Allow Microsoft users to connect their mailbox without repeated admin approval
This article is intended for Microsoft Entra administrators whose organization restricts user consent to third-party applications.
Overview
When users connect their Microsoft 365 mailbox to timetoreply, Microsoft may request consent for the permissions timetoreply needs to access mailbox data.
In organizations where users are not permitted to grant application consent themselves, each mailbox connection can generate a separate admin approval request.
If you want users to continue connecting their own mailboxes, but want to avoid approving each connection individually, you can create a custom Microsoft Entra app consent policy for timetoreply.
This allows selected users or groups to grant consent for timetoreply during the normal mailbox connection process, while restricting consent to only the approved timetoreply permissions.
What this configuration allows
Users assigned to the policy can:
- Connect their own mailbox to timetoreply.
- Approve the required timetoreply permissions during mailbox connection.
- Grant consent only for themselves.
This configuration does not:
- Grant administrator privileges.
- Allow users to approve arbitrary third-party applications.
- Give timetoreply access to all mailboxes in your Microsoft 365 tenant.
Each mailbox must still be connected individually by the mailbox owner.
timetoreply Microsoft application ID
Use the following Microsoft application (client) ID when configuring the policy:
ca7f3ddb-4052-4e29-a3e1-9bef37e1bf4f
Choose the correct permission set
timetoreply uses one of two Microsoft Graph permission sets depending on your organization's configuration.
Option 1: Standard mailbox connection
Use this option if email body ingestion is not enabled in timetoreply.
This permission set allows timetoreply to read mailbox metadata only. It does not provide access to email body content, preview text, attachments, or extended properties.
Required permissions:
offline_access User.Read Mail.ReadBasic
Option 2: Mailbox connection with email body ingestion
Use this option if email body ingestion is enabled in timetoreply.
This permission set allows timetoreply to read the signed-in user's mailbox, including email body content required for body-based features.
Required permissions:
offline_access User.Read Mail.Read
Optional: Calendar sync
If your organization uses timetoreply calendar sync, also include:
Calendars.Read
You can add this permission to either mailbox permission set.
Prerequisites
Before starting, ensure you have:
- Microsoft Graph PowerShell installed.
- A Microsoft Entra administrator account that can manage app consent policies and create custom directory roles (Privileged Role Administrator or Global Administrator).
- Permission to assign users or groups to custom Microsoft Entra roles.
Connect to Microsoft Graph
Open PowerShell and connect to Microsoft Graph:
Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "RoleManagement.ReadWrite.Directory", "Application.Read.All"
Step 1: Define the timetoreply permission set
First define the Microsoft Graph application ID and the timetoreply application ID:
# Microsoft Graph resource application ID
$msGraphAppId = "00000003-0000-0000-c000-000000000000"

# timetoreply Microsoft application/client ID
$timetoreplyClientAppId = "ca7f3ddb-4052-4e29-a3e1-9bef37e1bf4f"
Next, choose the permission set that matches your timetoreply configuration.
Standard mailbox connection
$scopeNames = @( "offline_access", "User.Read", "Mail.ReadBasic" )
Mailbox connection with email body ingestion
$scopeNames = @( "offline_access", "User.Read", "Mail.Read" )
Include calendar sync (optional)
For standard mailbox connections:
$scopeNames = @( "offline_access", "User.Read", "Mail.ReadBasic", "Calendars.Read" )
For mailbox connections with email body ingestion:
$scopeNames = @( "offline_access", "User.Read", "Mail.Read", "Calendars.Read" )
Step 2: Resolve the Microsoft Graph delegated permission IDs
Run the following commands:
$msGraph = Get-MgServicePrincipal -Filter "appId eq '$msGraphAppId'"

$scopeIds = $msGraph.Oauth2PermissionScopes |
    Where-Object { $scopeNames -contains $_.Value } |
    Select-Object -ExpandProperty Id
To verify the resolved permissions, list them by name and ID. You should see exactly one row per entry in $scopeNames; a missing row means the scope name is misspelled and the include rule created later would silently omit it:

$msGraph.Oauth2PermissionScopes |
    Where-Object { $scopeNames -contains $_.Value } |
    Select-Object Value, Id
Step 3: Create the custom app consent policy
Create a dedicated consent policy for timetoreply:
$policyId = "timetoreply-user-consent-policy"
$policyName = "timetoreply user consent policy"
$policyDescription = "Allows assigned users to grant consent for the timetoreply application for approved Microsoft Graph delegated permissions."

New-MgPolicyPermissionGrantPolicy `
    -Id $policyId `
    -DisplayName $policyName `
    -Description $policyDescription
Step 4: Add the timetoreply consent rule
Create an include rule that permits only the timetoreply application to request the selected Microsoft Graph delegated permissions. Keep the -ClientApplicationIds and -Permissions parameters as shown: if either is omitted, the rule defaults to "all", which would let any client application (or any Graph permission) be consented under this policy.

New-MgPolicyPermissionGrantPolicyInclude `
    -PermissionGrantPolicyId $policyId `
    -PermissionType "delegated" `
    -PermissionClassification "all" `
    -ClientApplicationIds @($timetoreplyClientAppId) `
    -Permissions $scopeIds `
    -ResourceApplication $msGraph.AppId
Step 5: Create a custom Microsoft Entra role
Create a role that allows assigned users to grant consent for themselves under the timetoreply policy. The resource action is the managePermissionGrantsForSelf variant, suffixed with the policy ID; the managePermissionGrantsForAll variant would let members consent on behalf of the whole tenant and is not what this setup needs.

$roleDisplayName = "timetoreply mailbox users"
$roleDescription = "Allows assigned users to grant consent to timetoreply on behalf of themselves only."
$templateId = (New-Guid).Guid

$rolePermissions = @{
    allowedResourceActions = @(
        "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.$policyId"
    )
}

New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName $roleDisplayName `
    -Description $roleDescription `
    -TemplateId $templateId `
    -IsEnabled:$true `
    -RolePermissions $rolePermissions
Step 6: Assign users or groups to the role
In the Microsoft Entra admin center:
- Go to Identity.
- Select Roles & admins.
- Search for the custom role (for example, timetoreply mailbox users).
- Open the role.
- Select Add assignments.
- Add the users or groups that should be allowed to connect their own mailbox to timetoreply.
For easier administration, consider assigning a group rather than individual users. Note that Microsoft Entra directory roles, including custom roles, can only be assigned to role-assignable groups, so the group must have been created with that option enabled; ordinary security groups do not appear in the assignment picker.
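The same assignment can be made from Microsoft Graph PowerShell. The script below is an added example, not code from the timetoreply article; it assumes the role from Step 5 exists, an existing Connect-MgGraph session with RoleManagement.ReadWrite.Directory and Group.Read.All, and a role-assignable group named "timetoreply-mailbox-users" (the group name and the function name are this example's own).

```powershell
# Added example (not from the timetoreply article): assign the custom role to a
# role-assignable group. Assumes Connect-MgGraph with
# RoleManagement.ReadWrite.Directory and Group.Read.All; the group name and the
# function name are this example's own.

function Add-TimetoreplyRoleAssignment {
    param(
        [string]$RoleDisplayName  = "timetoreply mailbox users",
        [string]$GroupDisplayName = "timetoreply-mailbox-users"
    )

    $role = @(Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'")
    if ($role.Count -eq 0) { throw "Custom role '$RoleDisplayName' not found; run Step 5 first." }
    if ($role.Count -gt 1) { throw "More than one role named '$RoleDisplayName'; assign by Id instead." }
    $role = $role[0]

    $group = Get-MgGroup -Filter "displayName eq '$GroupDisplayName'" -Property Id, DisplayName, IsAssignableToRole
    if (-not $group) { throw "Group '$GroupDisplayName' not found." }

    # Directory roles can only be assigned to role-assignable groups; the flag
    # is set at creation time and cannot be added to an existing group.
    if (-not $group.IsAssignableToRole) {
        throw "Group '$GroupDisplayName' is not role-assignable; create a new group with IsAssignableToRole enabled."
    }

    # Idempotent: return the existing assignment if the group already holds the role.
    $existing = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$($role.Id)' and principalId eq '$($group.Id)'"
    if ($existing) { return $existing }

    # Scope "/" is the whole directory; the role itself only carries the
    # managePermissionGrantsForSelf action for the timetoreply policy.
    New-MgRoleManagementDirectoryRoleAssignment `
        -RoleDefinitionId $role.Id `
        -PrincipalId $group.Id `
        -DirectoryScopeId "/"
}

Add-TimetoreplyRoleAssignment | Format-List Id, RoleDefinitionId, PrincipalId, DirectoryScopeId
```

Members added to the group afterwards pick up the role automatically, which is the practical reason to prefer a group over per-user assignments.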
Step 7: Connect mailboxes
After role assignments have propagated (allow a few minutes), users can return to timetoreply and connect their Microsoft mailbox.
Users may still see the Microsoft consent screen, but they should be able to approve the timetoreply permissions themselves without generating a new admin approval request.
Verify the configuration
List existing app consent policies:
Get-MgPolicyPermissionGrantPolicy | Format-Table Id, DisplayName, Description
View the include rules for the timetoreply policy:
Get-MgPolicyPermissionGrantPolicyInclude `
    -PermissionGrantPolicyId "timetoreply-user-consent-policy" | Format-List
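Listing the policy shows what was created; it does not tell you whether the result is as narrow as intended, or what users have actually consented to. The script below is an added example, not part of the timetoreply article or product. It resolves the include rule's permission IDs back to scope names and checks that the rule is pinned to the timetoreply client, covers delegated Graph permissions only, and that the custom role carries the self-only action; it then lists the consent grants users have made to timetoreply and flags any scope outside the expected set or any tenant-wide grant. It assumes an existing Connect-MgGraph session; reading grants and user principal names additionally needs DelegatedPermissionGrant.ReadWrite.All (or Directory.Read.All) and User.Read.All. The default expected scopes are the standard set; pass -ExpectedScopes with the body-ingestion or calendar set if that is what you configured. Function names are this example's own.

```powershell
# Added verification script (not part of the timetoreply article). Assumes an
# existing Connect-MgGraph session; the grant audit additionally needs
# DelegatedPermissionGrant.ReadWrite.All (or Directory.Read.All) and User.Read.All.
# Function names are this example's own.

$GraphAppId       = "00000003-0000-0000-c000-000000000000"
$TimetoreplyAppId = "ca7f3ddb-4052-4e29-a3e1-9bef37e1bf4f"

# Checks that policy and role are shaped as intended: one client, delegated
# Graph scopes from the expected set only, and self-consent (not tenant-wide).
function Test-TimetoreplyConsentPolicy {
    param(
        [string]$PolicyId        = "timetoreply-user-consent-policy",
        [string]$RoleDisplayName = "timetoreply mailbox users",
        [string[]]$ExpectedScopes = @("offline_access", "User.Read", "Mail.ReadBasic")
    )
    $problems = @()

    $msGraph  = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    $idToName = @{}
    foreach ($s in $msGraph.Oauth2PermissionScopes) { $idToName[$s.Id] = $s.Value }

    $rules = @(Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $PolicyId)
    if ($rules.Count -eq 0) { $problems += "Policy '$PolicyId' has no include rules." }

    foreach ($rule in $rules) {
        $clients = @($rule.ClientApplicationIds)
        # An empty list or the literal "all" means any client may use this rule.
        if ($clients.Count -eq 0 -or $clients -contains "all" -or (Compare-Object $clients @($TimetoreplyAppId))) {
            $problems += "Rule $($rule.Id) is not restricted to the timetoreply client: $($clients -join ', ')"
        }
        if ($rule.PermissionType -ne "delegated") {
            $problems += "Rule $($rule.Id) covers $($rule.PermissionType) permissions, expected delegated."
        }
        if ($rule.ResourceApplication -ne $GraphAppId) {
            $problems += "Rule $($rule.Id) targets resource $($rule.ResourceApplication), expected Microsoft Graph."
        }
        $perms = @($rule.Permissions)
        if ($perms -contains "all") { $problems += "Rule $($rule.Id) allows all permissions on the resource." }
        $names = $perms | ForEach-Object { if ($idToName.ContainsKey($_)) { $idToName[$_] } else { $_ } }
        $extra = @($names | Where-Object { $ExpectedScopes -notcontains $_ })
        if ($extra.Count -gt 0) { $problems += "Rule $($rule.Id) allows unexpected scopes: $($extra -join ', ')" }
    }

    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) {
        $problems += "Custom role '$RoleDisplayName' not found."
    } else {
        $actions = @($role.RolePermissions | ForEach-Object { $_.AllowedResourceActions })
        if ($actions -notcontains "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.$PolicyId") {
            $problems += "Role does not carry managePermissionGrantsForSelf.$PolicyId"
        }
        # The ForAll variant would let members consent on behalf of the whole tenant.
        if ($actions -match "managePermissionGrantsForAll") {
            $problems += "Role carries a managePermissionGrantsForAll action: $($actions -join ', ')"
        }
    }

    [pscustomobject]@{ Passed = ($problems.Count -eq 0); Problems = $problems }
}

# Lists the consents actually granted to timetoreply and flags scopes outside
# the expected set and tenant-wide (AllPrincipals) grants.
function Get-TimetoreplyConsentGrant {
    param([string[]]$ExpectedScopes = @("offline_access", "User.Read", "Mail.ReadBasic"))

    $sp = Get-MgServicePrincipal -Filter "appId eq '$TimetoreplyAppId'"
    if (-not $sp) { return @() }   # no service principal yet: nobody has connected a mailbox

    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All | ForEach-Object {
        $scopes = $_.Scope.Trim() -split '\s+'
        $who = if ($_.ConsentType -eq "AllPrincipals") { "(all users)" }
               else { (Get-MgUser -UserId $_.PrincipalId -Property UserPrincipalName).UserPrincipalName }
        [pscustomobject]@{
            Principal   = $who
            ConsentType = $_.ConsentType
            Scopes      = $scopes -join ' '
            Unexpected  = ($scopes | Where-Object { $ExpectedScopes -notcontains $_ }) -join ' '
        }
    }
}

Test-TimetoreplyConsentPolicy
Get-TimetoreplyConsentGrant | Format-Table -AutoSize
```

A grant with ConsentType AllPrincipals means someone granted tenant-wide admin consent at some point, which is exactly what this setup is meant to avoid; a non-empty Unexpected column means a user was able to approve a scope the policy should not have allowed, and the include rule deserves a second look.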
Remove the configuration
If you no longer need this setup:
- Remove all assignments from the custom role.
- Delete the app consent policy.

Remove-MgPolicyPermissionGrantPolicy `
    -PermissionGrantPolicyId "timetoreply-user-consent-policy"

You can then remove the custom role from Roles & admins in Microsoft Entra.

Removing the policy and role only stops further self-service consent. Consents that users have already granted to timetoreply remain in place, and timetoreply keeps its access to those mailboxes, until each grant is revoked.
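If the intent is to cut timetoreply's access as well, the existing grants have to be revoked explicitly. The script below is an added example, not code from the timetoreply article; it deletes the OAuth2 permission grants users made to the timetoreply service principal, optionally for a single user, and supports -WhatIf so the list can be reviewed before anything is removed. It assumes an existing Connect-MgGraph session with DelegatedPermissionGrant.ReadWrite.All; the function name is this example's own.

```powershell
# Added example (not from the timetoreply article): revoke consents users have
# granted to timetoreply. Assumes Connect-MgGraph with
# DelegatedPermissionGrant.ReadWrite.All; the function name is this example's own.

function Revoke-TimetoreplyUserConsent {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ClientAppId = "ca7f3ddb-4052-4e29-a3e1-9bef37e1bf4f",
        # Optional: limit the revocation to one user's object ID.
        [string]$PrincipalId
    )

    $sp = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
    if (-not $sp) {
        Write-Verbose "No service principal for $ClientAppId in this tenant; nothing to revoke."
        return
    }

    # Grants are keyed by the client service principal's object ID, not its appId.
    $filter = "clientId eq '$($sp.Id)'"
    if ($PrincipalId) { $filter += " and principalId eq '$PrincipalId'" }

    foreach ($grant in Get-MgOauth2PermissionGrant -Filter $filter -All) {
        $target = if ($grant.ConsentType -eq "AllPrincipals") { "all users (tenant-wide grant)" } else { $grant.PrincipalId }
        if ($PSCmdlet.ShouldProcess("grant $($grant.Id) for $target", "Remove consent [$($grant.Scope.Trim())]")) {
            # Deleting the grant stops timetoreply from obtaining new tokens for this
            # user (refresh tokens are rejected without consent); access tokens that
            # were already issued stay valid until they expire.
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
            $grant.Id
        }
    }
}

# Dry run first, then revoke for real.
Revoke-TimetoreplyUserConsent -WhatIf
# Revoke-TimetoreplyUserConsent
```

Run the dry run before the real one: a grant with ConsentType AllPrincipals is tenant-wide admin consent rather than a user's own, and removing it affects every mailbox at once.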
Additional notes
This approach is more restrictive than granting tenant-wide admin consent.
Users can consent:
- Only for themselves.
- Only to the timetoreply application.
- Only for the Microsoft Graph delegated permissions defined in the policy.
For standard mailbox connections, timetoreply uses Mail.ReadBasic, which excludes email body content, preview body content, attachments, and extended properties.
If email body ingestion is enabled, timetoreply uses Mail.Read so that body-based features can function correctly.
If your organization requires centralized approval for every application permission grant, you should continue using the standard Microsoft admin approval workflow and approve timetoreply requests manually.