
Allow users to connect Microsoft 365 mailboxes without repeated admin approval

If your Microsoft Entra tenant restricts user consent to third-party applications, users may be unable to connect their Microsoft 365 mailbox to timetoreply without administrator approval.

This article explains how to create a custom Microsoft Entra consent policy that allows selected users to approve timetoreply access to their own mailbox without generating a new admin approval request each time.

Overview

When a user connects their Microsoft 365 mailbox to timetoreply, Microsoft may display a consent screen requesting permission for timetoreply to access mailbox data.

In organizations where user consent is disabled, each mailbox connection can generate an administrator approval request.

To avoid approving mailbox connections individually while still maintaining control, you can create a custom Microsoft Entra app consent policy that:

  • Allows selected users or groups to consent to the timetoreply application.
  • Restricts consent to specific Microsoft Graph delegated permissions.
  • Limits consent to the user's own mailbox.

What this configuration does

Users assigned to the policy can approve timetoreply access during the normal mailbox connection process.

This configuration:

  • Allows assigned users to connect their own mailbox.
  • Does not grant administrator privileges.
  • Does not allow users to approve other third-party applications.
  • Does not grant timetoreply access to all mailboxes in your Microsoft 365 tenant.

Each mailbox must still be connected individually by the mailbox owner.

timetoreply Microsoft application ID

Use the following Microsoft application (client) ID when creating the policy:

ca7f3ddb-4052-4e29-a3e1-9bef37e1bf4f

Choose the correct permission set

timetoreply uses different Microsoft Graph permissions depending on your configuration.

Standard mailbox connection

Use this option if Email Body Ingestion is not enabled.

Permissions:

offline_access
User.Read
Mail.ReadBasic

Mail.ReadBasic allows timetoreply to access mailbox metadata only. It does not provide access to:

  • Email body content
  • Preview body content
  • Attachments
  • Extended properties

Mailbox connection with Email Body Ingestion

Use this option if Email Body Ingestion is enabled.

Permissions:

offline_access
User.Read
Mail.Read

Mail.Read allows timetoreply to access email body content so body-based features can function correctly.

Optional: Calendar Sync

If your organization uses calendar synchronization, add:

Calendars.Read 

This permission can be added to either mailbox permission set.


Prerequisites

Before you begin, ensure you have:

  • Microsoft Graph PowerShell installed.
  • A Microsoft Entra administrator account with permission to manage app consent policies and directory roles.
  • Permission to assign users or groups to custom Microsoft Entra roles.

Connect to Microsoft Graph

Open PowerShell and connect to Microsoft Graph:

Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "RoleManagement.ReadWrite.Directory", "Application.Read.All"

Step 1: Define the application IDs

Set the Microsoft Graph and timetoreply application IDs:

# Microsoft Graph resource application ID
$msGraphAppId = "00000003-0000-0000-c000-000000000000"

# timetoreply Microsoft application/client ID
$timetoreplyClientAppId = "ca7f3ddb-4052-4e29-a3e1-9bef37e1bf4f"

Step 2: Select the required permissions

Choose one of the following permission sets.

Standard mailbox connection

$scopeNames = @(
    "offline_access",
    "User.Read",
    "Mail.ReadBasic"
)

Mailbox connection with Email Body Ingestion

$scopeNames = @(
    "offline_access",
    "User.Read",
    "Mail.Read"
)

Add Calendar Sync (optional)

Standard mailbox connection with calendar sync:

$scopeNames = @(
    "offline_access",
    "User.Read",
    "Mail.ReadBasic",
    "Calendars.Read"
)

Email Body Ingestion with calendar sync:

$scopeNames = @(
    "offline_access",
    "User.Read",
    "Mail.Read",
    "Calendars.Read"
)

Step 3: Resolve the Microsoft Graph permission IDs

Retrieve the delegated permission IDs for the selected scopes:

$msGraph = Get-MgServicePrincipal -Filter "appId eq '$msGraphAppId'"

$scopeIds = $msGraph.Oauth2PermissionScopes |
    Where-Object { $scopeNames -contains $_.Value } |
    Select-Object -ExpandProperty Id

To verify the resolved permissions:

$msGraph.Oauth2PermissionScopes |
    Where-Object { $scopeNames -contains $_.Value } |
    Select-Object Value, Id

Step 4: Create a custom consent policy

Create a policy that will allow users to consent to timetoreply for the approved permissions.

$policyId = "timetoreply-user-consent-policy"
$policyName = "timetoreply user consent policy"
$policyDescription = "Allows assigned users to grant consent for the timetoreply application for approved Microsoft Graph delegated permissions."

New-MgPolicyPermissionGrantPolicy `
    -Id $policyId `
    -DisplayName $policyName `
    -Description $policyDescription

Step 5: Restrict the policy to timetoreply

Add an include rule that allows only the timetoreply application and only the selected permissions.

New-MgPolicyPermissionGrantPolicyInclude `
    -PermissionGrantPolicyId $policyId `
    -PermissionType "delegated" `
    -PermissionClassification "all" `
    -ClientApplicationIds @($timetoreplyClientAppId) `
    -Permissions $scopeIds `
    -ResourceApplication $msGraph.AppId

Step 6: Create a custom role

Create a role that allows users to grant consent only for themselves and only through the custom policy.

$roleDisplayName = "timetoreply mailbox users"
$roleDescription = "Allows assigned users to grant consent to timetoreply on behalf of themselves only."
$templateId = (New-Guid).Guid

$rolePermissions = @{
    allowedResourceActions = @(
        "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.$policyId"
    )
}

New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName $roleDisplayName `
    -Description $roleDescription `
    -TemplateId $templateId `
    -IsEnabled:$true `
    -RolePermissions $rolePermissions

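
The following script is an added example, not part of the timetoreply article. It repeats Steps 1 to 6 in a re-runnable form: the article's Where-Object filter silently drops any scope name that does not exist on the Microsoft Graph service principal, so a typo would produce an include rule that is narrower than intended and users would still be blocked; this version fails on unresolved names and skips objects that already exist. It assumes the same Connect-MgGraph session and the standard (Mail.ReadBasic) permission set.

```powershell
# Added example (not from the timetoreply article): strict, re-runnable variant of Steps 1-6.
$msGraphAppId           = "00000003-0000-0000-c000-000000000000"
$timetoreplyClientAppId = "ca7f3ddb-4052-4e29-a3e1-9bef37e1bf4f"
$policyId               = "timetoreply-user-consent-policy"
$scopeNames             = @("offline_access", "User.Read", "Mail.ReadBasic")   # adjust per Step 2

function Resolve-GraphScopeIds {
    # Maps delegated scope names to IDs and throws if any name is unknown,
    # instead of silently dropping it as a plain Where-Object filter would.
    param([Parameter(Mandatory)][string[]]$Names, [Parameter(Mandatory)]$GraphSp)
    $byName = @{}
    foreach ($s in $GraphSp.Oauth2PermissionScopes) { $byName[$s.Value] = $s.Id }
    $missing = @($Names | Where-Object { -not $byName.ContainsKey($_) })
    if ($missing.Count -gt 0) { throw "Unknown Microsoft Graph delegated scope(s): $($missing -join ', ')" }
    return @($Names | ForEach-Object { $byName[$_] })
}

$msGraph  = Get-MgServicePrincipal -Filter "appId eq '$msGraphAppId'"
$scopeIds = Resolve-GraphScopeIds -Names $scopeNames -GraphSp $msGraph

# Create the consent policy only if it does not already exist.
$policy = Get-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId $policyId -ErrorAction SilentlyContinue
if (-not $policy) {
    New-MgPolicyPermissionGrantPolicy -Id $policyId `
        -DisplayName "timetoreply user consent policy" `
        -Description "Allows assigned users to grant consent for the timetoreply application for approved Microsoft Graph delegated permissions." | Out-Null
}

# Add the include rule only if none yet targets the timetoreply client app.
$existingRule = Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $policyId |
    Where-Object { $_.ClientApplicationIds -contains $timetoreplyClientAppId }
if (-not $existingRule) {
    New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $policyId `
        -PermissionType "delegated" -PermissionClassification "all" `
        -ClientApplicationIds @($timetoreplyClientAppId) `
        -Permissions $scopeIds -ResourceApplication $msGraph.AppId | Out-Null
}

# Create the self-consent role only if no definition with this display name exists.
$roleName = "timetoreply mailbox users"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) {
    New-MgRoleManagementDirectoryRoleDefinition -DisplayName $roleName `
        -Description "Allows assigned users to grant consent to timetoreply on behalf of themselves only." `
        -TemplateId (New-Guid).Guid -IsEnabled:$true `
        -RolePermissions @{ allowedResourceActions = @("microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.$policyId") } | Out-Null
}
```
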
Step 7: Assign users or groups

In the Microsoft Entra admin center:

  1. Go to Identity.
  2. Select Roles & admins.
  3. Locate the custom role (for example, timetoreply mailbox users).
  4. Open the role.
  5. Select Add assignments.
  6. Assign the users or groups who should be allowed to connect their own mailbox.

For easier administration, consider assigning a security group rather than individual users.

Step 8: Ask users to connect their mailbox

After role assignments have propagated, users can connect their Microsoft 365 mailbox from timetoreply.

Users may still see the Microsoft consent screen, but they should be able to approve the permissions themselves without generating a new administrator approval request.

Verify the configuration

List existing app consent policies:

Get-MgPolicyPermissionGrantPolicy | Format-Table Id, DisplayName, Description 

View the include rules for the timetoreply policy:

Get-MgPolicyPermissionGrantPolicyInclude `
    -PermissionGrantPolicyId "timetoreply-user-consent-policy" |
    Format-List

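
Format-List shows the raw include rule, but the permission IDs are opaque GUIDs. The audit below is an added example, not part of the timetoreply article: it maps those IDs back to scope names and warns if the policy has drifted beyond the intended shape (a second client app, the "all" wildcard, a scope outside the chosen set, or a resource other than Microsoft Graph). It assumes the standard permission set; set $expectedScopes to match your Step 2 choice.

```powershell
# Added example (not from the timetoreply article): audit the consent policy for over-broad scope.
$msGraphAppId           = "00000003-0000-0000-c000-000000000000"
$timetoreplyClientAppId = "ca7f3ddb-4052-4e29-a3e1-9bef37e1bf4f"
$policyId               = "timetoreply-user-consent-policy"
$expectedScopes         = @("offline_access", "User.Read", "Mail.ReadBasic")   # adjust per Step 2

# Build an ID -> name map from the Microsoft Graph service principal.
$msGraph  = Get-MgServicePrincipal -Filter "appId eq '$msGraphAppId'"
$idToName = @{}
foreach ($s in $msGraph.Oauth2PermissionScopes) { $idToName[$s.Id] = $s.Value }

$findings = @()
$includes = @(Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $policyId)
if ($includes.Count -eq 0) { $findings += "No include rule found on '$policyId'." }

foreach ($rule in $includes) {
    # Only delegated permissions against Microsoft Graph should be consentable here.
    if ($rule.PermissionType -ne "delegated") {
        $findings += "Rule $($rule.Id): permissionType is '$($rule.PermissionType)', expected 'delegated'."
    }
    if ($rule.ResourceApplication -ne $msGraphAppId) {
        $findings += "Rule $($rule.Id): resourceApplication is '$($rule.ResourceApplication)', expected Microsoft Graph."
    }
    # Only the timetoreply client app should be listed ("all" is the wildcard default).
    foreach ($app in $rule.ClientApplicationIds) {
        if ($app -ne $timetoreplyClientAppId) { $findings += "Rule $($rule.Id): unexpected client app '$app'." }
    }
    # Every permission must resolve to a Graph delegated scope in the expected set.
    foreach ($permId in $rule.Permissions) {
        if ($permId -eq "all") { $findings += "Rule $($rule.Id): permissions is 'all' (no scope restriction)."; continue }
        $name = $idToName[$permId]
        if (-not $name) { $findings += "Rule $($rule.Id): permission $permId is not a Microsoft Graph delegated scope." }
        elseif ($expectedScopes -notcontains $name) { $findings += "Rule $($rule.Id): unexpected scope '$name'." }
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Policy '$policyId' is limited to timetoreply and to: $($expectedScopes -join ', ')" }
```
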
Remove the configuration

If you no longer require this setup:

  1. Remove all user and group assignments from the custom role.
  2. Delete the custom consent policy.

Remove-MgPolicyPermissionGrantPolicy `
    -PermissionGrantPolicyId "timetoreply-user-consent-policy"

You can then remove the custom role from Roles & admins in Microsoft Entra.

Additional notes

This approach is more restrictive than granting tenant-wide administrator consent.

It allows selected users to:

  • Consent only for themselves.
  • Consent only to the timetoreply application.
  • Consent only to the Microsoft Graph delegated permissions included in the policy.

For standard mailbox connections, timetoreply uses Mail.ReadBasic, which excludes email bodies, previews, attachments, and extended properties.

If Email Body Ingestion is enabled, timetoreply uses Mail.Read so that body-based features can function correctly.

If your organization requires centralized approval for every application permission grant, continue using the standard admin consent workflow and approve timetoreply requests manually.

If you have any questions or need further assistance, please contact us at support@timetoreply.com