When clicked on the 'Generate Access Token' button, a message "Need admin approval" appears.


Article ID: 272164


Products

CA Service Management - Service Desk Manager CA Service Desk Manager

Issue/Introduction

What access rights are needed to generate the Access Token?

Environment

Release : 17.3 and higher
CA Service Desk Manager

Cause

The "Need Admin Approval" message appears when Service Management requests permissions from Entra ID (formerly Azure AD) on behalf of a user as a third party application, and the organization that owns the Azure tenant has either restricted such requests to Azure Administrator users only or disabled the "User Consent" setting.

The specific setting required, under Entra ID > Applications > Enterprise applications > User settings, is "Users can consent to apps accessing company data on their behalf". This must be set to "Yes" for the Service Management integration to go forward.

Resolution

There are several ways to address the security setting. We will discuss two possible approaches.

In all cases, a user with Admin permissions in Azure is needed. We will define "AzureAdmin" as the Azure user with Admin permissions and "SMMailUser" as the user who is assigned to log in to Azure on behalf of Service Management, the integration user.

Method 1:  Granting Consent for the Integration

Note: This is the recommended approach. It enables the permissions necessary to generate the token specifically for the Service Management application.

Prerequisite: SMMailUser has already registered the Service Management product as one of Azure's third party products, attempted to generate an access token, and received "Need Admin Approval".

  1. AzureAdmin logs in to the Microsoft Entra admin center.
  2. Navigate to Identity -> Applications -> Enterprise Applications.
  3. Search for the Service Management product (the entry may be under App Registrations -> All Applications).
  4. Click on the Service Management product. Under Security in the left hand sidebar, click Permissions. A list of "Delegated" or "Application" permissions is shown.
  5. Look for the button labeled "Grant Admin Consent for [Organization]".
  6. Click on the "Grant Admin Consent..." button. The AzureAdmin user will be prompted to log in again.
  7. Review the permissions requested and click Accept.

With the above change, the SMMailUser user should be able to generate the access token.


Method 2:  Admin Approval of Token Generation Request

Prerequisite: SMMailUser has already registered the Service Management product as one of Azure's third party products, attempted to generate an access token, received "Need Admin Approval", and chose "Request Approval".

  1. AzureAdmin logs in to the Microsoft Entra admin center.
  2. Navigate to Identity -> Applications -> Enterprise Applications -> Admin consent requests.
  3. Assuming SMMailUser submitted a "Request Approval", the AzureAdmin should see the pending request.
  4. Click on the pending request and choose "Review permissions and consent" to work through the approval process.

The SMMailUser should then be notified that they can try "Generate Access Token" again, to generate the needed token.
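The following is an added example, not part of the KB article or the Service Management product: a Microsoft Graph PowerShell script an AzureAdmin can run to confirm the state behind the "Need admin approval" message, i.e. the tenant's user-consent setting from the Cause section and whether a consent grant now exists for the integration's enterprise application after Method 1 or Method 2. It assumes the Microsoft.Graph module is installed, that the admin can consent to the read scopes listed in Connect-MgGraph, and that $appDisplayName is replaced with the name shown under Enterprise applications.

```powershell
# Added example, not the article's own content. Assumes the Microsoft.Graph module is installed.
$appDisplayName = 'Service Management'   # placeholder: use the enterprise application name in your tenant

Connect-MgGraph -Scopes 'Application.Read.All','DelegatedPermissionGrant.Read.All','Policy.Read.All' | Out-Null

# 1. Tenant-wide "Users can consent to apps accessing company data on their behalf" setting.
#    An empty list of permission grant policies means user consent is disabled, so every
#    first-time permission request ends in "Need admin approval".
$policy      = Get-MgPolicyAuthorizationPolicy
$userConsent = $policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if (-not $userConsent) {
    Write-Host 'User consent is disabled: all apps require admin consent (Method 1 or Method 2).'
} else {
    Write-Host "User consent is allowed by policy: $($userConsent -join ', ')"
}

# 2. Locate the enterprise application (service principal) for the integration.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "No enterprise application named '$appDisplayName' was found." }

# 3. List the delegated permission grants recorded for it.
#    ConsentType 'AllPrincipals' = admin consent for the whole organization (what the
#    "Grant Admin Consent for [Organization]" button creates);
#    ConsentType 'Principal'     = consent limited to the single user in PrincipalId.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
if (-not $grants) {
    Write-Host 'No delegated permission grants exist yet; Generate Access Token will still be blocked.'
}
foreach ($g in $grants) {
    $who = if ($g.ConsentType -eq 'AllPrincipals') { 'all users (admin consent)' } else { "user $($g.PrincipalId)" }
    Write-Host "Grant $($g.Id): scope '$($g.Scope)' on resource $($g.ResourceId) for $who"
}
```

Seeing a grant with ConsentType 'AllPrincipals' whose Scope lists the permissions the integration requested is the expected state after either method; if only a 'Principal' grant for a different user exists, SMMailUser will still be prompted.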

Additional Information

From "Use the Default Mailbox or Create a Mailbox":

Note:
Microsoft Exchange OAuth 2.0 requires 2 certificates. Provide them as a space-separated value (for example: outlook.cer login_microsoft.cer):
Office 365 certificate
login_microsoft certificate
To generate login_microsoft.cer, open https://login.microsoftonline.com/ in a browser. Click the padlock symbol and export the certificate in Base64 .cer format.

216187: OAuth Setup for Maileater