Mailboard AI
Mailboard AI
Features
Download
Plans
Support
Open web-app
For IT administrators

Admin consent for Microsoft 365

If your users see “Need admin approval” when they connect a Microsoft 365 account, an administrator can approve Mailboard AI once for the whole tenant. This page explains the permissions we request, our security posture, and the exact steps to grant consent in Microsoft Entra.

Why you are seeing this

When a user in your organization taps Sign in with Microsoft or Link Microsoft 365 in Mailboard AI, Microsoft Entra ID may require an administrator to approve the app before the user can continue. This is expected behaviour in tenants where user consent is restricted. As an administrator you can grant this approval once for the whole tenant, after which your users connect their inbox without any further prompts.

Mailboard AI uses standard Microsoft Entra (OAuth 2.0) sign-in. It requests delegated permissions only, which means it can act solely on behalf of the individual user who signed in and only for their own mailbox — it can never read another user's mail.

Permissions requested

Mailboard AI requests the minimum set of delegated Microsoft Graph permissions needed to place a user's important emails on their board and to let them reply:

  • Mail.Read — read the signed-in user's mail, so the app can classify incoming messages and pin the important ones to the board.
  • Mail.Send — send mail as the signed-in user, so replies and composed messages the user writes can be sent.
  • offline_access — obtain a refresh token so the user does not have to sign in again on every launch.
  • openid, profile, email, User.Read — basic sign-in: identify the account and read the user's own profile (name and email address) to label the inbox.

These are delegated permissions, not application permissions. Mailboard AI has no tenant-wide, background, or application-level access to any mailbox; it can only ever act within the scope of the user who is currently signed in.

Security posture

  • On-device processing. Email is read and classified on the user's own device. Inboxes, message bodies, and classification results are stored encrypted on the device — they are not kept on our servers.
  • Least privilege. The app requests read and send access to the signed-in user's mailbox only, plus basic sign-in. It does not request calendar, contacts, files, directory, or administrative scopes.
  • Data minimisation for AI. For automatic classification only the first 200 characters of a message, together with the sender and subject, are sent for processing. Full message text is sent only when the user explicitly asks for a summary or a reply draft. Email data is never used for advertising or to train AI models. See our privacy statement for details.
  • Microsoft Approved Partner. The Entra apps behind “Sign in with Microsoft” and “Link Microsoft 365” are validated through the Microsoft Approved Partner programme.
  • Revocable at any time. You can revoke consent for the whole tenant from the Microsoft Entra admin center, and individual users can revoke access for their own account, at any point.

Grant admin consent in Microsoft Entra

To approve Mailboard AI for everyone in your tenant:

  1. Sign in to the Microsoft Entra admin center with a Global Administrator (or Privileged Role Administrator / Cloud Application Administrator) account.
  2. Go to Identity → Applications → Enterprise applications.
  3. Find Mailboard AI in the list. If it is not there yet, ask one user to start the “Sign in with Microsoft” flow once — the app then appears under Enterprise applications for your tenant.
  4. Open the app and go to Security → Permissions.
  5. Select Grant admin consent for <your organization> and confirm. Review the delegated permissions listed above.
  6. Your users can now connect their Microsoft 365 inbox with no further approval prompts.

Alternatively, you can use the tenant-wide admin-consent link that the app presents on the “admin approval required” screen (or that we can supply on request). Opening that link while signed in as an administrator grants consent for the whole organization in a single step.

Enable the admin consent workflow

If you would rather keep user consent restricted but still let staff request access, enable the admin consent workflow. Users then see a Request approval button on Microsoft's sign-in page instead of a dead end, and a designated reviewer approves the request:

  1. In the Microsoft Entra admin center, go to Identity → Applications → Enterprise applications → Consent and permissions → Admin consent settings.
  2. Set Users can request admin consent to apps they are unable to consent to to Yes.
  3. Add one or more reviewers (users or groups) who will receive and act on the requests, and optionally set who is notified and how long requests stay valid.
  4. Save. When a user hits the approval wall for Mailboard AI, they can now submit a request that a reviewer approves — after which the app works for that user.

Need help?

If you have questions about the permissions, our security posture, or the consent process, contact us at support@mailboardai.com or via our contact page, and we will help you approve Mailboard AI for your organization.

Trusted Microsoft integration

We are a Microsoft Approved Partner

The “Sign in with Microsoft” and “Link Microsoft 365” features in Mailboard AI are built on Microsoft Entra apps that are validated through the Microsoft Approved Partner programme.

For domain administrators

  • The Microsoft Entra apps behind “Sign in with Microsoft” and “Link Microsoft 365” are validated with the Microsoft Approved Partner programme.
  • You can approve the app for your domain’s users from your Microsoft Entra admin center.
  • What it does: an AI reads incoming email on the user’s device, pins only the important messages to a board and sets the rest aside. It requests mail read/send access only — inboxes and classification data stay on the user’s device, never in our cloud.