The “Need admin approval” screen is shown because of Microsoft’s security and consent policies. In many Microsoft 365 tenants, administrators have configured the environment to require admin approval before users can authorize third-party applications. This prevents users from connecting external apps that could access organizational data without oversight.
Whether admin consent is required depends on the permissions (scopes) you request when connecting your Microsoft account to the plugin.
When admin consent is usually not required
Most organizations allow users to connect third-party apps when only limited permissions are requested.
If you select Files.Read (read-only access) when connecting your account, admin consent is usually not required.
Files.Read is the least permissive scope the plugin can request and is accepted by most tenant policies.
In many cases, Files.ReadWrite (OneDrive write access) is also allowed without admin consent, depending on tenant configuration.
If you only need access to OneDrive files and do not need to modify SharePoint sites, you can usually connect the plugin using a non-admin account.
When admin consent is required
Most Microsoft Graph permissions that end with .All require tenant administrator consent. These permissions allow access to data beyond the signed-in user's own and are therefore considered high impact by Microsoft.
Common examples include:
Files.Read.All
Files.ReadWrite.All
Sites.Read.All
Sites.ReadWrite.All
These scopes allow the plugin to access files or SharePoint content that the signed-in user can access across the tenant, which is why admin approval is usually required.
That said, consent policies can vary per organization. Some tenants may allow users to grant certain .All permissions without admin approval, while others may require admin consent even for more limited scopes. This behavior is fully controlled by your Microsoft 365 / Entra tenant configuration.
If you want to avoid admin consent, select the least permissive scope possible when connecting your account, such as Files.Read.
How to grant tenant-wide admin consent
If your setup requires permissions that need admin approval, follow these steps:
Sign out of all Microsoft accounts in your browser to avoid using the wrong account.
Start the account connection again from the plugin dashboard.
Sign in with a Microsoft 365 account that has Global Administrator or Application Administrator permissions.
On the permissions screen, review the requested Microsoft Graph permissions.
Enable the checkbox “Consent on behalf of your organization”.
Click Accept to grant tenant-wide consent.
Microsoft will redirect you back and confirm that consent was granted successfully.
Sign out of the admin account.
In the WordPress plugin, remove the admin account authorization.
Start the connection process again using your normal user account.
After this, the admin approval screen should no longer appear for users in the tenant.
Managing permissions later in Entra
Administrators can further review or restrict permissions at any time:
Open the Entra (Azure AD) admin center.
Go to Enterprise applications and select Share-one-Drive.
Review Permissions and Users & groups.
Modify or remove delegated or admin-granted permissions as needed.
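For administrators who prefer to review grants from an export rather than the portal, the following added example (not code from the plugin or from Microsoft) audits the delegated permission grants recorded for the app. It assumes the input is the JSON body returned by Microsoft Graph's oauth2PermissionGrants listing for the app's service principal; the sample data, all IDs, and the function names audit_grants and is_broad are constructed for illustration.

```python
import json

# Constructed sample: body of Microsoft Graph GET /v1.0/oauth2PermissionGrants
# filtered to the app's service principal. All IDs are placeholders.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "sp-object-id-placeholder",
   "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "graph-sp-placeholder",
   "scope": " Files.Read.All Sites.ReadWrite.All offline_access"},
  {"id": "grant-2", "clientId": "sp-object-id-placeholder",
   "consentType": "Principal", "principalId": "user-a-placeholder",
   "resourceId": "graph-sp-placeholder",
   "scope": "Files.Read"},
  {"id": "grant-3", "clientId": "sp-object-id-placeholder",
   "consentType": "Principal", "principalId": "user-b-placeholder",
   "resourceId": "graph-sp-placeholder",
   "scope": "Files.ReadWrite files.readwrite.all"}
]}
""")


def is_broad(scope: str) -> bool:
    """The page's rule of thumb: Graph scopes ending in .All are high impact."""
    return scope.lower().endswith(".all")


def audit_grants(response: dict) -> list[dict]:
    """Return one finding per delegated grant, most concerning first."""
    findings = []
    for grant in response.get("value", []):
        # 'scope' is a space-separated string and may carry stray whitespace.
        scopes = (grant.get("scope") or "").split()
        # AllPrincipals = consent given on behalf of the organization.
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        findings.append({
            "grant_id": grant.get("id"),
            "tenant_wide": tenant_wide,
            "principal": None if tenant_wide else grant.get("principalId"),
            "broad_scopes": sorted(s for s in scopes if is_broad(s)),
            "other_scopes": sorted(s for s in scopes if not is_broad(s)),
        })
    # Tenant-wide grants with the most .All scopes sort to the top.
    findings.sort(key=lambda f: (not f["tenant_wide"], -len(f["broad_scopes"])))
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_RESPONSE):
        who = "all users" if f["tenant_wide"] else f["principal"]
        print(f"{f['grant_id']}: {who} broad={f['broad_scopes']} other={f['other_scopes']}")
```

A grant with consentType AllPrincipals corresponds to the “Consent on behalf of your organization” checkbox; per-user grants list the individual principal instead.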