In the OAuth documentation where it states "Here it is very important to login to the email you are trying to configure in the helpdesk. Once logged in as the system email you are trying to configure, you can opt to Consent on behalf of your organization, and then click Accept."

we have usually granted the helpdesk email we're using temporary global admin so it can accept the permissions. However, when we remove the temporary global admin permissions, our osTicket install will begin to fail retrieving tickets. If we add global admin back, osTicket begins to work again. We can't have global admin on the helpdesk email as it presents a major security hole. Any help would be appreciated.

    UserOST327

    Why would you need to temporarily grant the access...? If it needs approval then have the admin provide consent via Enterprise Applications.

    Cheers.

    "Why would you need to temporarily grant the access...?" When you say grant access, are you referring to giving the helpdesk email global admin permission within Office 365, or are you referring to "consent on behalf of your organization"?

    As I understand it, the option to "consent on behalf of your organization" only appears as an option if the user signing in, in this case the helpdesk email associated with osticket, has admin privileges within o365. So we grant the admin privileges within office 365 temporarily so we can consent to those permissions, but we don't want to leave that o365 account with admin privileges within o365 when all we need it to do is retrieve email for osticket.

      UserOST327

      Just to clarify, you don’t need to consent on behalf of the organization, hence why it says “you can opt to Consent on behalf of your organization”. Simply have the actual admin provide consent via Enterprise Applications.

      Cheers.

      Thank you for pointing that out. We will run through this again with that in mind and see if we have better luck.

        UserOST327

        If that doesn't work then make sure the admin has added the appropriate Graph permissions and that the admin has provided consent for said permissions. Lastly, you may simply need the admin to assign the email user to the application under Enterprise Applications > All Applications > search for and click on the app > Users and groups > Add user/group.

        Cheers.
