Enterprise Admin Pre-Approval
A Microsoft MS365 Administrator with permissions to add and manage enterprise applications and their permissions can pre-approve the Colligo Applications for use inside their enterprise.
This has the added benefit that end users are not required to read and accept permissions themselves, or involve an administrator for each user approval.
The Colligo Applications use Delegated Consent - this means that they can only run as the end user that is actually using the application and cannot bypass or access anything outside this end users purview.
For more information on Microsoft permissions please see: https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview
This behaviour is particularly beneficial if as an enterprise you have used the Microsoft settings to control which enterprise applications users can add and also changed the Microsoft defaults so that end users cannot accept permissions themselves.
There are two suggested methods which can be used for Enterprise pre-approval
- Administrator Login to the Colligo Applications
- Direct URL acceptance of the permissions
Step 1
Colligo Administration Console Permissions
The first step of this process is to ensure that the Colligo Management Console can read your users basic information. This is how we license users and check they have access permissions to the application and to which groups they belong to. These permissions are basic read permission and shown in the pop-up Microsoft dialogue.
As a tenant administrative user with appropriate permissions to approve Enterprise Applications, you can simply try to authenticate to the Colligo Console. This process does not require you to have an o365 license for this user, just that the Microsoft Azure AD user has enough permission as it is the acceptance of the Microsoft permissions pop-up that stores the permissions record in the Microsoft Azure AD Systems (EntraID).
Access the admin console using the link provided by the Colligo team and you will be prompted to allow permission and can then choose to pre-accept on behalf of the organisation as below.
Alternative Approach
If you cannot for some reason log into the Colligo Administration Application, then it is also possible to use the direct permissions URL to trigger the permissions dialogue from Microsoft.
Colligo Admin Console Permissions Dialogue Trigger Link
Step 2
Administrator Login to the Colligo Applications
Each Colligo Application requires it's own set of permissions and is registered in your Tenant Enterprise Applications list directly (can be viewed in your Azure EntraID directory ).
Simplest Method
The simplest method is probably to access the Colligo Applications once they have been 'deployed' to your admin user. On first login to the applications as an admin user, you will be asked to confirm the permissions and you will also be able to 'accept on behalf of your organisation'. This removed the additional consent dialogue pop-up individually by each user.
This method is probably the simplest, but will only work if your tenant admin is licensed for the Microsoft services that it needs in order to use the Colligo Applications. (Exchange/Outlook, Word etc)
Alternative method for non licensed Admins and tenants restricted so end users cannot provide approval.
As a tenant admin with permission to approve application registration, access each of the URLs below for the application you will be using. Each Application will need to be done separately and will create an Enterprise Applications entry in your Entra ID (formerly Azure AD), with the permissions recorded as delegated and approved by the tenant admin.
To be clear, you are approving the application and then giving it permission to access data as the end user themselves. (This is referred to as Delegated permissions by Microsoft).
Application Permission Pre-Configuration Links
Colligo Email Manager (EMO)
Colligo Office Connect (COC)
Colligo Content Manager (CCM)
Colligo Content Manager for Teams (CCM-Teams)
Once the permissions for the applications you are using have been pre-approved, then end users should not be prompted for any further acceptance.