Microsoft 365 / OAuth


Full guide: User docs Microsoft 365
Codes: AADSTS codes
Symptom: “OAuth not configured” / 503 / 409
Cause: No Azure app saved in tenant setup (missing client ID + secret).
Steps: Setup → Microsoft 365 → enter client ID & secret → redirect URI = shown callback → Save → Hub Connect again.
Symptom: AADSTS500113 — No reply address is registered
Cause: The Entra app matching the saved client ID has no Web redirect URI — or the URI was added to a different app than the client ID in LIRENO.
Steps:
- Note the Application (client) ID in LIRENO Setup
- Entra → App registrations → search that ID (not only the display name)
- Authentication → platform Web
- Enter exactly (dev example):
https://api.dev.lireno.ch/api/v1/integrations/microsoft365/oauth/callback - Save → Hub Connect again
Common mistake: New app M365-4-LIRENO got the URI, but LIRENO still has an older client ID. Either add the URI to the old app or save the new client ID + new secret in LIRENO.
Symptom: Authenticator OK, then Microsoft error page
Cause: MFA succeeded; failure is on redirect (usually missing/wrong reply address or wrong app).
Steps: Same as AADSTS500113; keep Request/Correlation Id.
Symptom: “Signed in at Microsoft”, hub not connected
Cause: Entra portal login ≠ LIRENO hub OAuth.
Steps: Integrations hub → Microsoft 365 → Connect (step C).
Symptom: Consent / permissions missing
Cause: Graph scopes or admin consent missing.
Steps: Add Contacts.ReadWrite, offline_access, openid, profile, email → admin consent → Connect again.
Symptom: After Azure app change all companies offline
Cause: Tokens belong to the old app.
Steps: Re-Connect each company in the hub.
Symptom: Secret expired
Cause: Client secret expired in Entra.
Steps: New secret in Entra → paste into LIRENO Setup → save → reconnect hub.
When to contact support
Request Id + Correlation Id + Timestamp · Client ID (never the secret) · Tenant number · Dev or Prod callback
