Set up your Microsoft 365 Azure app

Register your application

1. Sign in to the Azure portal using your personal, work, or school Microsoft 365 account.
2. In the left-hand navigation panel, click Azure Active Directory.
3. After the Azure Active Directory page opens, click App registrations.

4. Click + New registration in the top navigation bar.

   
   

   

   
   
5. Enter a Name for your application (e.g., "Office365App").

6. Under Supported account types, select the option that applies to you. For more information about which option to select, below are Microsoft's recommendations:

   • Accounts in this organizational directory only - Use this option if your target audience is internal to your organization.
   • Accounts in any organizational directory (Any Azure AD directory - Multitenant) - Use this option if your target audience is business or educational customers and to enable multitenancy.
   • Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) - Use this option to target the widest set of Microsoft identities and to enable multitenancy.

7. Under Redirect URI (optional), enter a URI address (if applicable).

   The Microsoft Authentication Library (MSAL.NET) uses a default redirect URI: https://login.microsoftonline.com/common/oauth2/nativeclient. This value will likely work for you when using the Interactive Token authentication type.
   • Your selection is dependent on your authentication type. For more information on this topic, see the Unattended and Attended Automation section in the Microsoft 365 Scope activity details page).
   • In our example, the organization supports multi-tenant authentication and can only use the Interactive Token authentication type which requires a redirect URI.
   • If you use Interactive Token and the default Microsoft Redirect URI, you must add a platform of type Mobile and desktop applications. For more information, see the Microsoft documentation.
   • If your authentication type is Integrated Windows Authentication or Username and Password, you don't need to register a redirect URI for your application. These flows do a round trip to the Microsoft identity platform v2.0 endpoint, and your application won't be called back on any specific URI.
   • When working with Microsoft 365 in a UiPath Studio project targeting .NET 5.0, the clients should add http://localhost to the Redirect URI of their custom applications.

     For more information, see Desktop app-registration in the Microsoft identity platform documentation.

8. Click Register. An example configuration is available in the screenshot below.

   Note: This setup is just an example. Follow the steps described in the documentation and make selections based on your organization's policies.
   
   

   

   
   

Add API permissions

1. From your registered application page (Azure portal > Azure Active Directory > App registrations > Office365App), click API permissions in the left-hand navigation panel.
2. After the API permission page opens, click + Add a permission (this opens the Request API permissions window).
3. Under Select an API, click Microsoft APIs (may be open by default).

4. Under Commonly used Microsoft APIs, click Microsoft Graph.

   
   

   

   
   

5. Under What type of permissions does your application require?, click Delegated permissions or Application permissions to show the list of permissions. Application permissions must be set when the value of AuthenticationType in the Microsoft Office 365 Scope activity is set to ApplicationIdAndSecret or ApplicationIdAndCertificate. The other authentication types available in Microsoft Office 365 Scope activity require Delegated permissions.

   For more information about permission types, see Configure a client application to access web APIs in the Microsoft Azure documentation.

   Important:

   Some activities do not support ApplicationIdAndSecret or ApplicationIdAndCertificate authentication type (e.g. Find Meeting Times).

   For email activities, it is mandatory to specify a value for the Account parameter (i.e. which mailbox of all tenant's mailboxes do you want to use).

   When using this authentication type, the application has access to all mailboxes from your tenant, the reason being that application API permission Mail.Read means Read mail in all mailboxes and Mail.ReadWrite means Read and write mail in all mailboxes.

   One solution is to restrict Application permissions to specific mailboxes, so the application has access only to the specified mailboxes.

   For more information, see Scoping application permissions to specific Exchange Online mailboxes.

   Use Sites.Selected application permission to allow the application to access just the specific SharePoint site collections rather than all.

6. Use the search bar or scroll down the alphabetical list and select the following permissions:

   • Calendar

     • Calendars.Read
     • Calendars.ReadWrite

   • Files

     • Files.Read
     • Files.Read.All
     • Files.ReadWrite
     • Files.ReadWrite.All

   • Sites

     • Sites.Read.All
     • Sites.ReadWrite.All

   • Mail

     • Mail.Read
     • Mail.ReadWrite
     • Mail.Send

   • Shared\*

     • Mail.Read.Shared
     • Mail.ReadWrite.Shared
     • Mail.Send.Shared
     • Calendars.Read.Shared

     • Calendars.ReadWrite.Shared

       \* Scopes needed to access resources that are shared with, but not owned by, the user.

   • Click Add permissions (returning you to your list of API permissions)

     
     

     

     
     

7. Verify your API permissions include your added Calendars, Files, and Mail permissions.