Syncing your Microsoft mailbox, calendar, or meeting room is possible only when Recruitee has the proper permissions to access data in your Microsoft account. Depending on the settings in your organization, each user will be able to grant access by themselves during the syncing process, or they will need consent from a Microsoft Administrator.
Required permissions
The tables below summarize which permissions should be given to Recruitee so we can sync your emails, events, or rooms. The Recruitee app always accesses the data on behalf of a user (i.e., via delegated access).
Mailbox sync
Permission | Description |
offline_access | Allows the app to see and update the data you gave access to, even when you are not currently using it. |
User.Read | Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information. |
Mail.Send | Allows the app to send emails as you. |
Mail.ReadWrite | Allows the app to read, update, create, and delete emails in your mailbox. It does not include permission to send mail. |
Allows the app to read your primary email address. | |
openid | Allows the app to receive your unique identifier in the form of a sub-claim. The permission also gives the app access to the UserInfo endpoint. The openid scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication. |
Calendar sync
Permission | Description |
offline_access | Allows the app to see and update the data you gave access to, even when you are not currently using it. |
user.read | Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information.
|
calendars.readwrite | Allows the app to read, update, create, and delete events in your calendars.
|
Meeting rooms sync
Permission | Description |
offline_access | Allows the app to see and update the data you gave access to, even when you are not currently using it. |
user.readbasic.all | Allows the app to read a basic set of profile properties of other resources in your organization on your behalf. Includes display name, first and last name, email address, and photo. |
A full description of the permissions can be found in the Microsoft help center: https://learn.microsoft.com/en-us/graph/permissions-reference.
Granting permissions
You can grant Recruitee permission to access your data by various methods. It is up to you which way works best for your organization. The following scenario shows the consent flow for default settings in the Microsoft Entra ID, i.e., when all users in your organization can register new apps and consent for any app to access the organization's data. As indicated by Microsoft, the setting might cause a potential risk in some situations.
⚠️ It is your responsibility to choose settings in Microsoft Entra ID that ensure the security of your organization’s data.
2. You will be redirected to the Microsoft Sign-in page.
3. Provide your credentials and click Sign in.
4. You’ll be asked to accept permissions.
In case you use an Administrator account, you will be able to grant admin consent by checking the Consent on behalf of your organization option
5. Click Accept.
6. You’ll be redirected back to Recruitee to finish your syncing flow
7. The Recruitee enterprise application will be automatically created in your Microsoft Entra ID admin center. In the Permissions tab, you will see which permission the user(s) or admin(s) consented to.
Troubleshooting
If a user in your organization has trouble syncing their resources with Recruitee, their sync is intermittent, or is constantly disconnecting. It could be that your Microsoft Entra ID setup prevents you from granting the application the required permissions or that the permissions have been revoked.
Check and adjust your Microsoft Entra ID settings by following the steps below. If you already have multiple Recruitee enterprise applications registered in your Microsoft Entra ID admin center, remember to review all of them.
⚠️ Before changing anything in your Microsoft Entra ID Admin Center, ensure the new settings meet your organization's security requirements. Review the changes with your Information Security Officer in case of any doubts.
If you haven’t found a solution to your problem, please visit the Microsoft Entra ID help center or contact Microsoft support.
General settings
Verify user consent settings in your tenant
1. Log in to the Microsoft Entra ID Admin Center.
2. Go to Microsoft Entra admin center.
3. Click Identity > Applications > Enterprise applications > Consent and permissions
4. Click User consent settings.
5. Decide by which method applications (including Recruitee) can be granted permission to your organization’s data:
select Allow user consent for apps if you want users to be able to consent for themselves
select Do not allow user consent if you want the process to be controlled by administrators
6. Click Save.
Decide if user assignment should be required
1. Log in to the Microsoft Entra ID Admin Center.
2. Go to Microsoft Entra admin center.
3. Click Identity > Applications
4. Click Enterprise applications
5. Select the Recruitee app.
6. Go to Properties.
Suppose you set the Assignment required option to YES. In that case, you need to specify which users from your organization should be able to sync resources with Recruitee:
1. Go to Users and Groups in the Recruitee enterprise application’s settings.
2. Click Add user/group.
3. Go to the Users or Select a role section.
4. Choose users/roles from the list
5. Click Select.
6. Click Assign.
Users outside the list won’t be able to sync their resources with Recruitee. Change the Assignment required option to NO to allow access for other users in your organization.
Review Policies in your tenant
1. Log in to the Microsoft Entra ID Admin Center.
2. Go to Microsoft Entra ID.
3. Click Enterprise applications in the side menu.
4. Click Conditional Access.
5. Click Policies.
6. Review if any policies prevent granting the required permissions for Recruitee.
When users can grant permissions to apps
Review this section if you’ve selected the Allow user consent for apps option in the User consent settings.
Enable app registration by users
This option allows users to register new applications in your tenant
1. Log in to the Microsoft Entra ID Admin Center.
2. Go to Microsoft Entra admin center > Identity
3. Click Users.
4. Click User settings
5. In the App registrations section, select YES
6. Click Save.
Enable user consent to apps
1. Log in to the Microsoft 365 admin center
2. Go to Settings in the side menu
3. Click Org settings.
4. In the Services tab, click User consent to apps.
5. Select the checkbox.
6. Click Save.
When only an admin can grant permissions to apps
Review this section if you’ve selected the Do not allow user consent option in the User consent settings.
Allow users to ask for an admin’s consent
If your users can’t consent by themselves, they might still be able to ask for an admin’s consent
1. Log in to the Microsoft Entra ID Admin Center.
2. Go to Microsoft Entra admin center > Identity > Applications
3. Click Enterprise applications in the side menu.
4. Click Consent and Permissions.
5. Click Admin consent settings.
6. Set Admin consent requests to YES and select Reviewers if you want your users to be able to request admin consent for apps they cannot consent to by themselves
7. Click Save.
8. Your users will see the Approval required message when syncing resources with Recruitee
9. Reviewers will be able to accept the request in Microsoft Entra ID > Enterprise applications > Access reviews.
If you set the Admin consent requests option to NO, the users will see a Need admin approval error and won’t be able to ask for an admin’s consent.
Grant admin consent on behalf of the organization
1. Log in to the Microsoft Entra ID Admin Center.
2. Go to Microsoft Entra admin center > Identity > Applications
3. Click Enterprise applications in the side menu.
4. Click the Recruitee app.
5. Click Permissions.
6. Click Grant admin consent for {your organization’s name}.
7. Log in with your admin account
8. You’ll be asked to accept the requested permissions.
9. Click Accept.
10. Users won’t be asked for consent when syncing resources with Recruitee.