Microsoft 365 Connector Prerequisites: Register an App in Microsoft Entra ID

Modified on Wed, 11 Mar at 11:57 AM

This article explains the Microsoft Entra ID setup that must be completed before enabling the Microsoft 365 connector in Omniscope. You will register an application, create a client secret, and grant the required Microsoft Graph permissions so that the connector can be configured with the correct Tenant ID, Client ID, and Client Secret and be authorized to read mail

1) Register an app

Go to Microsoft Entra admin center (Entra ID)
App registrations → New registration
Name: e.g. Omniscope Email Connector (App-Only)
Supported account types: typically Accounts in this organizational directory only
Click Register

2) Create a client secret

In the app: Certificates & secrets
Client secrets → New client secret
Choose an expiry that aligns with your ops policy (longer = fewer outages)
Click Add
Copy the Value immediately

Important: you must copy the Value.
You cannot retrieve it later.
Do not confuse it with the “Secret ID”.

That Value is clientSecret.

3) Add Microsoft Graph permissions (application permissions)

App → API permissions → Add a permission
Choose Microsoft Graph
Choose Application permissions
Add:
Mail.Read (Application)

Then:

Click Grant admin consent (required)

Without admin consent, Graph calls will fail with 403.

4) (Recommended) Restrict mailbox access
Mail.Read (Application) can be broad by default.
To enforce least privilege, restrict the application to a mailbox (or group) using Exchange Application Access Policies.
High-level approach:

Create a mail-enabled security group containing allowed mailboxes
Create an Application Access Policy scoped to that group and bound to the app (clientId)

This ensures the app can only read mailboxes you explicitly permit.