: Configure user consent settings.

Step 2A: Ensuring Fellow's permissions are classified as Low Risk

Note: You only need to do this step if you chose the second option in step 2.

To add the permissions required by Fellow, visit the following location:

Enterprise applications > Consent and permissions > Permission classifications

You must ensure that all the permissions required by Fellow are enabled for your organization. See the below image as a reference (correct permissions circled). For each of the permissions, the "API used" column should read either Fellow.app, or Microsoft Graph.

If you are missing any of the required permissions (offline_access, openid, profile, User.Read, Calendar.ReadWrite), add them by performing the following steps. Note that your users will require additional permissions if you choose to integrate Fellow into Microsoft Teams.

Make sure you're viewing the permissions for the Low tab. Click the Add Permissions button, then select APIs my organization uses. From there, search for Fellow.app (app id f6671df0-1909-428c-91f7-1c42df04d3e4) using the search box provided and select it.

You'll see a list of permissions Fellow has requested within your organization. This list may be different depending on your configuration (e.g. if you have the Teams integration installed). Select all the permissions you see and click Add Permissions.

More details can be found on the Microsoft help center: Configure permission classification.
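The checks in Steps 1, 2 and 2A can also be run against the tenant's policy objects as Microsoft Graph returns them. The following is an added example, not Fellow's or Microsoft's code: it assumes the JSON of `authorizationPolicy`, `adminConsentRequestPolicy` and the combined `delegatedPermissionClassifications` list has already been exported, and the `diagnose` function and the sample data are constructed for illustration.

```python
# Added example: evaluates constructed Graph-style JSON; not Fellow's code.
# Policy IDs as Microsoft Graph reports them in
# authorizationPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned.
PREFIX = "ManagePermissionGrantsForSelf."
ALLOW_ALL = PREFIX + "microsoft-user-default-legacy"   # option 1 on this page
LOW_ONLY = PREFIX + "microsoft-user-default-low"       # option 2 on this page
# Permission names exactly as this page lists them.
REQUIRED = ("offline_access", "openid", "profile", "User.Read", "Calendar.ReadWrite")


def diagnose(auth_policy, request_policy, classifications, required=REQUIRED):
    """Return findings keyed to the page's steps; an empty list means no blocker."""
    findings = []
    if not request_policy.get("isEnabled", False):
        findings.append("step1: admin consent requests are disabled")
    assigned = auth_policy.get("defaultUserRolePermissions", {}).get(
        "permissionGrantPoliciesAssigned", [])
    self_grant = [p for p in assigned if p.startswith(PREFIX)]
    if ALLOW_ALL in self_grant:
        return findings                      # users can consent on their own
    if LOW_ONLY in self_grant:
        low = {c["permissionName"].lower() for c in classifications
               if c.get("classification") == "low"}
        missing = [p for p in required if p.lower() not in low]
        if missing:
            findings.append("step2a: not classified low: " + ", ".join(missing))
    elif self_grant:
        findings.append("step2: custom consent policy, review manually: "
                        + ", ".join(self_grant))
    else:
        findings.append("step2: user consent is disabled")
    return findings


# Constructed sample: option 2 selected, one required permission unclassified.
SAMPLE_AUTH = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [
    "ManagePermissionGrantsForOwnedResource.example-constructed-policy",
    LOW_ONLY]}}
SAMPLE_REQUESTS = {"isEnabled": True}
SAMPLE_CLASSIFIED = [{"permissionName": n, "classification": "low"}
                     for n in ("offline_access", "openid", "profile", "User.Read")]

if __name__ == "__main__":
    for line in diagnose(SAMPLE_AUTH, SAMPLE_REQUESTS, SAMPLE_CLASSIFIED) or ["ok"]:
        print(line)
```

A finding of `step1` together with `step2: user consent is disabled` corresponds to the symptom described above where users see an approval error and are given no options.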

Step 3: Grant consent to your whole company (i.e. tenant)

Note: This step is optional, but makes sense to do if you want to ensure users don't run into permission granting issues.

If Fellow is going to be rolled out across your whole organization, or if you simply want to make sure any user who is invited into your organization's Fellow workspace is able to access it without issue, you can grant admin consent for your whole Microsoft 365 tenant.

To do this, visit the following location:

Enterprise applications > All applications > Fellow.app

Simply hit the Grant admin consent button, which will open a new window asking for the correct permissions to be granted. For this to work correctly, you will need to log in as an Administrator (of your Fellow workspace) in the same browser first.

Review the list of permissions requested and hit Accept. Note that the specific permissions requested for your workspace may be different than what appears below.

If you require additional assistance, please don't hesitate to have your IT administrator reach out to our support team.
