diff --git a/ADMIN-INSTRUCTIONS.md b/ADMIN-INSTRUCTIONS.md index f4d4971..7cf9bc5 100644 --- a/ADMIN-INSTRUCTIONS.md +++ b/ADMIN-INSTRUCTIONS.md @@ -19,6 +19,18 @@ https://login.microsoftonline.com/{your-tenant-id}/adminconsent?client_id=ba0816 That's it! Users with Copilot licenses can now install and use Work IQ. See the [Work IQ README](https://github.com/microsoft/work-iq-mcp/blob/main/README.md) for end-user installation instructions. +> **⚠️ Known Issue – "Access Denied" on Quick Start URL** +> +> The Quick Start URL above may fail with an **Access Denied** or **AADSTS** error in some tenants. This happens because the Work IQ CLI app registration now includes permissions that target the Work IQ Tools MCP Server resource, and the service principal for that resource may not yet be provisioned in your tenant. +> +> **Workaround:** Use the following URL instead. It requests only the Microsoft Graph permissions, whose service principal is always present in every tenant: +> +> ```text +> https://login.microsoftonline.com/{your-tenant-id}/adminconsent?client_id=ba081686-5d24-4bc6-a0d6-d034ecffed87&scope=Sites.Read.All%20Mail.Read%20People.Read.All%20OnlineMeetingTranscript.Read.All%20Chat.Read%20ChannelMessage.Read.All%20ExternalItem.Read.All +> ``` +> +> To also enable the full Work IQ Tools MCP Server permissions, a PowerShell provisioning script will be provided in a future update. For now, use the alternative consent URL above to get started. + --- ## Table of Contents 
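Review bot: the workaround note should state plainly what an admin loses by consenting through the Graph-only URL. The note says the CLI app registration now includes permissions that target the Work IQ Tools MCP Server resource, and the alternative URL deliberately omits those, so after using it the tenant has consented only to the seven Graph scopes; any feature that depends on the MCP Server permissions will still prompt for or fail on consent, and the admin will have to run a second consent later once the promised PowerShell provisioning script exists. Add a sentence such as "After using this URL, the Work IQ Tools MCP Server permissions remain unconsented; you will need to grant them separately once provisioning is available" so the partial-consent state is documented rather than discovered from error messages. It would also help to name the specific AADSTS code admins should expect, if known, instead of the generic "AADSTS error".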
@@ -268,13 +280,15 @@ For additional security, create a Conditional Access policy: ### Common Issues and Solutions -| Issue | Cause | Solution | -|--------------------------------------|------------------------------|----------------------------------------------------| -| "Admin approval required" prompt | Admin consent not granted | Use the Quick Start URL or Step 3 methods | -| "Insufficient permissions" error | Missing API permissions | Verify all 7 required permissions are consented | -| Users can't sign in | Conditional Access blocking | Review Conditional Access policies | -| "License required" error | User lacks Copilot license | Assign Microsoft 365 Copilot license to user | -| Features not appearing | License propagation delay | Wait up to 24 hours after license assignment | +| Issue | Cause | Solution | +|----------------------------------------------|---------------------------------------------------------------|--------------------------------------------------------------------------| +| "Access denied" / AADSTS error on consent URL | Work IQ MCP Server service principal not provisioned in tenant | Use the [alternative consent URL](#known-issue--access-denied-on-quick-start-url) | +| Work IQ not visible in Enterprise Applications | Service principal not yet provisioned | Use the alternative consent URL described in the Quick Start section | +| "Admin approval required" prompt | Admin consent not granted | Use the Quick Start URL or Step 3 methods | +| "Insufficient permissions" error | Missing API permissions | Verify all 7 required permissions are consented | +| Users can't sign in | Conditional Access blocking | Review Conditional Access policies | +| "License required" error | User lacks Copilot license | Assign Microsoft 365 Copilot license to user | +| Features not appearing | License propagation delay | Wait up to 24 hours after license assignment | ### Verify Admin Consent Status 
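Review bot: the new "Access denied" row links to `#known-issue--access-denied-on-quick-start-url`, but the known-issue text added earlier in this patch is a bold line inside a blockquote (`> **⚠️ Known Issue – ...**`), not a Markdown heading, so GitHub will not generate that anchor and the link will dead-end at the top of the page. Either promote the known issue to a real heading (e.g. `### Known Issue: "Access Denied" on Quick Start URL`, with the link updated to the resulting slug) or change the row to point at the Quick Start section the way the next row does ("Use the alternative consent URL described in the Quick Start section"). Separately, with the workaround applied the "Insufficient permissions" row's advice to "Verify all 7 required permissions are consented" remains accurate only for the Graph scopes; a short parenthetical that the MCP Server permissions are expected to be absent until provisioning is available would stop admins from chasing a non-error.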
@@ -337,5 +351,5 @@ Work IQ provides access to sensitive organizational data including: --- -**Document Version:** 1.3 -**Last Updated:** January 2026 +**Document Version:** 1.4 +**Last Updated:** March 2026
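Review bot: the version bump to 1.4 and the March 2026 date are fine, but nothing in the patch records what changed between 1.3 and 1.4. Since admins who already consented under 1.3 are the ones most likely to hit the "Access Denied" issue this patch documents, a one-line change note next to the version (or in a changelog section, if the document has one) pointing at the known-issue workaround would make the bump actionable rather than cosmetic.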