Skip to main content
Matrix42 Self-Service Help Center

E-mail Robot tenant configuration for Microsoft 365 service connection

To register DWP for Microsoft 365 Service Connections integration, start with registering DWP at the Microsoft identity platform.

  1. On the Microsoft Azure Portal home page, go to the Azure services section or use the Search resources search bar and open App registrations.
    Microsoft Azure Portal: App registrations

  2. Provide a Name for the application. The DWP users will see the display name when applying the Setup Authentication for the configured Service Connection.
  3. Choose Supported account types.
  4. Add a Redirect URI: select Web and enter Redirect URI, for instance, https://{your_domain_name}/wm/externalAuth/redirect.html.
  5. Click Register.
    Microsoft Azure Portal: Register an application
  6. Click on your new App Registration (in our example it is DWP App) and go to the Overview section. Here you can find the following data for the E-mail Robot tenant configuration in DWP Service Connections:
    Microsoft Azure Portal Application field name DWP tenant configuration field name
    Application (client) ID Client ID
    Directory (tenant) ID  Tenant

  7. Enter the data to the corresponding fields in the Administration application → Integration → Service Connections → Tenants configuration:
  8. In your registered application, go to the Certificates & secrets section and click + New client secret. Provide a description and then copy the value of the generated Client secret because later it will be encrypted and shown in the Certificates & secrets section as on the image below.
  9. Enter the copied Client secret value in the E-mail Robot tenant configuration in DWP Service Connections:
  10. Add API permissions. API Permissions can be configured in either Delegated or Application mode:
    • Delegated mode permissions are used together with DWP Service Connections.
    • Application (standalone) mode permissions are used with direct E-mail Robot configuration for Exchange / Office 365 and Exchange / Microsoft Graph connection types.

    Required API Permissions depend on E-mail Robot mailbox connection type and authentication mode: direct or Service Connection.

    1. For Exchange / Microsoft Graph connection type using Service Connection, in your registered application, go to the API permissions section and click + Add a permission, choose Microsoft Graph > Delegated permissions > Mail.ReadWrite.Shared and click Add permissions.

      Exchange / Microsoft Graph connection with Service Connection in delegated mode can only access mailboxes (personal and shared) which are available to the user who is authenticated for the Service Connection (the user logged in while performing "Setup Authentication" action before saving Service Connection).

    2. For Exchange / Microsoft Graph connection type using direct configuration, in your registered application, go to the API permissions section and click + Add a permission, choose Microsoft Graph > Application permissions Mail.ReadWrite and click Add permissions. Then click Grant admin consent for <organization> and accept the consent dialog.

      A Service Connection can also be configured using application mode permissions. In this case any mailbox of any user in the company can be accessed by E-mail Robot


    Azure Portal does not provide Office 365 Exchange Online permissions in permission list for new Application registrations. Required permissions are provided by manual editing of Application Manifest.

  11. Add the corresponding permissions to the Scope area for your Service provider configuration: open the Administration application > Integration Service Connections > Services > Microsoft 365 > Capabilities section > Scope.
    • For Exchange / Microsoft Graph: 
    • For Exchange / Office 365 (EWS): 


For more information on how to add a scope, see also Microsoft Documentation Quickstart: Configure an application to access a web API.