When you try to connect your calendar or email to Garba, Microsoft may show a dialog saying "Need admin approval" instead of letting you continue. This is not a problem with your Garba account — your organization's Microsoft 365 settings require an IT administrator to approve new applications before employees can use them. The fastest fix is a one-time approval link, described below. Send this article to your IT administrator.
You need a Microsoft Entra ID role that can grant tenant-wide consent, for example Global Administrator or Cloud Application Administrator. Click the link that matches what your team will use, sign in with your admin account, review the permissions, and click Accept. This grants the approval for your whole organization in one step — each employee still has to connect their own account afterwards.
Calendar and email (recommended): Approve calendar and email access
Calendar only: Approve calendar access
Email only: Approve email access
All links lead to login.microsoftonline.com — Microsoft's official sign-in service. The application shown on the consent screen is Garba, with application (client) ID 7464a501-c08d-4606-a87a-c1cc98cb9434.
openid, profile, email, offline_access — standard sign-in permissions. They let Garba identify the user and keep the connection active without asking them to sign in again every day.
Calendars.Read — read-only access to the user's calendar, so Garba can show upcoming meetings and let the user invite the Garba notetaker to them. Garba never creates, changes, or deletes calendar events.
Mail.Read — read access to the user's email, used to give Garba's AI context about ongoing customer conversations.
Mail.Send — lets a user send an email from within Garba (for example a follow-up they drafted with Garba's AI) from their own address. Emails are only sent when the user explicitly chooses to send them.
All of these are delegated permissions: approving them does not give Garba access to anyone's data by itself. Garba can only access the calendar or mailbox of employees who personally connect their account inside Garba, and each employee can disconnect at any time.
Sign-in via Entra ID (OAuth 2.0 / OIDC) — users authenticate against your own tenant using the authorization code flow with refresh tokens (offline_access). Garba never handles user credentials, and your Conditional Access policies apply fully since everything goes through standard OIDC against your tenant.
Delegated permissions only — never application permissions — every permission applies in the context of the signed-in user. No app roles or service principals with tenant-wide data access are created.
Calendar access is strictly read-only — the only calendar scope is Calendars.Read. Garba has no Calendars.ReadWrite or any other write permission, so the integration is technically incapable of creating, modifying, or deleting calendar events. From the calendar, Garba reads meeting metadata — title, time, participants, and meeting link — to determine which meetings the notetaker should join.
Email access is separate and opt-in — the calendar connection grants no mail access. Mail.Read and Mail.Send are only requested when a user connects the email feature.
Fully revocable — each user can disconnect in Garba at any time, and you can revoke access centrally in Microsoft Entra.
Summary for IT:
Property | Value |
Permission type | Delegated (per user) |
Calendar scope | Calendars.Read (read-only) |
Email scopes | Mail.Read, Mail.Send (only if email is used) |
Tenant-wide data access | No |
Calendar write permission | None |
Revocable | Yes — by the user in Garba or centrally in Entra |
Each user goes back to Garba and opens the calendar (or email) connection step again — either from onboarding or from User Settings → Integrations.
They click Connect and sign in with their Microsoft account.
The connection now completes immediately — no approval dialog.
If a user still sees "Need admin approval" after the admin has accepted, ask them to sign out of Garba and try again, and double-check that the approval was granted in the same Microsoft 365 tenant the user signs in with. Still stuck? Contact us through the chat bubble in Garba and we'll help out.
