Microsoft 365 / Outlook



Audience: Tenant, fiduciary, IT
Feature: typically from Professional plan (microsoft365)
In 60 seconds
| Question | Answer |
|---|---|
| What is tenant setup? | Sync rules + your Azure app for this tenant (MND-…) |
| What is it not? | The Outlook sign-in — that happens per company in the hub |
| Where are secrets stored? | Encrypted in the LIRENO database |
Three layers
- LIRENO ops — fixed API OAuth callback
- Tenant — Setup → Microsoft 365 (client ID, secret, policy)
- Company — Hub → Connect (Outlook login)
Rule of thumb: Setup = prepare per tenant. Hub = sign in per company.
Step A — Azure app (Microsoft Entra)
- New app registration
- Name e.g.
M365-4-LIRENO - Account type: Single tenant (typical)
- Redirect URI: platform Web (not SPA)
- URL exactly as shown in LIRENO:
Dev: https://api.dev.lireno.ch/api/v1/integrations/microsoft365/oauth/callback
Prod: https://api.lireno.ch/api/v1/integrations/microsoft365/oauth/callback
Then copy Application (client) ID, create a client secret, add Graph delegated permissions openid, profile, email, offline_access, Contacts.ReadWrite, grant admin consent, note Directory (tenant) ID.
Step B — Save in LIRENO
Path: Setup → Microsoft 365 → save client ID, secret, redirect URI, tenant ID.
Leave secret empty later = keep stored secret.
Step C — Connect Outlook per company
Path: Integrations hub → Microsoft 365 → Connect → sync contacts.
Checklist
- [ ] Professional or Enterprise
- [ ] Entra app platform Web
- [ ] Redirect URI exact match
- [ ] Client ID in LIRENO = same Entra app
- [ ] Secret saved
- [ ] Hub connect OK
Errors? → Troubleshooting Microsoft 365 · AADSTS codes
