This article explains why BulkSignature requires admin consent in Microsoft 365, what permissions the BulkSignature Outlook add-in requests, and how a Microsoft 365 global (or Cloud Application) administrator can grant that consent so signatures auto-insert for every user in your tenant.
Prerequisites
Before you begin, confirm that:
You are signed in to BulkSignature as an Account Owner or Admin.
The Microsoft 365 account you will use to grant consent has one of the following roles:
Global Administrator
Cloud Application Administrator
Application Administrator
Third-party app consent is not blocked by a Conditional Access policy that would prevent the consent flow from completing.
Pop-ups are allowed for
login.microsoftonline.comandapp.bulksignature.comin your browser.
Why admin consent is required
Microsoft 365 protects tenants from unreviewed third-party apps with a feature called admin consent. Until an administrator reviews and approves the permissions on behalf of the organization, the add-in cannot read the information it needs to attach signatures automatically — and you will see a banner in BulkSignature that reads:
Outlook add-in needs admin consent. Signatures won't auto-insert for your team until an admin grants tenant-wide consent.
Granting consent once, at the tenant level, removes this banner and allows every licensed user to receive signatures without individually approving the app.
Permissions requested by BulkSignature
When you grant admin consent, you are approving the following Microsoft Graph permissions for the BulkSignature Outlook Add-In:
Permission | What it is used for |
Permission | What it is used for |
Maintain access to data you have given it access to ( | Lets BulkSignature refresh its access token so signatures keep inserting without asking users to sign in again. |
Sign in and read user profile ( | Allows the add-in to identify the signed-in user and map them to the right signature template in BulkSignature. |
These are minimum-privilege, read-only delegated permissions. BulkSignature does not request access to mailbox contents, calendars, files, or directory data.
Step 1 — Open the Integrations page in BulkSignature
Sign in to Email Signature Management - BulkSignature
In the top navigation, click Settings./ or click onto notification bow.
In the left sidebar (Settings Tabs), click Integrations.
You will see the Microsoft 365 integration card. If the add-in still needs to be configured, the card shows a red Action required: set up Outlook add-in notice with a Set up add-in now → button.
Click Set up add-in → to begin deployment.
2 Case — Trigger the admin consent prompt
After the add-in is registered with your tenant, the Microsoft 365 card will update. You will see a notice stating: "The add-in is only deployed for your account."
To ensure your email signatures apply to everyone, you need to deploy it organization-wide:
Click the Open Microsoft 365 Admin Center button.
Inside the Admin Center, navigate to Integrated apps.
Follow the prompts to deploy the add-in to your entire organization.
Click Grant admin consent →. A new Microsoft sign-in window opens.
Step 2 — Review and accept the permissions in Microsoft
A Microsoft Permissions requested — Review for your organization dialog appears.
Expand each item if you want to see the full description, then review the two permissions:
Maintain access to data you have given it access to
Sign in and read user profile
Click Accept.
Step 3 — Confirm consent was recorded
When the consent flow completes, Microsoft redirects you back to BulkSignature, which displays a green Consent granted confirmation. The window closes automatically after a couple of seconds.
Back on the Integrations page, the red/orange "Action required" banner disappears and the Microsoft 365 card shows Connected with a green checkmark. Signatures will now auto-insert for every licensed user in your tenant.
Verifying the consent in Microsoft Entra (optional)
If your organization requires an audit record of which apps have been granted tenant-wide permissions, you can verify BulkSignature from the Microsoft Entra admin center:
Go to entra.microsoft.com and sign in as a global administrator.
Navigate to Identity → Applications → Enterprise applications.
In the All applications list, search for BulkSignature Outlook Add-In.
Open the application and click Permissions in the left menu.
Confirm that Admin consent is listed with the two Graph permissions described above.
You can also visit myapps.microsoft.com at any time to review or revoke consent.
Troubleshooting
The "Grant admin consent" button is missing. You may not be signed in as a BulkSignature admin. Ask your BulkSignature Account Owner to promote you, or have them complete this step instead.
I see "Need admin approval" when choosing an account. The account you selected does not have the permissions required to grant tenant-wide consent. Sign out and try again using a Global Administrator, Cloud Application Administrator, or Application Administrator account.
"AADSTS650056: Misconfigured application" (or a similar AADSTS error) appears. Close the pop-up, return to BulkSignature, and click Grant admin consent again. If the error continues, contact BulkSignature support and include the full AADSTS error code.
Consent was granted, but the banner still shows "Action required." Refresh the Integrations page. If the banner remains after a hard refresh, sign out of BulkSignature and sign back in — the status updates on login. I need to remove BulkSignature's permissions.
Go to Entra admin center → Enterprise applications → BulkSignature Outlook Add-In → Properties → Delete, or remove the app from myapps.microsoft.com. Signatures will stop auto-inserting once consent is revoked.