Integration Service user guide

DELIVERY:

Last updated Feb 9, 2026

Microsoft Outlook 365 authentication

Overview

In Integration Service, when you create a connection to one of our Microsoft Graph-based connectors, you can choose between the following authentication options:

Client Certificate Authentication – connects using a client certificate instead of a client secret.
OAuth 2.0 Client credentials – uses a service account and, optionally, connects to your shared mailbox.
Bring your own OAuth 2.0 app – connects to a private application you create, and, optionally, to your shared mailbox.

In case you encounter any errors during the sign-in process, it is recommended to contact your Microsoft Outlook 365 administrator. For more information, refer to the Office 365 Outlook connector documentation.

Note:

This section applies only to the Bring your own OAuth 2.0 app authentication options.

Many organizations require the consent of an administrator before you create a connection to an external application. The admin consent workflow requires an admin to approve the app registration to specific users or groups before a connection is established. For more details, check Overview of admin consent workflow and User and admin consent in Microsoft Entra ID in the Microsoft documentation.

Note:

Integration Service impersonates the user that creates the connection. The credentials of the user offer access to all of the same resources that they have in the given application. If you share the connection, every change made to Microsoft SharePoint or OneDrive with that connection is made on behalf of that user.

Client Certificate Authentication

Scopes

The connector requires the following minimum scopes to create a connection: Mail.Read, User.Read.All, or User.Read.

The connector requires the following scopes for all activities to function: User.Read, User.Read.All, Mail.Read, Mail.Read.Shared, Mail.ReadWrite, Mail.ReadWrite.Shared, Mail.Send, Mail.Send.Shared, MailboxSettings.ReadWrite, Calendars.Read, Calendars.Read.Shared, Calendars.ReadWrite, Calendars.ReadWrite.Shared, profile, openid, email, and offline_access.

To add more granular permissions, refer to the activities documentation.

Adding the Microsoft Outlook 365 connection

To create a connection to your Microsoft Outlook 365 instance, proceed as follows:

In Automation Cloud, select Integration Service from the rail menu.
From the Connectors list, select Microsoft Outlook 365, or use the search bar to find the connector.
Select Connect to Microsoft Outlook 365, which redirects you to the connection page.
Select the Client Certificate Authentication authentication type.
Configure the following:
- Client ID - The ID from the Overview section of your Microsoft Azure application registration.
- Password for the certificate - The password you set during the certificate creation.
- OAuth base64 client certificate - The client certificate is generated in a .pfx file format, which you must convert to Base64-encoded format and provide it in this field.
- Tenant ID - The Microsoft Azure tenant ID for an app from the Overview section of your Microsoft Azure application registration.
- Environment - Optionally, select an environment from the dropdown list:
  - Office 365 (default)
  - US Government L4 - Public Sector domain
  - US Government L5 - Public Sector domain
  - ChinaSelect Office 365 (default) for all regions, and only switch to Government or China for cloud deployments. For more details on environments, check Microsoft Graph and Graph Explorer service root endpoints.
- Account - Enter the user principal name (UPN) of the account or shared mailbox that the system should use in the connection. This is required for the connection to be established.
Select Connect.
Authenticate with your Microsoft email address and password.

OAuth 2.0 Client credentials

Scopes

The minimum scopes required for creating a connection are the following: Mail.Read and User.Read.All

To add more granular permissions, refer to the activities documentation.

Adding the Microsoft Outlook 365 connection

To create a connection to your Microsoft Outlook 365 instance, perform the following steps:

In Automation Cloud, select Integration Service from the rail menu.
From the Connectors list, select Microsoft Outlook 365, or use the search bar to find the connector.
Select Connect to Microsoft Outlook 365, which redirects you to the connection page.
Enter the required credentials.
Note:
- You must provide the following: client ID, client secret, tenant ID, and the scopes you may need to interact with different activities. For more details check the previous Scopes section.
- If you are using a multi-tenant application, keep the default value common for the Tenant ID field.
- If you are using a single-tenant application, retrieve the tenant ID from Azure. For more details, check How to find your Microsoft Entra tenant ID.
Select Connect.
Authenticate with your Microsoft email address and password.

Bring your own OAuth 2.0 app

Overview

To learn how to create an application, go to the official Microsoft documentation and follow the described steps: Register an application with the Microsoft identity platform.

Note:

This is an advanced functionality and requires admin privileges in the target application. Work with your IT administrator to set up your application successfully.

Requirements

When creating your own application to use with Integration Service, you must consider the following requirements:

You must configure the application as a Multitenant or Single tenant application.
You must configure a Web application.
You must configure a Web Redirect URI. The Redirect URI, or callback URL, for your OAuth 2.0 application is provided in the authentication screen when creating a connection: https://{yourDomain}/provisioning_/callback.
You must set up delegated permissions. For more information, refer to Permissions in the Microsoft official documentation.
Generate a client secret for your application.
Important:
The advantage of using your private OAuth application is that you can customize permissions depending on your actual needs. To learn which scopes are required for each activity in the Microsoft 365 package, refer to Working with scopes and check out the activities documentation. The connector uses Microsoft Graph API. Refer to the Microsoft Graph permissions reference page for details on all permissions.

After you create your application, use the client ID and client secret to create a connection with the Microsoft connectors.

Scopes

The connector requires the following minimum scopes for creating a connection: openid, offline_access, Mail.Read.
Outlook triggers require the following minimum scopes:
- For shared mailbox triggers: openid, offline_access, Mail.Read, Mail.Read.Shared.
- For events on calendars: Calendars.Read.
- For events on shared calendars: Calendars.Read.Shared.

To add more granular permissions, refer to the activities documentation.

Adding the Microsoft Outlook 365 connection

To create a connection to your Microsoft Outlook 365 instance, proceed as follows:

In Automation Cloud, select Integration Service from the rail menu.
From the Connectors list, select Microsoft Outlook 365, or use the search bar to find the connector.
Select Connect to Microsoft Outlook 365, which redirects you to the connection page.
Select the Bring your own OAuth 2.0 app authentication type.
Configure the following:
- Client ID - The client ID from the Overview section of your Microsoft Azure application registration.
- Client secret - The client secret from the Certificates & secrets section of your Microsoft Azure application.
- Tenant ID - The Microsoft Azure Tenant ID for an app from the Overview section.
  Note:
  - If you use a multi-tenant application, keep the default value common.
  - If you use a single-tenant application, retrieve the tenant ID from Azure. For more details, check How to find your Microsoft Entra tenant ID.
- Environment - Optionally, select an environment from the dropdown list:
  - Office 365 (default)
  - US Government L4 - Public Sector domain
  - US Government L5 - Public Sector domain
  - ChinaSelect Office 365 (default) for all regions, and only switch to Government or China for cloud deployments. For more details on environments, check Microsoft Graph and Graph Explorer service root endpoints.
- Account - Represents the account used to impersonate a user. Specify the user principal name (UPN) of the account or shared mailbox to be used in connection. This is required for the connection to be established.
Select Connect.
Authenticate with your Microsoft email address and password.

Refresh tokens for OAuth applications

Refresh tokens for OAuth applications can be invalidated or revoked at any time by Microsoft. This can happen for different reasons, such as timeouts and revocations. For details, see Microsoft's official documentation.

Warning:

Token invalidation results in failed connections and automations are unable to run without fixing connections.

Make sure to follow best practices from Microsoft when creating your OAuth applications. For full details on how to create a Microsoft OAuth app, see the Microsoft documentation.

This issue affects not only the OneDrive & SharePoint connector, but all Microsoft Graph-based connectors, such as Outlook or Teams.