Office365/Azure offers a number of different levers that affect consent and permissions for apps such as Gem. This is a guide on these settings, all of which can only be changed by an Azure administrator.
Allow users to 'self-consent'
In the Azure portal, select Azure Active Directory Enterprise applications Consent and permissions User consent settings. Select the option “Allow user consent for apps” for "User consent for applications” setting. This will allow users to consent for apps for themselves and will not require intervention by an admin. More details can be found here: Azure documentation.
Allow users to submit consent requests to admins
In Azure portal, select Azure Active Directory Enterprise applications Manage User settings. Select “Yes” for “Users can request admin consent to apps they are unable to consent to”. You should also select other appropriate settings in the admin consent request flow. This will allow users to submit a request to an Azure admin when they need to consent to Gem. More details can be found on Azure documentation.
Granting Admin Consent to Gem
Admins can grant consent permissions to Gem on behalf of the whole organization. Once an admin has done so, non-admin users will be able to sign in and integrate with Gem without further admin intervention. There are two methods to do so, depending on whether your Azure administrator will be using Gem or not.
Primary Method
If your Azure administrator will not be a Gem user as well, they can use these steps to grant consent to Gem:
- Locate your Azure tenant ID. IF you're not sure how to do this, you can refer to these instructions from Microsoft:
How to find your Azure Active Directory tenant ID - Enter the following URL in your web browser, replacing <YOUR AZURE TENANT ID> with the tenant ID from step 1:
https://login.microsoftonline.us/<YOUR AZURE TENANT ID>/adminConsent?client_id=4a381d53-6b7a-4388-845a-d069753e1c1e&redirect_uri=https://portal.azure.us/TokenAuthorize
- Review the request screen and grant admin consent.
- The Gem application will now have appropriate permissions granted. You should see the following permissions:
Alternate Method
If an Azure admin is also a Gem user, they should open https://www.gem.com and click login in the upper right corner:
Once logged in, Gem will present a permissions dialog:
Clicking “Grant Access” will bring up a window with the following dialog:
Make sure to check “Consent on behalf of your organization” and click “Accept”. This completes the admin consent for the organization and subsequent user sign-ups will not require admin intervention.
Assigning Groups or Users to Gem
If you only want certain users to have access to Gem, you can assign specific users or groups to Gem and no other users in your Azure AD will be able to have access to Gem. To do so, in Azure portal, select Azure Active Directory Enterprise applications All applications, find Gem in the list of applications and select it. Then select Manage Users and groups. You can then use the “Add user” button to add selective users for Gem.
