elvex connects to Outlook, OneDrive, and SharePoint through Paragon, which registers an enterprise application named elvex in your Microsoft Entra (Azure AD) tenant. Before your users can connect these integrations, an admin needs to configure a few settings in Entra. If any of these are missing, users will see a "Need admin approval" screen, even if consent has already been granted.
Looking for Microsoft Teams setup? See Installing the Microsoft Teams App.
Who this is for: Microsoft Entra administrators with a Global Administrator, Application Administrator, or Cloud Application Administrator role.
Before You Begin
A Global Administrator role is required for Steps 1 and 4.
Confirm your firewall or security tooling does not block passport.useparagon.com. This is the OAuth redirect host for elvex's Microsoft integrations.
Step 1: Grant Tenant-Wide Admin Consent
Sign in to the Microsoft Entra admin center as a Global Administrator.
Navigate to Identity → Applications → Enterprise applications.
Search for and select elvex. If it doesn't appear, have any user attempt to connect a Microsoft integration in elvex once to create the registration, then return here.
In the left sidebar, click Permissions.
Click Grant admin consent for [your organization].
Sign in again when prompted and click Accept.
You should now see all delegated permissions listed under the Admin consent tab with your organization name in the "Granted by" column.
Step 2: Configure User Assignment
In the elvex enterprise app, click Properties in the left sidebar.
Set Assignment required? based on your preference:
No (recommended): any user in your tenant can connect elvex.
Yes: only users explicitly assigned can connect. Click Users and groups in the sidebar and add a security group containing all elvex users.
Click Save.
Step 3: Check Conditional Access Policies
Conditional Access can silently block elvex's OAuth flow even after admin consent is granted, and the user sees the same "Need admin approval" screen either way.
Navigate to Microsoft Entra → Protection → Conditional Access → Policies.
Find any policy with Cloud apps set to Office 365, Microsoft Graph, or All cloud apps and State set to On.
For each such policy, check the Assignments → Users condition and confirm all elvex users are included, either directly or as direct members of an included group (nested group membership does not count).
Step 4: Set User Consent Policy
Navigate to Enterprise applications → Consent and permissions → User consent settings.
Select Allow user consent for apps from verified publishers, for selected permissions.
Click Save.
Note: This change can take a few minutes to propagate. If a user retries immediately and still fails, have them try in an incognito window before assuming the setting didn't take effect.
Step 5 (Optional): Enable Admin Consent Workflow
If you need a more restrictive consent policy, you can let users request admin approval rather than hitting a dead-end error screen.
Navigate to Enterprise applications → Consent and permissions → Admin consent settings.
Set Users can request admin consent to apps they are unable to consent to to Yes.
Add reviewers and configure notifications as needed.
Click Save.
Step 6: Verify M365 License Assignment
Confirm each user has the license for the integration they want to connect:
| Integration | Required license |
| --- | --- |
| Outlook | Exchange Online |
| OneDrive | OneDrive for Business / SharePoint Online |
| SharePoint | SharePoint Online |
Onboarding New Users
Before a new user tries to connect, confirm:
They have an active Microsoft 365 account and the required license(s).
If "Assignment required" is Yes: they are a direct member of the assigned group.
They are included in any Conditional Access policy scoped to Microsoft Graph or Office 365.
They have access to elvex (they appear in your elvex company's user list).
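The settings from Steps 1 and 2 and the direct-membership item in the checklist above can be read back from the tenant with the Microsoft Graph PowerShell SDK. This is an added example, not elvex or Microsoft code; it assumes the Microsoft.Graph module is installed, and the user principal name is a constructed placeholder.

```powershell
# Added example: read-only checks against the tenant.
$AppName = 'elvex'                           # enterprise app name from this page
$Upns    = @('new.user@contoso.example')     # constructed placeholder users

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'")
if ($sp.Count -ne 1) { throw "Expected one '$AppName' enterprise app, found $($sp.Count)." }
$sp = $sp[0]

# Step 1: tenant-wide admin consent is a grant with ConsentType 'AllPrincipals'.
$tenantWide = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' }
if ($tenantWide) {
    "Admin consent scopes: $(($tenantWide.Scope -join ' ').Trim())"
} else {
    Write-Warning 'No tenant-wide admin consent found (Step 1).'
}

# Step 2: the "Assignment required?" toggle.
"Assignment required: $($sp.AppRoleAssignmentRequired)"

if ($sp.AppRoleAssignmentRequired) {
    # Principals assigned directly, plus DIRECT members of assigned groups.
    $allowed = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All) {
        if ($a.PrincipalType -eq 'Group') {
            # Get-MgGroupMember returns direct members only; nested groups are not expanded.
            Get-MgGroupMember -GroupId $a.PrincipalId -All |
                ForEach-Object { [void]$allowed.Add($_.Id) }
        } else {
            [void]$allowed.Add($a.PrincipalId)
        }
    }
    foreach ($upn in $Upns) {
        $user = Get-MgUser -UserId $upn
        [pscustomobject]@{ User = $upn; AssignedToApp = $allowed.Contains($user.Id) }
    }
}
```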
Troubleshooting
The fastest way to diagnose a failed connection is Entra sign-in logs:
Navigate to Microsoft Entra → Monitoring → Sign-in logs.
Filter by the affected user and find the failed sign-in to the elvex application.
Read the Failure reason field.
| Error code | Cause | Fix |
| --- | --- | --- |
|  | User not in assigned group | Add user to the group, or set "Assignment required" to No |
|  | Admin consent missing | Re-run Step 1 |
|  | User consent policy too restrictive | Re-run Step 4 |
|  | Conditional Access blocked the sign-in | Add user to the group the CA policy requires (Step 3) |
|  | elvex enterprise app not yet created in tenant | Have a user attempt a connection in elvex, then re-run Step 1 |
|  | App ID mismatch | Contact elvex support |
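The same sign-in log lookup can be scripted, which also separates a Conditional Access block from a consent failure even though the user sees the same screen for both. This is an added example, not elvex or Microsoft code; it assumes the Microsoft.Graph PowerShell module is installed, and the user principal name is a constructed placeholder.

```powershell
# Added example: list failed sign-ins to the elvex app for one user.
$AppName = 'elvex'                           # enterprise app name from this page
$Upn     = 'affected.user@contoso.example'   # constructed placeholder

# Policy.Read.All is requested so applied Conditional Access policies are populated.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All'

$filter  = "appDisplayName eq '$AppName' and userPrincipalName eq '$Upn'"
$signIns = Get-MgAuditLogSignIn -Filter $filter -Top 50

$signIns | Where-Object { $_.Status.ErrorCode -ne 0 } | ForEach-Object {
    # Names of CA policies whose result was 'failure' for this sign-in (Step 3).
    $blocking = $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq 'failure' } |
        ForEach-Object DisplayName
    [pscustomobject]@{
        Time          = $_.CreatedDateTime
        ErrorCode     = $_.Status.ErrorCode
        FailureReason = $_.Status.FailureReason
        CAStatus      = $_.ConditionalAccessStatus
        BlockingCA    = $blocking -join '; '
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```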
When a single user can't connect but others can:
Check sign-in logs for the failure reason.
Compare the user's group membership side-by-side with a user who can connect. Add them to any group they're missing.
Have them retry in an incognito window to rule out cached consent state.
When the whole tenant can't connect:
Confirm admin consent has been granted and the date on elvex → Permissions is recent.
Confirm user consent is set to at least "Allow user consent for apps from verified publishers."
Confirm passport.useparagon.com is not blocked by a firewall or security product.
