Skip to main content

New Page

Setup Instructions for OxfordIQ Outlook Integration (Entra ID App Registration)

As Global Administrator in your hybrid M365 environment, here is the exact process to complete the steps in the table from the screenshot. This creates a dedicated App Registration so OxfordIQ can use OAuth to let each user connect their own Outlook account (delegated access for sending mail and managing calendars).

  1. Create the App Registration

    • Go to Microsoft Entra admin center → IdentityApplicationsApp registrations+ New registration.
    • Name: e.g., “OxfordIQ Outlook Integration”.
    • Supported account types: Accounts in this organizational directory only (single-tenant – recommended for internal use).
    • Redirect URI: Leave blank for now (OxfordIQ/Replit will provide the exact URI later if needed).
    • Click Register.
    • Reasoning: This registers OxfordIQ as a trusted application in your tenant. Single-tenant keeps it scoped to your organization only, which is appropriate since users are connecting their own work accounts.

  2. Grant API Permissions (Delegated)

    • In the new app → API permissions+ Add a permissionMicrosoft GraphDelegated permissions.
    • Search and add:
      • Mail.Send
      • Calendars.ReadWrite
      • (plus any others Joe listed, such as User.Read, offline_access, openid, profile).
    • Click Add permissions.
    • Reasoning: These are the exact delegated scopes needed so each user can grant OxfordIQ permission to act on their mailbox and calendar only when they click “Connect Outlook”. Delegated permissions tie the access to the individual signed-in user.

  3. Grant Admin Consent for the Organization (Optional but Recommended)

    • Still on the API permissions tab → click Grant admin consent for [your tenant] → confirm.
    • Reasoning: This pre-approves the permissions at the tenant level so individual users don’t see extra consent prompts when they connect. It is safe to do because the permissions remain delegated (user-scoped).

  4. Copy Client ID + Generate Client Secret

    • Go to the app’s Overview tab → copy the Application (client) ID.
    • Go to Certificates & secrets+ New client secret → set description and expiration (e.g., 12 months) → copy the Value immediately (it will never be shown again).
    • Reasoning: OxfordIQ needs both the Client ID (public) and Client Secret (private) to complete the OAuth token exchange on their backend when users connect their accounts.

  5. Provide the Values to OxfordIQ

    • Send only the Client ID and Client Secret to the OxfordIQ team (or to the service account oxfordiq@oxfordcompanies.com that Tyler mentioned).
    • Do not share the secret via unsecured channels.
    • Reasoning: This is the “Copy Client ID + Client Secret into OxfordiQ” step. Once provided, users can click “Connect Outlook” inside iQ and complete the per-user consent.

After these steps, the integration is ready on your side. Replit/OxfordIQ will handle the rest of the OAuth flow.

Back to top