Greetings,
I've received an access request for a user trying to use an email integration feature in HubSpot.
Why is the request so broad ("If you accept, this app will get access to the specified resources for ALL users in your organization")?
How do I accept this request for only the specific user who requested it and not give HubSpot access to ALL users' mailboxes?
2 Accepted solutions
Hi @DaveM9 , this is a very common point of confusion, and honestly the wording on Microsoft’s side does not help. What you’re seeing is not HubSpot asking for blanket access by default, it’s Microsoft describing the potential scope of an app that supports organization-wide consent.
In Microsoft Entra ID (Azure AD), Outlook integrations like HubSpot are registered as enterprise applications. When the permission prompt says “for all users in your organization,” it means the app can be granted tenant-wide consent by an admin. It does not mean HubSpot automatically gains access to every mailbox just because one user connects their inbox.
If a non-admin user connects their inbox via HubSpot, the consent is scoped to that specific user mailbox only. Other users are not connected, and HubSpot cannot read or send mail on their behalf. Each user still has to explicitly connect their own inbox inside HubSpot. HubSpot explains this flow here: https://knowledge.hubspot.com/connected-email/connect-your-inbox-to-hubspot
The only time this becomes organization-wide is if you, as an admin, explicitly approve admin consent for the HubSpot app in Entra ID. That’s typically done to avoid repeated consent prompts, not to auto-connect everyone’s email. Even then, mailboxes are still not connected in HubSpot unless users complete the inbox connection step themselves.
So short answer: there is no way to “partially accept” that Microsoft prompt. Accepting it does not grant HubSpot access to all mailboxes. It simply allows the app to exist at the tenant level. Actual mailbox access remains per-user and opt-in. This behavior hasn’t really changed with how HubSpot works today in 2025, it’s still driven by Microsoft’s OAuth and consent model rather than HubSpot’s settings. Hope that clears it up.
Did my answer help? Please mark it as a solution to help others find it too.
 | Ruben Burdin HubSpot Advisor Founder @ Stacksync Real-Time Data Sync between any CRM and Database |
 | |
Hi @DaveM9 , this is a very common point of confusion, and honestly the wording on Microsoft’s side does not help. What you’re seeing is not HubSpot asking for blanket access by default, it’s Microsoft describing the potential scope of an app that supports organization-wide consent.
In Microsoft Entra ID (Azure AD), Outlook integrations like HubSpot are registered as enterprise applications. When the permission prompt says “for all users in your organization,” it means the app can be granted tenant-wide consent by an admin. It does not mean HubSpot automatically gains access to every mailbox just because one user connects their inbox.
If a non-admin user connects their inbox via HubSpot, the consent is scoped to that specific user mailbox only. Other users are not connected, and HubSpot cannot read or send mail on their behalf. Each user still has to explicitly connect their own inbox inside HubSpot. HubSpot explains this flow here: https://knowledge.hubspot.com/connected-email/connect-your-inbox-to-hubspot
The only time this becomes organization-wide is if you, as an admin, explicitly approve admin consent for the HubSpot app in Entra ID. That’s typically done to avoid repeated consent prompts, not to auto-connect everyone’s email. Even then, mailboxes are still not connected in HubSpot unless users complete the inbox connection step themselves.
So short answer: there is no way to “partially accept” that Microsoft prompt. Accepting it does not grant HubSpot access to all mailboxes. It simply allows the app to exist at the tenant level. Actual mailbox access remains per-user and opt-in. This behavior hasn’t really changed with how HubSpot works today in 2025, it’s still driven by Microsoft’s OAuth and consent model rather than HubSpot’s settings. Hope that clears it up.
Did my answer help? Please mark it as a solution to help others find it too.
| | Ruben Burdin HubSpot Advisor Founder @ Stacksync Real-Time Data Sync between any CRM and Database |
| | |
