
Microsoft 365 Outlook — IT setup (delegated mail)

This guide explains how to register an application in Microsoft Entra ID (Azure AD) so Higent can use delegated permissions to access Microsoft Graph on behalf of signed-in users (send mail as the user, read/write mail where your use case requires it).

Delegated means each user (or mailbox owner) completes a Microsoft sign-in and consent flow once.


What you are provisioning

  • App registration: identifies Higent’s OAuth client to Microsoft.
  • Delegated Graph permissions: the signed-in user authorizes the mail actions Higent performs as that user.
  • Redirect URI: where Microsoft returns the user after sign-in (must match Higent’s callback URL exactly).
  • Client secret: used server-side for the token exchange.

Part 1 — Azure / Entra: app registration

1.1 Create the app registration

  1. Sign in to the Microsoft Entra admin center (or the Azure Portal — App registrations).

  2. Go to App registrations → New registration.

  3. Choose a display name (e.g. higent).

  4. Supported account types

    • Single tenant (recommended for most enterprises): Accounts in this organizational directory only.
  5. Complete the wizard.

[Screenshot: New app registration in Microsoft Entra: name and supported account types]


1.2 Record identifiers

On the app’s Overview page, copy:

  • Application (client) ID → Higent field: client ID
  • Directory (tenant) ID → Higent field: tenant ID (for single-tenant apps, use this GUID rather than common)

[Screenshot: App overview showing Application (client) ID and Directory (tenant) ID]


1.3 Configure authentication — redirect URI

Use this exact Web redirect URI (path is fixed by the product):

https://app.higent.ai/api/integration/outlook/callback

In Entra: App registration → Authentication → Platform configurations → Add a platform → Web → add the URL above.
Save the configuration.

[Screenshot: Authentication: Web platform with Outlook redirect URI]

Important: The redirect URI in Entra must match this URL character for character (including scheme, host, path and the absence of a trailing slash). If it differs, users will see a redirect URI mismatch error after signing in at Microsoft.

Optional: under Implicit grant and hybrid flows, leave default unless your tenant policy requires otherwise; Higent’s flow uses the authorization code pattern.


1.4 API permissions — Microsoft Graph (delegated)

Go to API permissions → Add a permission → Microsoft Graph → Delegated permissions.

Add at least the following (aligned with Higent’s default delegated scopes for mail tools):

  • Mail.Send: send email as the signed-in user.
  • Mail.ReadWrite (optional): read/update the mailbox (broader Outlook automation in Higent, not only “send”).
  • offline_access: issue a refresh token so Higent can obtain new access tokens without repeated user prompts.
  • openid: OpenID Connect sign-in.
  • profile: basic profile for sign-in.
  • email: email claim in the token (sign-in / identification).
  • User.Read: sign in and read the user profile via Microsoft Graph (often listed in Entra next to the OIDC scopes).

Then click Grant admin consent for your organization where policy requires admin-approved permissions.

[Screenshot: API permissions: Microsoft Graph delegated permissions with admin consent]

If you intentionally restrict permissions (e.g. only send), coordinate with support—some product features assume Mail.ReadWrite.


1.5 Client secret

  1. Certificates & secrets → New client secret.
  2. Set an expiry per your security policy; copy the secret value immediately (it is not shown again).
  3. Store it in your enterprise secret vault; paste it once into Higent’s organization Outlook configuration (Part 2).

[Screenshot: Certificates & secrets: new client secret]

Certificate-based authentication can replace a secret in principle, but Higent’s current Outlook integration is built around a client secret. Use a secret unless you were given a certificate-based procedure.


Part 2 — Connecting Azure to Higent (organization credentials)

Higent splits Outlook configuration into:

  1. Organization (tenant-wide) app registration: client ID, client secret, tenant ID, optional delegatedScopes string.
  2. Per-user tokens — via the Connect OAuth button (Part 3); users do not enter secrets.

2.1 Where to enter credentials

  1. Open Settings → Integrations → Outlook.

  2. Ensure the configuration is scoped to the organization (not an end-user-only row): the app registration applies tenant-wide.

  3. Enter:

    • clientId — Application (client) ID from Azure.
    • clientSecret — the client secret value.
    • tenantId — Directory (tenant) ID for single-tenant apps (recommended), or common / organizations only if your Entra multitenant setup requires it.
    • delegatedScopes (optional) — space-separated list. If omitted, Higent uses its default, equivalent to:
      offline_access openid profile email https://graph.microsoft.com/Mail.Send https://graph.microsoft.com/Mail.ReadWrite
      If User.Read is also granted in Entra, append https://graph.microsoft.com/User.Read so the OAuth scope string matches app permissions.
  4. Save the configuration.

[Screenshot: Higent: Outlook integration, organization configuration (client ID, secret, tenant ID)]

After saving, the org has the OAuth application Higent needs. Sending mail still requires each user to choose Connect (Part 3) so Higent receives that user’s refresh token.
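As an added example (not Higent’s or Microsoft’s code), the following Python shows the two consistency checks this part relies on, that the delegatedScopes string lines up with the delegated permissions configured in Entra (Part 1.4) and that the redirect URI matches the product callback exactly (Part 1.3), and how those values end up in the authorization request a user is sent to on Connect. The tenant ID, client ID and the Entra permission set are constructed sample values.

```python
from urllib.parse import urlencode

# Fixed values from this guide.
REDIRECT_URI = "https://app.higent.ai/api/integration/outlook/callback"
DEFAULT_DELEGATED_SCOPES = (
    "offline_access openid profile email "
    "https://graph.microsoft.com/Mail.Send https://graph.microsoft.com/Mail.ReadWrite"
)
GRAPH_PREFIX = "https://graph.microsoft.com/"


def normalize_scopes(delegated_scopes: str) -> set[str]:
    """Reduce the space-separated scope string to bare permission names as
    they appear in the Entra API permissions list. Graph scopes lose their
    resource prefix; OIDC scopes are already bare. A bare non-OIDC name is
    treated here as a Graph scope (Microsoft Graph is the default resource)."""
    return {s[len(GRAPH_PREFIX):] if s.startswith(GRAPH_PREFIX) else s
            for s in delegated_scopes.split()}


def scopes_vs_entra(delegated_scopes: str, entra_delegated: set[str]) -> dict:
    """Compare what Higent requests at sign-in with what the app registration
    is allowed to ask for. Requested-but-unconfigured scopes surface to users
    as unexpected consent prompts or 'admin approval required'; configured-
    but-never-requested ones are granted-but-unused rights worth removing."""
    requested = normalize_scopes(delegated_scopes)
    return {
        "missing_in_entra": requested - entra_delegated,
        "unused_in_entra": entra_delegated - requested,
    }


def redirect_uri_matches(configured: str) -> bool:
    """Entra matches the Web redirect URI exactly: a trailing slash or a
    different case in the path is a different URI."""
    return configured == REDIRECT_URI


def build_authorize_url(tenant_id: str, client_id: str,
                        delegated_scopes: str, state: str) -> str:
    """Authorization-code request a user is redirected to on Connect (Part 3);
    tenant_id is the directory GUID for single-tenant apps."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": delegated_scopes,
        "state": state,  # opaque anti-CSRF value bound to the user's session
    }
    return (f"https://login.microsoftonline.com/{tenant_id}"
            f"/oauth2/v2.0/authorize?{urlencode(params)}")
```

Run scopes_vs_entra against the permission names you actually granted in Entra before handing the configuration to users; an empty missing_in_entra set is what you want.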


Part 3 — Per-user connection (Connect)

Each user who should use Outlook through Higent must authorize Microsoft once (or again after revocation or password changes, as applicable).

3.1 Typical flow

  1. User opens https://app.higent.ai/ktr-solutions/configuration.
  2. Clicks Add integration (or equivalent).
  3. Searches for Outlook.
  4. Clicks Connect (or Reconnect).

[Screenshot: Higent: Outlook Connect button / OAuth area]

  5. Browser redirects to login.microsoftonline.com for your tenant.
  6. User signs in with their Microsoft 365 work account.

[Screenshot: Microsoft sign-in page (organization account)]

  7. Microsoft shows the permissions / consent screen for the delegated rights (for example send mail, read/write mail where configured).

[Screenshot: Microsoft: requested permissions for the app]

  8. User returns to Higent with success; Connect may now show as connected.

[Screenshot: Higent: Outlook after successful OAuth connection]

  • If admin consent was granted in Entra (Part 1.4), users may still see a consent screen, but typically not “admin approval required” for those permissions.
  • Conditional Access, IP restrictions, or device compliance policies still apply to the user’s sign-in.

Summary checklist

  • App registration created (correct account type for your tenant).
  • Web redirect URI: https://app.higent.ai/api/integration/outlook/callback.
  • Delegated permissions: Mail.Send, Mail.ReadWrite (optional, for broader features), offline_access, openid, profile, email, User.Read (adjust only with product guidance).
  • Admin consent granted in Entra.
  • Client secret created and recorded securely.
  • Higent org Outlook: clientId, clientSecret, tenantId saved.
  • Each mailbox user completes Connect in Higent.