# Exchange Integration with Azure service user

> This step-by-step guide will show you a popular method for creating a Microsoft Exchange application for Communications Mining™ in your Azure Cloud Platform. You will learn how to create an Application (client) with an ID and Client Secret, and find your existing Directory (tenant) ID. This will allow users to access Exchange mailbox integrations in Communications Mining.

## Introduction

This step-by-step guide will show you a popular method for creating a Microsoft Exchange application for Communications Mining™ in your Azure Cloud Platform. You will learn how to create an Application (client) with an ID and Client Secret, and find your existing Directory (tenant) ID. This will allow users to access Exchange mailbox integrations in Communications Mining.

:::note
Microsoft will retire Exchange Web Services (EWS) on October 1, 2026. It is recommended to follow the [Exchange integration with Azure Application Authentication and Graph](https://docs.uipath.com/ixp/automation-cloud/latest/cm-user-guide/exchange-integration-with-azure-application-authentication-and-graph#exchange-integration-with-azure-application-authentication-and-graph) guide instead.
:::

## Why a successful integration is important

Failure to create an Exchange-Communications Mining™ application in Azure can lead to permissions errors that prevent users from accessing their mailbox integrations. To gain the full benefits of Communications Mining, follow these steps and complete the process in its entirety.

## The step-by-step integration process

### 1. Sign into Azure

Sign into your Azure Cloud Portal.

### 2. Register a new application for Communications Mining

1. Access the **App Registrations** menu and select the **New Registration** option.

   ![The image highlights the New registration button under App registrations in Azure Portal.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-app-registrations-497027-9b0057d2.webp)

2. Register a new application as follows:

   1. Enter a name for your application, for example, `reinfer-exchange-integration`.
   2. Under **Supported account types**, select the single tenant option.
   3. Select **Register** to complete the registration.

   ![The Register an application configuration page under App registrations in Azure Portal.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-register-an-application-configuration-page-under-app-registrations-in-azure-portal-497031-f46e9932.webp)

   Azure will provide you an **Application (client) ID** and a **Directory (tenant) ID** as shown in the following image.

   ![The image shows the app details containing the Application (client) ID and Directory (tenant) ID after registering an app in Azure.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-image-shows-the-app-details-containing-the-application-client-id-and-directory-tenant-id-after-registering-an-app-in-azure-497035-1e560bdc.webp)

### 3. Create a client secret for your Communications Mining application

To keep your application secure, you must create a client secret to log into your application. First, select **Certificates & Secrets** under the **Manage** sidebar, then continue with the following steps:

1. Select **Client secrets** if it is not automatically selected.
2. Select **New client secret**.

   ![The image highlights the New client secret butto under Client secrets in Azure.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-new-client-secret-497039-c23e96fe.webp)

3. In the sidebar, add an easily recognizable description and select an expiry date. We recommend setting 12 months for the expiry date.
4. Select **Add** to create a secret value for your Communications Mining™ application.

   ![The Add a client secret page in Azure.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-add-a-client-secret-497043-827a4a91.webp)

   ![The secret value under Client secrets in Azure.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-client-secrets-497047-93e35dd4.webp)

   :::note
   Azure displays the secret value to you only once, so make sure to copy it. If you ever lose your secret value, complete Step 3 again to create a new one.
   :::

### 4. Set API permissions

1. Navigate to **API permissions** under the **Manage** sidebar.
2. Select **Add a permission**.

   ![The Add a permission button in API permissions, under Manage, in Azure.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-add-a-permission-497051-42f7d311.webp)

3. Select **Microsoft APIs** and then **Microsoft Graph**.

   ![The Microsoft Graph option under Microsoft APIs in Azure.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-microsoft-graph-option-under-microsoft-apis-in-azure-497055-14720041.webp)

4. Select **Delegated permissions**.
5. In the **Select permissions** textbox, enter EWS.Access.
6. Expand the EWS permission, and check the box for EWS.AccessAsUser.All.
7. Select **Add permissions**.

   ![The image highlights the Delegated permissions option under Request API permissions in Azure.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-image-highlights-the-delegated-permissions-option-under-request-api-permissions-in-azure-497059-e71c9c6c.webp)
   
8. Returning to the **API permissions** menu, select **Grant admin consent for Communications Mining**.
9. Select **Yes** in the **Grant admin consent confirmation** pop-up

   ![The Grant admin consent for Communications Mining button under API permissions in Azure.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-grant-admin-consent-for-communications-mining-button-under-api-permissions-in-azure-497063-a02d31d2.webp)

### 5. Give the service user access to the shared mailboxes

You will need a service account with access to the mailboxes you wish to connect to Communications Mining™.

1. Create a service account:
   * [Add a user](https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide).
   * [Assign licenses to the user](https://learn.microsoft.com/en-us/microsoft-365/admin/manage/assign-licenses-to-users?view=o365-worldwide).
2. Grant a service account access to shared mailboxes. It is enough to grant the service account read-only access. Use one of the following methods to do this:
   * [Create shared mailboxes](https://learn.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide) and give access to users, including the service account.
   * [Give the service account access to the emails of a user](https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide#read-email-in-another-users-mailbox).

### 6. Sign into Communications Mining

Sign into Communications Mining through UiPath® Automation Cloud as normal.

### 7. Create a new integration in Communications Mining

1. Navigate to the **Administration** page from Communications Mining.
2. Select **New Integration**.

   ![The Integrations page in the Administration page in IXP.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-integrations-page-in-the-administration-page-in-ixp-497067-5dc73e11.webp)

3. In the **Create new integration** page, under **Add basic info**, configure the following fields:
   * **Project** - Select an existing project.
   * **Title** - Optionally, enter a title.
   * **API Name** - Enter a name for your integration.

:::note
Once you set the API name, you cannot change it.
:::

4. Select **Continue**.

   ![The Create a new integration page.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-create-new-integration-497071-645333a3.webp)

5. Under **Connect with your application** configure the following:
   * Select the API type: **Graph API** or **EWS API**.
   * Select the authentication method: **With client secret**, **With private key & thumbprint**, or **With NTLM**.

      :::note
      NTLM only supports delegate access. For more information, check the [Microsoft documentation on delegate access and EWS in Exchange](https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/delegate-access-and-ews-in-exchange).
      :::

   * **OAuth Authority URL** - Enter the OAuth authority URL using the tenant ID from step 2, when you registered a new application for Communications Mining, in the following format: `https://login.microsoftonline.com/{tenant_id}`.
   * **OAuth Client ID** - Enter the OAuth client ID from step 2.
   * **Client Secret** - Enter the client secret from Step 3.
   * Select one of the following options:
      * **With service user access** - Enter the username and password of your service account.
      :::note
      Graph API does not support service user access.
      :::
      * **With application access**
   * Select **Validate & save credentials**.
6. Select **Continue**.

    ![The Create a new integration page.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-create-a-new-integration-page-497075-92ced441.webp)

7. Under **Select your input data**, select **Add Mailbox** and configure the following fields:

   **Mailbox name**

      * **Email** - Enter the email address.

   **Bucket**

      * **New bucket** - Select one of the following:
         * **Create new bucket** - Automatically create a bucket for the mailbox.
         * **User define new bucket** - Define a custom bucket by specifying a **Project**, **Name**, and **Title**.
      * **Existing bucket** - Select an existing Orchestrator bucket.

   **Time filters**

   :::note
   Choose a date to sync from. You can update this to sync further back as required. Already synced data will not be impacted. If total volumes are unknown, it is recommended to gauge volumes by syncing a shorter period first. AI units are charged on upload.
   :::

      * **From timestamp** - Configure the following field:
         * **Sync from timestamp** - Enter a date to sync from. It is typically recommended to sync at least 6 to 12 months of data.
      * **All time** - Syncs all available data.
      :::important
      This option may consume more AI units than expected.
      :::

   **Folder filters**

   :::note
   When applying folder filters:

   * Nested folders are separated with a forward slash `/`.
   * Folders visible in Outlook are normally prefixed with `root/Top of Information Store/`.
   * Allowing folders means that folders not explicitly allowed are denied.
   * You can deny a folder within an allowed folder.
   * You cannot allow a folder within a denied folder.
   :::

      * **Allowed folders** - Enter the allowed folders.
      * **Denied folders** - Enter the denied folders.
      :::note
      Make sure you enter the folder location in this format: `root/Top of Information Store/`.
      :::
      :::tip
      Restrict the folder filter scope to the minimum your use case needs. If you leave **Allowed folders** empty, the integration continuously syncs from every folder in the mailbox — including Archive and Recoverable Items (purges) — which slows the sync dramatically. For most BAU processing, allow only:

      * `root/Top of Information Store/Inbox`
      * `root/Top of Information Store/Sent Items`
      :::
   
   **Participant filters**

   :::note
   When applying participant filters:
   * Allowing participants means that participants not explicitly allowed are denied.
   * Any denied participant is denied even if it also appears in the allowed list.
   * Participant filters are case insensitive.
   :::

      * **Allowed participants** - Enter the email addresses of the allowed participants.
      * **Denied participants** - Enter the email addresses of the denied participants.
   
   **Participant domain filters**

   :::note
   When applying participant domain filters:
   * Allowing domains means that participants not explicitly allowed are denied.
   * Any denied participant domain is denied even if it also appears in the allowed list.
   * You can wildcard the top-level domain. For example, `reinfer.*` matches `reinfer.dev` and `reinfer.com`.
   * Participant domain filters are case insensitive.
   :::

      * **Allowed participant domains** - Enter the domains of the allowed participants, for example, `gmail.com`.
      * **Denied participant domains** - Enter the domains of the denied participants, for example, `gmail.com`.

   **Attachments**
      * **Sync attachment contents** - Enable this option to also sync email attachments.

   8. Select one of the following options:
      * **Add Mailbox**
      * **Discard new mailbox**.
   9. Select **Create Integration**.

## Final steps

You have now successfully created an integration between Communications Mining™ and Microsoft Exchange through Azure. You can disable the integration using the toggle, as shown in the following image. To delete it, select the trash can icon.

   ![docs image](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-docs-image-497083-1223a38c.webp)

You can also enable attachment syncing at mailbox level on an Exchange integration. The streams API then makes the attachments retrievable via an attachment reference. Check more about syncing attachments in the [Attachments](https://docs.uipath.com/communications-mining/automation-cloud/latest/developer-guide/attachments) and [Using Exchange Integrations](https://docs.uipath.com/communications-mining/automation-cloud/latest/user-guide/using-exchange-integrations) pages.

If you have any questions or need assistance with the integration process, contact UiPath® support.