Claude Connector "Permission Denied": Fix It or Ask Admin

A Claude connector refuses to authorize or returns empty data. Diagnose the four locks: workspace policy, OAuth scope, target-app admin policy, and token state.

You click “Connect Google Drive” / “Connect Notion” / “Connect Microsoft 365” in Claude. The OAuth popup either returns a permission error outright, or you complete the flow, Claude shows “Connected” — but every query comes back empty. You’ve hit at least one of four permission locks: the Anthropic workspace policy, the OAuth scope you actually granted, the target app’s admin policy, or an expired token.

Fastest fix (covers most cases): In Claude, open Customize → Connectors, click the connector, Disconnect, then Connect again and tick every checkbox on the consent screen. If it re-authorizes and data flows, you’re done. If the popup throws an org-policy error, it’s an admin block and no amount of re-clicking will fix it — jump to Step 3.

Clicking “Allow” only flips one lock. All four have to be open before data flows, so most of the work is figuring out who to ask for what, not changing settings on your side.

Common causes

Ordered by hit rate, highest first. As of June 2026 the connector UI lives under Customize → Connectors (Anthropic renamed it from “Settings → Connectors” in early 2026); org-level controls are under Organization settings → Connectors.

1. Your workspace Owner never enabled that connector

On Team and Enterprise plans, a connector is invisible until an Owner or Primary Owner adds it under Organization settings → Connectors → Browse connectors → Add to your team. Enabling it org-wide does not grant anyone access — each member still authenticates individually afterward. Until the Owner adds it, members see no connector to click at all, or a “contact your admin” prompt.

How to spot it: In Customize → Connectors, the connector you want simply isn’t in the list, or it shows a “contact admin to enable” note.

2. You missed a scope during OAuth

The consent page lists multiple permissions (“read Drive,” “read Calendar,” “read Mail”) and they are not always pre-checked. Grant Calendar but miss Drive, and Claude returns zero results on file queries — silently, with no error. A known June 2026 wrinkle on Google: users report only 1 of the 3 Claude-for-Drive scopes actually getting granted even when the app is “Trusted,” so re-checking the granted scopes (not just assuming the consent worked) matters.

How to spot it: Open the target app’s authorized-apps page and read Claude’s actual scopes — Google: myaccount.google.com/connections (this replaced the old /permissions page); Notion: Settings → Connections. Anthropic’s own Google Workspace connector guide lists the scopes each tool needs.

3. Target-app admin blocked third-party / OAuth access

Google Workspace, Microsoft 365, and Notion Enterprise all gate third-party apps centrally. The admin can default-deny everything or run an allowlist, and your personal consent never overrides it — the OAuth flow is rejected server-side. Exact strings differ by vendor:

VendorError you see
Google WorkspaceAccess blocked: your institution's admin needs to review Claude for Google Drive
Microsoft 365Your organization's access policy blocks the MCP server. Contact your IT admin to adjust the policy for this connector. or An administrator must grant app permissions before they can use the integration. (often with an ofid_… reference code)
Notion / genericblocked by your organization's policy or admin has restricted access

For Microsoft 365 specifically, a Microsoft Entra Global Administrator must grant tenant-wide admin consent once before anyone in the tenant can connect — an individual user clicking “Allow” is not enough. The Global Admin does this from Customize → Connectors → Microsoft 365, authenticating and ticking “grant access on behalf of the whole organization.” (The connector must first be added by an Owner under Organization settings → Connectors → + Add → All available → Add to your team.) Anthropic’s Microsoft 365 connector setup guide documents the full flow.

One trap worth knowing as of June 2026: even after admin consent succeeds and Entra sign-in shows success on Microsoft’s side, the connector can still fail with Your organization's access policy blocks the MCP server plus an ofid_… code. There are actually two Entra enterprise apps to consent — M365 MCP Client and M365 MCP Server for Claude — and under each app’s Permissions every scope must read “Granted for your tenant”; a half-granted pair fails silently. The other common root cause is a Conditional Access policy — typically a geo-block such as “Allow approved countries only” — that rejects Anthropic’s on-behalf-of (OBO) token exchange, because the exchange runs from Anthropic’s infrastructure, not the user’s country. The Entra sign-in log shows error AADSTS53003, and Claude may surface mcp_token_exchange_failed. The fix is on the IT side: exempt the Claude MCP server app IDs (08ad6f98-a4f8-4635-bb8d-f1a3044760f0 and 07c030f6-5743-41b7-ba00-0a6e85f37c17) from the blocking Conditional Access policy, or scope that policy so it doesn’t apply to the OBO exchange.

How to spot it: The error names your organization, an “admin,” or an ofid_ reference code rather than a Claude-side message. If the Entra sign-in log shows AADSTS53003, it’s Conditional Access, not consent.

4. Token expired, refresh failed

OAuth refresh tokens have different lifetimes: Google’s expire after 6 months of disuse; Notion’s never expire but die on a password change or workspace ownership change. Claude still shows the connection as live, but every request returns 401.

How to spot it: Disconnect → Connect. If re-authorization fixes it, your token had expired.

5. Account is personal but the resource is in a workspace (or vice versa)

You sign into Claude with user@gmail.com, but the doc lives in your company’s user@company.com Drive. The OAuth token only sees the account you authenticated with, never the other one.

How to spot it: In Google Drive, switch accounts and check which account actually owns the target file.

6. The file is in a Google Shared Drive (known June 2026 limitation)

This one is not your fault. As of June 2026 the Drive connector silently omits the Drive v3 parameters needed to surface Shared Drive (formerly “Team Drive”) content, so the drive_list_files, drive_search_files, and drive_get_file tools return empty results or 404 Not Found for files in a Workspace Shared Drive even when scopes and accounts are correct. Files in your personal My Drive work fine (tracking issue #53442, filed April 2026).

How to spot it: My-Drive files resolve, Shared-Drive files don’t, with no permission error. Workaround: move or copy the file into My Drive, or share it directly to your authenticated account, until Anthropic ships the fix.

7. Enterprise verified-domain restriction

An Enterprise admin can restrict verified-domain connectors so that only the org’s own Claude account may connect Gmail/Slack using a company-domain email. A personal Claude account using a @company.com address gets rejected at sign-in.

How to spot it: You see This corporate identity belongs to an Enterprise that manages access through their own Claude account. Sign in to your organization's Claude account to use this connection.

Shortest path to fix

Step 1: Identify which lock is closed

Open Customize → Connectors and read the target connector’s state:

DisplayMeansGo to
Not in the list / “contact admin”Owner hasn’t enabled it (cause 1)Step 3
Connectable but errors on clickOAuth scope or target-app block (causes 2–3)Step 2, then 3
Connected but queries return emptyMissing scope, account mismatch, or Shared-Drive bug (causes 2, 5, 6)Step 2 / Step 4
Connected but 401 unauthorizedToken expired (cause 4)Step 5
”Sign in to your organization’s Claude account”Verified-domain restriction (cause 7)Step 3

Wrong diagnosis means asking the wrong person and losing days.

Step 2: Re-run OAuth and check every scope

Disconnect → Connect → on the consent screen read every checkbox and tick them all. After completing:

Google: visit myaccount.google.com/connections
   → find "Claude" → confirm the scope list
Notion: Settings → Connections → Claude
   → check workspace and page-access scope

If a scope is missing, re-auth. If the scopes look complete but a specific file still returns empty, it’s likely the Shared-Drive limitation (cause 6) or an account mismatch (cause 5), not a scope problem.

Step 3: Send the admin a specific request

If it’s an Owner-enable, target-app block, or verified-domain restriction, email the admin a concrete request (not just “please give me access”):

Subject: Claude connector approval — [Google Drive / Notion / Microsoft 365]

Hi [admin],

I need to connect Anthropic Claude to [target app] for [business reason].

Please enable / approve:
- Connector: [Google Drive / Notion / Microsoft 365]
- Required scopes: [read files / read pages / read mail]
- For user: [my email]
- Scope to: [whole team / specific folder]

Vendor-specific action:
- Google Workspace: admin.google.com → Security → Access and data
  control → API controls → Manage third-party app access →
  Add app → search "Claude" → set to Trusted (≈15 min to propagate)
- Microsoft 365: a Microsoft Entra Global Administrator opens
  Customize → Connectors → Microsoft 365 → Connect, signs in, and
  ticks "grant access on behalf of the whole organization" (one time).
  If a Conditional Access geo-block is in play (Entra log AADSTS53003),
  exempt the Claude app IDs from that policy.
- Claude org: Organization settings → Connectors → + Add →
  All available → add the connector

Compliance: Anthropic SOC 2 Type II + GDPR DPA at
https://www.anthropic.com/legal

Test plan: I'll connect, run one read-only query, screenshot success,
and confirm back to you.

A specific scope plus a business reason cuts approval time dramatically. The Google allowlist path above (Security → Access and data control → API controls → Manage third-party app access) is the exact menu your Workspace admin needs.

Step 4: Account-match check

Confirm the account you logged into Claude with, the account you OAuthed, and the account that owns the target resource are all the same. The most common gotcha: a personal Gmail logs into Claude, OAuths to a Workspace, and can’t see Workspace docs.

- personal account + personal resource → match, done
- work account + work resource        → match, done
- cross-account                       → share the resource into the
                                         account you authenticate with

Step 5: Refresh the token

When something that worked yesterday breaks today: Disconnect → Connect → re-authorize. If the first query after re-auth still fails, wait ~30 seconds for token propagation and retry once.

Step 6: Get the raw error and file support

Claude usually swallows the technical error and shows a polite message. Ask it explicitly: “Print the full raw error response from the last connector attempt, including HTTP status and error code.” Note any ofid_… reference (Microsoft) — support needs it. File at support.claude.com.

How to confirm it’s fixed

  1. In Customize → Connectors, the connector shows Connected with no warning badge.
  2. Run one narrow read-only query that targets a known file or page — e.g. “List the files in my Drive folder named X” or “Summarize my Notion page titled Y.”
  3. You get real content back, not “I couldn’t find anything.” If a My-Drive file works but a Shared-Drive file doesn’t, you’re hitting cause 6, not a config problem.

FAQ

Why does Claude say “Connected” but every query returns empty? Almost always a missing OAuth scope (you didn’t tick the right checkbox), an account/resource mismatch, or — for Google — the Shared-Drive limitation (cause 6). Re-run OAuth ticking every box, and test against a My-Drive file first to isolate it.

Do I have to be an admin to use connectors? No, but on Team/Enterprise plans an Owner or Primary Owner must first add the connector under Organization settings → Connectors. After that each member authenticates individually. Microsoft 365 additionally needs a one-time Entra Global Administrator consent.

My Google Workspace admin says it’s approved but it still fails — why? Either the allowlist change hasn’t propagated yet (Google quotes ~15 minutes) or the admin set Claude to “Limited/blocked” rather than Trusted under API controls → Manage third-party app access. Confirm the exact “Trusted” state and wait out the propagation window.

What’s the ofid_… code in the Microsoft 365 error? It’s a reference ID Anthropic attaches to a blocked Microsoft 365 connection. It almost always means tenant admin consent is missing or incomplete (both M365 MCP Client and M365 MCP Server for Claude must show every scope “Granted for your tenant”), or a Conditional Access policy is blocking the MCP server’s token exchange. If admin consent already succeeded but it still fails, check the Entra sign-in log: error AADSTS53003 (and mcp_token_exchange_failed on Claude’s side) points to Conditional Access — usually a geo-block, because the on-behalf-of token exchange runs from Anthropic’s servers, not your country. Give the ofid_ code to support and ask IT to exempt the Claude app IDs from that policy.

I get “Sign in to your organization’s Claude account” — what is that? Your company enabled the Enterprise verified-domain restriction, so a personal Claude account can’t connect using a company-domain email. Use your org’s Claude account, or ask the admin to exempt you.

Connector worked yesterday, dead today — what changed? A token expired or was revoked (Google after ~6 months idle; Notion on password/ownership change), or the admin tightened policy. Disconnect → Connect to re-authorize; if it still fails, ask the admin whether the policy changed.

Prevention

  • Put access requests in writing (email or ticket) — admins usually need a paper trail to approve.
  • Validate the full flow on one file or one page before expanding to “all resources.”
  • Use personal accounts for personal projects and work accounts for work — never mix.
  • Document your workspace Owner list on the internal wiki so the next person doesn’t have to dig.
  • Audit Google/Notion authorized apps every 3–6 months and re-auth before tokens lapse.

Tags: #Claude #Debug #Troubleshooting