
Getting Connected: How Epiteera Handles Admin Consent

Before Epiteera can run a Microsoft 365 Security Health Check on your tenant, it needs your organisation's permission to read the relevant data. Microsoft enforces this through a process called admin consent — a one-time approval that a sufficiently privileged administrator must grant. This article explains exactly what happens when you sign in, depending on whether you are an administrator or a standard user.

Why admin consent is required

Epiteera reads configuration data from your Microsoft 365 environment — things like conditional access policies, device configurations, sharing settings, and identity hygiene signals. Microsoft 365 protects this data at the tenant level, meaning no third-party application can access it without an explicit, organisation-wide approval from an administrator. This is a standard Microsoft security requirement that applies equally to all applications that integrate with Microsoft 365.

Signing in for the first time

When you open Epiteera and click Sign in, you are redirected to Microsoft's login page and authenticate with your usual work account. Epiteera never sees your password — authentication is handled entirely by Microsoft.

Once you are signed in, Epiteera reads the directory roles carried in the identity (ID) token that Microsoft Entra ID issued for your account. From those roles it determines whether you hold a privileged directory role that can grant tenant-wide consent (such as Global Administrator, Cloud Application Administrator, or Privileged Role Administrator) or whether you are a standard user, and shows the matching setup experience. This check only selects which screen you see: whether consent is actually granted is decided and enforced by Microsoft when an administrator accepts on Microsoft's own consent page.

Screenshot: Sign-in page

Path 1: You are a Global Administrator (or equivalent)

If Epiteera detects a privileged role in your account, it presents a streamlined consent dialog as soon as it determines that your tenant is not yet connected.

Screenshot: Setup connection modal — admin view

The dialog explains that, as an administrator, you can grant Epiteera access directly. You click the Grant Admin Consent button, which takes you to Microsoft's official admin consent page, hosted entirely by Microsoft on login.microsoftonline.com. There you can review the list of permissions Epiteera is requesting and approve them for your entire organisation. Before you accept, confirm that the address bar shows login.microsoftonline.com and that the application name and the permission list match what you expect to be granting.

Screenshot: Microsoft admin consent page

After you click Accept, Microsoft redirects you back to Epiteera's consent callback page. Epiteera verifies the connection and runs a licence check in the background.

Screenshot: Consent callback — verifying state

If everything checks out, you land on a success screen and can navigate directly to your dashboard to run your first health check.

Screenshot: Consent callback — success state

If you clicked Cancel on the Microsoft consent page instead, you are returned to the callback with a clear message that access was not granted, and no changes are made to your tenant.

Path 2: You are a standard user

If you sign in without a privileged directory role, Epiteera cannot complete the setup on your behalf — only an administrator can grant the required permissions. The setup dialog adapts accordingly.

Screenshot: Setup connection modal — non-admin view

Instead of a consent button, you see a copyable link. This is a pre-generated, one-time consent URL tied to your setup session and to your tenant. Copy it and forward it to your Global Administrator by email, Teams message, or whichever channel you normally use. The link can only be accepted by an administrator of your tenant, and they will see the same Microsoft consent page, so they can check the application name and permissions before approving.

Once you have sent the link, click I've sent the link to my admin. The dialog moves into a waiting state.

Screenshot: Setup connection modal — waiting state

Your administrator opens the link in their browser. If they are not already signed in to Microsoft, they are prompted to do so first. They then see the same Microsoft consent page as in Path 1, review the requested permissions, and click Accept.

After the administrator grants consent, Epiteera's callback page processes the approval automatically — even without you being present. No further action is needed from your administrator beyond clicking Accept on that page.

Screenshot: Consent callback — success state (admin's browser)

Back in your browser, click Verify. Epiteera checks whether the connection is now active. If the administrator has completed the process, you are taken straight to the dashboard.

Screenshot: Verify button — success

If the administrator has not finished yet, you see a verification-not-successful message, with the option to re-share the consent link and try again once they have completed the step.

Screenshot: Verification failed state
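The consent round trip described in Path 1 and Path 2 (a one-time link bound to the tenant that started setup, Microsoft's redirect back to a callback page, and the Verify check) follows the shape below. This is an added illustration written for this article, not Epiteera's code. The endpoint and the `state`, `tenant`, `admin_consent` and `error` query parameters are those of Microsoft's documented v2.0 admin consent endpoint; the client ID, redirect URI, scope and in-memory stores are placeholders.

```python
"""Admin consent link generation and callback validation (illustrative).

Not Epiteera's code. Endpoint and parameter names follow Microsoft's v2.0
admin consent endpoint; CLIENT_ID, REDIRECT_URI, SCOPE and the in-memory
stores are placeholders for a real app registration and server-side state.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENT_ID = "00000000-0000-0000-0000-000000000000"        # placeholder
REDIRECT_URI = "https://app.example.com/consent/callback"  # placeholder
SCOPE = "https://graph.microsoft.com/.default"             # placeholder

# Setups awaiting consent, keyed by one-time state. A real app keeps this
# server-side with a short TTL; a dict is used here so the example runs alone.
pending: dict[str, dict[str, str]] = {}
# Tenant IDs for which consent has been confirmed.
connected: set[str] = set()


def build_consent_url(expected_tenant: str) -> str:
    """Return a single-use admin consent URL bound to one tenant.

    expected_tenant should be the tenant ID (the tid claim) of the user who
    is signed in, never a value the user typed.
    """
    state = secrets.token_urlsafe(32)            # unguessable, one-time
    pending[state] = {"tenant": expected_tenant}
    params = {
        "client_id": CLIENT_ID,
        "state": state,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
    }
    return (f"https://login.microsoftonline.com/{expected_tenant}"
            f"/v2.0/adminconsent?{urlencode(params)}")


def state_of(url: str) -> str:
    """Extract the state parameter from a consent or callback URL."""
    return parse_qs(urlparse(url).query)["state"][0]


def handle_callback(callback_url: str) -> tuple[bool, str]:
    """Validate Microsoft's redirect back to the callback page.

    Returns (connected, message). Runs in whichever browser the administrator
    used, so it must not trust anything but the parameters Microsoft sent.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    state = q.get("state", "")
    setup = pending.get(state)
    if setup is None:
        return False, "Unknown or already-used state; callback ignored."
    if "error" in q:
        # Admin clicked Cancel or consent was denied. Nothing was granted and
        # the link stays usable so the administrator can retry it.
        return False, f"Access was not granted: {q.get('error_description', q['error'])}"
    if q.get("admin_consent") != "True":
        return False, "Callback did not assert admin_consent=True."
    if q.get("tenant") != setup["tenant"]:
        # An administrator of some other tenant consented. Do not link that
        # tenant to this setup, and burn the state so it cannot be retried.
        pending.pop(state)
        return False, "Consent came from a different tenant than the one that started setup."
    pending.pop(state)                           # success: state is single use
    connected.add(q["tenant"])
    return True, f"Tenant {q['tenant']} connected."


def verify(tenant: str) -> bool:
    """What the Verify button checks: has this tenant's consent been recorded?"""
    return tenant in connected
```

The two checks worth copying are the tenant comparison and the single-use state: the callback runs in the administrator's browser, not the requesting user's, so the only thing linking the approval to the original setup is the `state` value, and the `tenant` returned by Microsoft must match the tenant the signed-in user belongs to before the app treats that tenant as connected.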

A special case: approval is pending

In some organisations, administrators do not grant consent themselves. Instead, standard users request access and administrators approve or deny those requests through the Microsoft Entra admin centre (Microsoft calls this the admin consent workflow). If your organisation works this way, you may see an Admin Approval Requested page after signing in, letting you know that your request has been submitted and that you should sign back in once it has been reviewed.

Screenshot: Consent pending page

After consent is granted

Admin consent is a one-time action per tenant. Once an administrator has approved Epiteera, every user in that tenant can sign in and use the app without going through the consent flow again. The connection persists until it is explicitly removed from within the app or until an administrator revokes the granted permissions in Microsoft Entra ID (see the security note below); in the latter case the setup flow appears again on the next sign-in.

Security note

Epiteera never stores your Microsoft credentials. All authentication is handled by Microsoft's own identity platform (Microsoft Entra ID). The permissions granted during admin consent are the minimum necessary to run the health check, and you can review or revoke them at any time from the Microsoft Entra admin centre: open Enterprise applications, select the Epiteera entry, and check its Permissions page, where each granted permission is listed and can be revoked. The approval itself is also recorded in the Entra audit log, so you can see which administrator consented and when.

Ready to run your first health check? Sign in and follow the setup flow above — it takes less than two minutes.

Start your free Health Check