If your organization restricts application consent (common in corporate environments), users will see a message stating 'Approval needed from administrator' when trying to connect Frontline with Microsoft 365. In this case, an administrator must grant tenant-wide admin consent to the application so the integration can function without individual approvals. Note that the application may also be listed as Composio.
Granting tenant-wide consent is a sensitive action: it can enable access to resources for the organization and, by default, allow all users to access the app unless you restrict access with assignment. Therefore, review permissions and document the change.
Steps to Approve the Application
Note: We will use the current Admin Center interface at entra.microsoft.com. Names may vary slightly based on language, licenses, or portal changes, but the base paths remain the same.
Sign in to the Microsoft Entra admin center (entra.microsoft.com) with an account that can grant tenant-wide admin consent.
Go to Entra ID -> Enterprise applications -> All applications.
Search for Frontline or Composio.
Open the application and go to Security -> Permissions.
Carefully review the requested permissions and confirm they fit the expected use.
Select Grant admin consent and confirm the dialog for your tenant.
(Optional) Go to Properties and set Assignment required to Yes; then assign users/groups in Users and groups.
Inform users to try the connection in Frontline again.
Minimum Roles and Permissions
Grant tenant-wide admin consent: Privileged Role Administrator or Cloud Application Administrator.
Enable admin consent requests workflow: Global Administrator.
Review and revoke granted permissions: Cloud Application Administrator or Application Administrator.
View sign-in / audit logs: At least Report Reader.
Post-Installation Checks
Visible granted permissions: In the application (Enterprise applications -> Frontline/Composio -> Permissions), verify that permissions appear as granted.
Successful sign-ins: Check Entra ID -> Monitoring and health -> Sign-in logs and filter by the application to confirm the flow completes without errors.
Functional test from Frontline: A user repeats the connection and confirms the 'Approval needed' message no longer appears.
Troubleshooting
I cannot find Frontline or Composio in Enterprise applications.
This usually happens when the application service principal does not yet exist in the tenant. Start the connection flow from Frontline so the app is provisioned and search again.
The user still sees Approval needed after approval.
Two frequent causes: (1) the app requires Assignment required = Yes and the user is not assigned; or (2) the app has changed permissions and requires new approval.
Security and Governance
Record the change: date/time, who approved, what permissions were granted, and reference the ticket/change.
Periodically review permissions and revoke what is not necessary.
Revocation plan: Revoke app permissions, block sign-ins from Properties, and if necessary, delete the enterprise application.
FAQ
Does approving at the tenant level give access to everyone?
By default, yes, unless you restrict access by requiring assignment.
Can granting consent override previous permissions?
Yes, granting tenant-wide admin consent can revoke previously granted tenant-level permissions for that application.
How do I allow users to request approval from the admin directly from the notice?
Enable the admin consent workflow in Entra and define reviewers.