Approving Double Nickel Email and Calendar Access (Restricted to Specific Users)
Overview
This guide explains how to approve the Double Nickel Microsoft 365 integration while:
Avoiding organization-wide mailbox access
Restricting usage to specific users only
Completing setup entirely within the Microsoft Entra Admin Center (no PowerShell required)
Security Model Overview
Double Nickel uses delegated OAuth access.
This means:
The application can only access the mailbox of a user who signs in and authorizes it.
It cannot access other users’ mailboxes.
Administrators can restrict which users are permitted to authenticate.
Granting admin consent does not provide access to all mailboxes. Access remains limited to authenticated users.
Step 1 — Trigger the Application Registration (User Action)
Before an administrator can approve the application, it must exist in the tenant.
Have one intended user:
Log into Double Nickel.
Navigate to Settings → Users
Click on the selected user, click Edit.
Click Connect Email.
When prompted with “Admin approval required,” stop.
This action creates the Enterprise Application entry inside Microsoft Entra.
Step 2 — Grant Admin Consent in Microsoft Entra
Required role: Global Administrator or equivalent permissions.
2.1 Open the Microsoft Entra Admin Center
Go to:
https://entra.microsoft.com
Navigate to:
Entra ID → Enterprise Applications → All Applications
2.2 Locate the Application
Search for the name shown on the Microsoft approval screen. It may appear as:
Nylas
Double Nickel
Or the integration provider name (Cal.com) displayed in the consent prompt
Select the application.
2.3 Grant Admin Consent
Navigate to Permissions.
Review the requested permissions (typically):
User.Read
Mail.Send
Mail.Read
Calendars.Read
Calendars.ReadWrite
Select:
Grant admin consent for [Your Organization]
Confirm by selecting Accept.
This allows the application to operate in the tenant but does not grant access to all mailboxes.
Step 3 — Restrict Access to Specific Users (Required for Limited Access)
To prevent organization-wide access, user assignment must be required.
3.1 Enable Assignment Requirement
Within the same Enterprise Application, navigate to Properties.
Set:
Assignment required? → Yes
Select Save.
This ensures only explicitly assigned users can authenticate with the application.
3.2 Assign Approved Users
Navigate to Users and Groups.
Select Add user/group.
Choose:
Specific individual users, or
A Security Group (recommended)
Select Assign.
Only assigned users will now be able to connect their Microsoft accounts to Double Nickel.
Step 4 — Users Complete the Connection
After approval and assignment:
Assigned users return to Double Nickel.
Click Connect Microsoft Account again.
Sign in with their Microsoft credentials.
Approve the Microsoft consent screen.
The connection should complete successfully.
Optional: Enable the Admin Consent Request Workflow
If your organization blocks user consent globally, you may enable Microsoft’s built-in approval workflow.
In Microsoft Entra, navigate to:
Enterprise Applications → Consent and Permissions → Admin Consent Settings
Enable:
Users can request admin consent → Yes
Assign one or more reviewers.
Users will then be able to submit approval requests directly through Microsoft’s interface.
Security Controls Summary
Control | Purpose |
Admin Consent | Allows the application to operate within the tenant |
Assignment Required | Restricts which users may use the application |
Delegated OAuth | Limits mailbox access to authenticated users only |
Troubleshooting
If users continue to experience connection issues:
Confirm admin consent has been granted.
Confirm “Assignment required” is enabled.
Confirm the user is assigned to the application.
Have the user sign out of Microsoft completely and retry the connection.
Verify that conditional access policies are not blocking third-party app access.