When you would like to use “OneNote Web Clipper”, a very useful Microsoft Edge extension, in your company environment in combination with O365 Integrated Apps disabled, then you will face the problem, that just Global Admins can use it. This is because the application requires consent to access user data per user. And if you do not provide this right to you users, then they are not allowed to use the application.
Prerequisites
- Integrated Apps are disabled
So, if you have enabled the following Setting “When Integrated Apps is turned on, users in your organization can allow third-party apps to access their Office 365 information. “, then you should not have the described problem.
-
The users receive the following error message:
“OneNote Web Clipper needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.”
Solution
I searched a while and found a solution myself because most of the forum feedbacks where more ore less useless or just suggested to turn Integrated Apps on. Here is a Step-By-Step guide to do it in your environment:
 |
The configuration starts by installing the web clipper on the first device. |
 |
After the Installation was done, you will get the following popup in Edge. Just click on turn it on |
 |
Then the extension is active and you can login with your work or school account. |
 |
This will open the following URL in a new window:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9322f837-c8f8-4796-9aef-1677748fe553&redirect_uri=https%3a%2f%2fwww.onenote.com%2fwebclipper%2fauth&response_type=code&msafed=0&prompt=login&response_mode=query&state=e2b8b711-c65b-e0ff-9de7-ae1f00be557a&sso_nonce=AQABAAAAAABHh4kmS_aKT5XrjzxRAtHz_jeFLPNywiXj13kkQ-FCkAS_JMGyQfjlqrFwAX_QS2d6MmtszNCQEalGkgcoxd45zA4kNVGt-XM9egZ98b_fPyAA&client-request-id=db487341-e220-46bb-9212-416ba8b1e132&mscrid=db487341-e220-46bb-9212-416ba8b1e132
The main issue happens here, it does not request admin consent, just user consent. |
 |
You can do that by just copying the URL which is generated in your environment from the popup and change the parameter “prompt=login” to “prompt=admin_consent”:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9322f837-c8f8-4796-9aef-1677748fe553&redirect_uri=https%3a%2f%2fwww.onenote.com%2fwebclipper%2fauth&response_type=code&msafed=0&prompt=admin_consent&response_mode=query&state=e2b8b711-c65b-e0ff-9de7-ae1f00be557a&sso_nonce=AQABAAAAAABHh4kmS_aKT5XrjzxRAtHz_jeFLPNywiXj13kkQ-FCkAS_JMGyQfjlqrFwAX_QS2d6MmtszNCQEalGkgcoxd45zA4kNVGt-XM9egZ98b_fPyAA&client-request-id=db487341-e220-46bb-9212-416ba8b1e132&mscrid=db487341-e220-46bb-9212-416ba8b1e132
or you can just use this generic one:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=9322f837-c8f8-4796-9aef-1677748fe553&redirect_uri=https%3a%2f%2fwww.onenote.com%2fwebclipper%2fauth&prompt=admin_consent
With that you grant all the consent which is needed for all users in your organization. Because it contains access to various data location, you should think twice before doing it. |
 |
After that you can verify in Azure AD that the permission is granted for all users. For this you must navigate to the enterprise application list in Azure AD and search for the OneNote Web Clipper app. |
 |
Then you will se the detailed permissions in the permission blade. |
I hope this will help others in the same situation as I was. Have a nice day …
- Microsoft Sentinel ASIM Parser demystified - March 31, 2024
- Enhancing Network Security Insights with IDS/IPS of Ubiquiti Dream Machine Pro and Microsoft Sentinel - March 10, 2024
- Ubiquiti Dream Machine Pro Logs to Microsoft Sentinel - February 6, 2024
0 Comments