
Grant Consent for Office 365 Integration with Jiminny

Written by James Graham
Updated over a week ago

Audience: Microsoft Entra ID / Azure administrators

Time required: 5–10 minutes

Overview

Jiminny is registered as a multi-tenant application in Microsoft Entra ID. To integrate it with your organization's Office 365 environment, an Entra ID administrator must grant tenant-wide admin consent. This creates a service principal for Jiminny in your Entra ID tenant, which represents the application locally and controls which delegated permissions it can use on behalf of your users.

This guide walks you through that consent process and explains the permissions involved.


Before You Begin

To complete this setup, you'll need:

  • A Microsoft Entra ID administrator account with one of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator. Any of these roles can grant tenant-wide admin consent for Jiminny because it uses only delegated permissions (not application permissions). Global Administrator is the most common role used for this step.

  • An active Microsoft 365 / Office 365 subscription for your organization

  • A Jiminny account that has already been provisioned. Contact your Jiminny Account Manager if you're unsure.

Tip: Not sure which Entra role you have? In the Microsoft Entra admin center, go to Users > Your profile > Assigned roles.


Which Consent Method Should You Use?

Jiminny supports two consent flows, which map to standard Entra ID consent patterns:

| | Pre-authorization (Recommended) | User Consent |
| --- | --- | --- |
| Entra ID concept | Tenant-wide admin consent | Admin consent workflow (per-user approval) |
| Best for | Most organizations | Organizations with strict app-approval policies |
| How it works | An administrator (Global Admin, Cloud Application Admin, or Application Admin) grants consent once, on behalf of all (or selected) users. This creates the Jiminny service principal in your tenant with all required delegated permissions pre-approved. | Each user requests access individually; an administrator reviews and approves each request via the Entra admin consent workflow. |
| User experience | Seamless - users are never prompted for consent | Users see an "approval required" screen and must wait for admin approval |
| Ongoing admin effort | Low - one-time setup | Higher - admin must review and approve each request |
| Requires Jiminny support? | No | Yes - contact support to enable this mode |

We recommend Pre-authorization for most organizations. It's faster to set up and provides a smoother experience for your team.


Option 1: Pre-authorization (Recommended)

With pre-authorization, you grant tenant-wide admin consent by clicking a consent link. Each link triggers the standard Microsoft Entra admin consent flow, which:

  1. Creates a service principal for Jiminny in your tenant (if one doesn't already exist)

  2. Grants the specified delegated permissions on behalf of all users in your organization

  3. Stores the consent grant on the service principal so users are never individually prompted

Step 1: Choose which consent links to use

Click the links below that match the Jiminny features your organization uses. You must be signed in as a Global Administrator, Cloud Application Administrator, or Application Administrator when clicking these links. Each link requests a different set of Microsoft Graph API delegated scopes (see the Permissions section below for details).

| Consent link | Scopes granted | When to use it |
| --- | --- | --- |
| | Authentication scopes only | Only if Jiminny is configured to not use Notetaker |
| | + Calendars.ReadWrite, OnlineMeetings.ReadWrite | If using Calendar Sync / Auto Notetaker (most common) |
| | + Mail.Read | If using Email Sync |
| | + Teams scopes | If using Teams notifications and sharing |
| | All Jiminny scopes | Enable all features at once (recommended) |

Not sure which to pick? Use "Grant access to all recommended resources", which covers all current Jiminny features and is the simplest option. You can review the specific permissions each scope grants in the Permissions section below.

Step 2: Confirm consent

After clicking a link, Microsoft will show the standard Entra admin consent prompt listing the delegated permissions Jiminny is requesting. Review the permissions and click Accept.

Behind the scenes, this creates (or updates) the Jiminny service principal in your tenant with the consented permissions. On success, you'll be redirected to the Jiminny application. Your users can now sign in without being prompted for additional consent.

Step 3 (Optional): Restrict access to specific users or groups

By default, tenant-wide admin consent allows all users in your tenant to use the Jiminny application. If you'd like to restrict access to specific people or groups, you can enable user assignment on the Jiminny service principal:

  1. Navigate to Identity > Applications > Enterprise applications

  2. Search for and select Jiminny from the application list

  3. In the left sidebar, select Properties, and set Assignment required? to Yes (this ensures only explicitly assigned users can access the app)

  4. Go to Users and groups in the left sidebar

  5. Click Add user/group

  6. Select the users or Entra ID security groups you want to grant access to, then click Assign

Note: The Jiminny service principal only appears in your Enterprise applications list after the first consent is granted (Step 1). If you don't see it, complete Step 1 first.


Option 2: User Consent (Ad-hoc Approval)

Use this method if your organization's Entra ID consent settings are configured to require admin approval for third-party applications (i.e., you've disabled user consent or configured the admin consent workflow).

With this flow, the Jiminny service principal is created in your tenant when the first user requests consent, but delegated permissions are not granted until an administrator explicitly approves each request.

Step 1: Contact Jiminny support

Email your Jiminny Account Manager or contact support to request that User Consent mode is enabled for your Jiminny instance. This is a one-time configuration change on Jiminny's side that adjusts how the consent prompt is presented to your users.

Step 2: Users request access

Once User Consent mode is enabled, users who sign in to Jiminny will be redirected to the Microsoft identity platform consent endpoint. If your tenant's consent policy prevents them from granting the required delegated scopes themselves, they'll see an option to request admin approval, which submits the request to the Entra admin consent workflow.

Step 3: Review and approve requests

As a Global Administrator, Cloud Application Administrator, or Application Administrator, you can review pending consent requests:

  1. Navigate to Identity > Applications > Enterprise applications

  2. In the left sidebar, select Admin consent requests

  3. Review and approve or deny each pending request. Approving grants the delegated permissions for that user


What Permissions Does Jiminny Request?

All permissions listed below are delegated permissions (not application permissions). This means Jiminny can only access data on behalf of a signed-in user. It cannot access data in the background across your entire tenant. Each scope is limited to the data of the user who has signed in.

Always required (Authentication & Identity)

| Scope | Type | What it allows |
| --- | --- | --- |
| openid | OpenID Connect | Identify the user during sign-in |
| email | OpenID Connect | Read the user's email address for authentication |
| profile | OpenID Connect | Read the user's display name |
| offline_access | OAuth 2.0 | Issue a refresh token so Jiminny can maintain the connection without requiring the user to re-authenticate |

Calendar (for Notetaker / Calendar Sync)

| Scope | Type | What it allows |
| --- | --- | --- |
| Calendars.ReadWrite | Microsoft Graph (delegated) | Read the signed-in user's calendar to import relevant meetings; write access is used to update events when using Jiminny's Explicit Consent Mode |
| OnlineMeetings.ReadWrite | Microsoft Graph (delegated) | Read online meeting details for the signed-in user; write access is used to create meetings when using Explicit Consent Mode |

Microsoft Teams (for sharing and notifications)

| Scope | Type | What it allows |
| --- | --- | --- |
| Channel.ReadBasic.All | Microsoft Graph (delegated) | Read basic channel info in teams the signed-in user belongs to, for sharing Jiminny activity |
| ChannelMessage.Send | Microsoft Graph (delegated) | Send messages to Teams channels on behalf of the signed-in user |
| Chat.Create | Microsoft Graph (delegated) | Create 1:1 or group chats on behalf of the signed-in user |
| ChatMessage.Send | Microsoft Graph (delegated) | Send chat messages on behalf of the signed-in user |
| Team.ReadBasic.All | Microsoft Graph (delegated) | Read basic team info for teams the signed-in user belongs to |

Email (for Email Sync)

| Scope | Type | What it allows |
| --- | --- | --- |
| Mail.Read | Microsoft Graph (delegated) | Read the signed-in user's email messages (read-only; Jiminny cannot send, modify, or delete emails) |

Important: Although Mail.Read grants access to a user's mailbox, Jiminny only processes emails where the sender or recipient matches a CRM account or lead. Emails that don't match are discarded and never stored in Jiminny's systems. See our Technical Details article for more information on data filtering and retention.

What Jiminny does NOT access: Jiminny does not request application-level permissions and cannot access data without a user being signed in. It does not access OneDrive, SharePoint, contacts, or any other Microsoft 365 service beyond what is listed above. It cannot send, modify, or delete emails. Calendar write access is only used for Explicit Consent Mode features. If you don't use Explicit Consent Mode, calendars are effectively read-only.
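To check that the grants in your tenant match the tables above, the following added example (not code from Jiminny or Microsoft) audits a Microsoft Graph oauth2PermissionGrants response for the Jiminny service principal against the documented scopes. The feature group names, the sample response and its placeholder ids are constructed for illustration.

```python
import json

# Delegated scopes from the permission tables above, grouped by Jiminny feature.
DOCUMENTED = {
    "auth": {"openid", "email", "profile", "offline_access"},
    "calendar": {"Calendars.ReadWrite", "OnlineMeetings.ReadWrite"},
    "teams": {"Channel.ReadBasic.All", "ChannelMessage.Send", "Chat.Create",
              "ChatMessage.Send", "Team.ReadBasic.All"},
    "email": {"Mail.Read"},
}
ALL_DOCUMENTED = set().union(*DOCUMENTED.values())

# Constructed sample, shaped like the Microsoft Graph response to
# GET /v1.0/oauth2PermissionGrants?$filter=clientId eq '<service principal object id>'
# All ids are placeholders; Files.Read.All is planted to show an unexpected grant.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "sp-object-id", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "graph-sp-object-id",
   "scope": "openid email profile offline_access Calendars.ReadWrite OnlineMeetings.ReadWrite"},
  {"id": "grant-2", "clientId": "sp-object-id", "consentType": "Principal",
   "principalId": "user-object-id", "resourceId": "graph-sp-object-id",
   "scope": " Mail.Read Files.Read.All"}
]}
""")

def audit_grants(response, enabled_features):
    """Return (finding, scope, grantee) tuples for grants that differ from what is expected."""
    expected = set().union(*(DOCUMENTED[f] for f in enabled_features))
    findings, granted = [], set()
    for grant in response["value"]:
        scopes = set(grant["scope"].split())  # scope is one space-separated string
        granted |= scopes
        # AllPrincipals = tenant-wide admin consent; Principal = consent for one user
        grantee = ("tenant-wide" if grant["consentType"] == "AllPrincipals"
                   else "user " + grant["principalId"])
        for s in sorted(scopes - ALL_DOCUMENTED):
            findings.append(("not-documented", s, grantee))
        for s in sorted((scopes & ALL_DOCUMENTED) - expected):
            findings.append(("feature-not-in-use", s, grantee))
    for s in sorted(expected - granted):
        findings.append(("missing", s, None))
    return findings

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_RESPONSE, ["auth", "calendar"]):
        print(finding)
```

A "not-documented" finding means the service principal holds a delegated scope that this article does not list, which is worth reviewing under Enterprise applications > Jiminny > Permissions.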


Troubleshooting

"The signed-in user is not assigned to a role for the application"

This error occurs when user assignment is required on the Jiminny service principal, but the signed-in user hasn't been assigned. Check the service principal's properties: in the Entra admin center, go to Identity > Applications > Enterprise applications > Jiminny > Properties and verify whether Assignment required? is set to Yes. If so, add the user under Users and groups (see Option 1, Step 3).

"Need admin approval" prompt

This appears when your tenant's consent policy prevents users from granting delegated permissions to third-party apps themselves. This is controlled by your Entra ID user consent settings. To resolve:

  • Use Option 1 (Pre-authorization) to grant tenant-wide admin consent, or

  • Use Option 2 (User Consent) and approve the pending request in the Entra admin center under Admin consent requests

Jiminny doesn't appear in Enterprise Applications

The Jiminny service principal is created in your tenant only after the first admin consent is granted. If you haven't completed Option 1 Step 1 yet, the application won't appear in your Enterprise applications list. Complete the consent flow first.

Users granted consent but still can't log in

  1. Verify whether Assignment required? is set to Yes on the Jiminny service principal. If so, check that the user is listed under Users and groups

  2. Verify the consent grant is in place: go to Enterprise applications > Jiminny > Permissions and confirm the delegated permissions are listed

  3. Clear the browser cache and try again, or use an incognito/private window

  4. If the issue persists, contact Jiminny support


FAQs

Q: Is my data secure? A: Yes. Consent only grants Jiminny the minimum access needed to perform its functions. All data is transmitted securely, and emails or calendar data that don't match your CRM are never stored.

Q: What is Jiminny's Application (Client) ID? A: 3bcad3f8-39bc-495b-b118-04d692e0bb31

Q: Can I revoke consent later? A: Yes. You have two options: to revoke specific permissions, go to Enterprise applications > Jiminny > Permissions and revoke individual consent grants. To fully remove the integration, delete the Jiminny service principal from Enterprise applications > Jiminny > Properties > Delete, which removes all consent grants and user assignments.

Q: What type of permissions does Jiminny use? A: Jiminny uses delegated permissions only (not application permissions). This means it can only act on behalf of a signed-in user and is limited to that user's data. It does not have tenant-wide background access to mailboxes or calendars.

Q: Does granting consent give Jiminny access to all our users' data? A: No. Tenant-wide admin consent means users won't be individually prompted, but Jiminny still only accesses data for users who have signed in. Under the delegated permission model, Jiminny operates within the context of each individual user; the offline_access scope lets it maintain that user's connection with a refresh token, without requiring the user to re-authenticate.

