OneNote Web Clipper requires Admin Consent in Azure AD – No user can use it

If you want to use “OneNote Web Clipper”, a very useful Microsoft Edge extension, in a company environment where O365 Integrated Apps is disabled, you will run into the problem that only Global Admins can use it. This is because the application requires consent to access user data for each user. If you do not give your users the right to grant that consent, they are not allowed to use the application.

Prerequisites

  • Integrated Apps is disabled
    If you have enabled the setting “When Integrated Apps is turned on, users in your organization can allow third-party apps to access their Office 365 information.”, you should not have the described problem.
  • The users receive the following error message:

    “OneNote Web Clipper needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.”

Solution

I searched for a while and found a solution myself because most of the forum feedback was more or less useless or just suggested turning Integrated Apps on. Here is a step-by-step guide to do it in your environment:

The configuration starts by installing the Web Clipper on the first device.
After the installation is done, you will get the following popup in Edge. Just click on “Turn it on”.
The extension is then active and you can log in with your work or school account.
This will open the following URL in a new window:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=9322f837-c8f8-4796-9aef-1677748fe553&redirect_uri=https%3a%2f%2fwww.onenote.com%2fwebclipper%2fauth&response_type=code&msafed=0&prompt=login&response_mode=query&state=e2b8b711-c65b-e0ff-9de7-ae1f00be557a&sso_nonce=AQABAAAAAABHh4kmS_aKT5XrjzxRAtHz_jeFLPNywiXj13kkQ-FCkAS_JMGyQfjlqrFwAX_QS2d6MmtszNCQEalGkgcoxd45zA4kNVGt-XM9egZ98b_fPyAA&client-request-id=db487341-e220-46bb-9212-416ba8b1e132&mscrid=db487341-e220-46bb-9212-416ba8b1e132

The main issue occurs here: the request asks only for user consent, not for admin consent.

To request admin consent instead, copy the URL generated in your environment from the popup and change the parameter “prompt=login” to “prompt=admin_consent”:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=9322f837-c8f8-4796-9aef-1677748fe553&redirect_uri=https%3a%2f%2fwww.onenote.com%2fwebclipper%2fauth&response_type=code&msafed=0&prompt=admin_consent&response_mode=query&state=e2b8b711-c65b-e0ff-9de7-ae1f00be557a&sso_nonce=AQABAAAAAABHh4kmS_aKT5XrjzxRAtHz_jeFLPNywiXj13kkQ-FCkAS_JMGyQfjlqrFwAX_QS2d6MmtszNCQEalGkgcoxd45zA4kNVGt-XM9egZ98b_fPyAA&client-request-id=db487341-e220-46bb-9212-416ba8b1e132&mscrid=db487341-e220-46bb-9212-416ba8b1e132

Alternatively, you can use this generic one:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=9322f837-c8f8-4796-9aef-1677748fe553&redirect_uri=https%3a%2f%2fwww.onenote.com%2fwebclipper%2fauth&prompt=admin_consent

With that you grant all the consent the app needs on behalf of all users in your organization. Because it includes access to various data locations, you should think twice before doing it.
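As an added example (not part of the original post), this Python helper performs the rewrite described above on a captured sign-in URL. It first checks that the URL targets the endpoint, client_id and redirect_uri shown on this page, then drops the per-session parameters. The function name and the sample state and nonce values are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Expected values, taken from the URLs shown on this page.
EXPECTED_HOST = "login.microsoftonline.com"
EXPECTED_PATH = "/common/oauth2/authorize"
EXPECTED_CLIENT_ID = "9322f837-c8f8-4796-9aef-1677748fe553"
EXPECTED_REDIRECT = "https://www.onenote.com/webclipper/auth"

# Parameters kept in the page's generic URL; the rest are per-session values.
KEEP = ("response_type", "client_id", "redirect_uri")

# Constructed sample: same shape as the captured URL, placeholder state/nonce.
SAMPLE = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=9322f837-c8f8-4796-9aef-1677748fe553"
    "&redirect_uri=https%3a%2f%2fwww.onenote.com%2fwebclipper%2fauth"
    "&response_type=code&msafed=0&prompt=login&response_mode=query"
    "&state=CONSTRUCTED-STATE&sso_nonce=CONSTRUCTED-NONCE"
)


def to_admin_consent_url(captured: str) -> str:
    """Validate a captured sign-in URL and return its admin-consent variant."""
    parts = urlsplit(captured.strip())
    # Exact netloc match rejects lookalike hosts, ports and user@host tricks.
    if parts.scheme != "https" or parts.netloc.lower() != EXPECTED_HOST:
        raise ValueError("not an HTTPS URL on login.microsoftonline.com")
    if parts.path != EXPECTED_PATH:
        raise ValueError("unexpected authorize path")
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        raise ValueError("duplicate query parameter, refusing ambiguous URL")
    params = dict(pairs)
    # Consent is granted to whatever app and reply URL the link names.
    if params.get("client_id") != EXPECTED_CLIENT_ID:
        raise ValueError("client_id is not the OneNote Web Clipper app")
    if params.get("redirect_uri") != EXPECTED_REDIRECT:
        raise ValueError("redirect_uri is not the expected onenote.com URL")
    if params.get("response_type") != "code":
        raise ValueError("unexpected response_type")
    query = [(k, params[k]) for k in KEEP] + [("prompt", "admin_consent")]
    return urlunsplit(("https", EXPECTED_HOST, EXPECTED_PATH,
                       urlencode(query), ""))


if __name__ == "__main__":
    print(to_admin_consent_url(SAMPLE))
```

The output is equivalent to the generic URL above; only the case of the percent-encoding in redirect_uri differs.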

After that you can verify in Azure AD that the permission is granted for all users. To do so, navigate to the enterprise application list in Azure AD and search for the OneNote Web Clipper app.
Then you will see the detailed permissions in the Permissions blade.

I hope this will help others in the same situation as I was. Have a nice day …

Thomas Kurth
Principal Workplace Consultant at baseVISION AG
I’ve been a consultant, trainer and architect for workplace management and enterprise mobility projects with Microsoft technologies for the past eight years. I love to push and design the modern workplace based on Windows 10, EM&S and O365 for my customers, which is the only answer to the current security threats, the agile world and the fast-changing business requirements of my customers. It is important to me to simplify and automate the operational processes, because that is where the highest costs are.