---
title: "Microsoft 365 Email Setup with OAuth 2.0 in SysAid Spaces"
slug: "microsoft-365-email-setup-with-oauth-20-in-sysaid"
description: "You can set up email integration with the OAuth 2.0 protocol with Microsoft 365 or.The instructions below can be applied to incoming or outcoming email integration or both."
updated: 2026-01-21T09:03:02Z
published: 2026-01-21T09:03:02Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://documentation.sysaid.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Microsoft 365 Email Setup with OAuth 2.0 in SysAid Spaces

You can set up email integration with the OAuth 2.0 protocol with Microsoft 365 or [Google](https://documentation.sysaid.com/v1/docs/google-email-integration-with-oauth-2-0). The instructions below can be applied to incoming or outgoing email integration or both.

> [!NOTE]
> Please note:
> 
> - This article is for customer using SysAid Spaces. If you’re using SysAid Classic, please see [Microsoft 365 Email Setup with OAuth 2.0 in SysAid Classic](https://documentation.sysaid.com/docs/microsoft-365-email-setup-with-oauth-20-in-sysaid-classic).
> - We recommend that you limit the application's access to specific mailboxes by creating an application access policy. For more information, see [Microsoft Ignite](https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac#configure-applicationaccesspolicy).

## **Setting up outgoing and incoming email**

To set up Microsoft 365 as outgoing and incoming email:

1. In SysAid, go to **Settings** > **Setup** >**Email**.
2. Click **+ Create New**.
3. Under **Incoming Email**, toggle on**Enable mailbox**.
4. From the **Protocol** drop-down, select **OAuth 2.0**.
5. From the **Service provider** drop-down, select **Microsoft.** ![](https://cdn.document360.io/52d3cb6c-cc81-43c2-b6f7-cbabcb449271/Images/Documentation/image-QRFOZGB4.png)
6. Register your application in Entra:
  1. In your Microsoft 365 account, navigate to **Active Directory** > **App registrations**.
  2. Click **New registration**.
  3. Enter a name for your application.
  4. In the supported account types, select the single tenant option.
  5. (Optional) Select a platform configuration.
  6. Click **Register**.
7. Get Client secret:
  1. In **App registrations**, navigate to **Certificates & secrets**.
  2. Click **New Client secret**.
  3. Enter a description.
  4. In the Expires area, select **24 Months**.
  5. Click **Add**.
  6. Copy the generated secret from the **Value** column.
  7. Back in the SysAid email integration form, paste the secret in the **Client secret** field.
8. Set up API permission:
  1. Back in Entra, navigate to **API permissions** and click **Add a permission**.
  2. Choose**Microsoft Graph**. ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXeEq232eAUQn3arCYm5lte5bkZ_Y4LG5Eh1uqdXKhSsdfjNDt7SDdnPoyDM_6QTvba3LWyZKB-8NkAay4Ty3Pv9ZkEn3O8aSIXuhCvttWmEkNJF1xm8jTJjVIOBeyANE71xRzXbDg?key=VOa-l59P14W-CjhScur90A)
  3. Click **Delegated Permissions**.
  4. Check the*User.Read* permission. ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXcFfn8qSq2qbsFPqoAyXZhEskqRIIk6j4HGGLqzkNpOg28hCO2S9HmMP-lJn0G-Ra9bErGE5j7EYuk9B9rsScDyqP8EgMWasQHjDpaULknc1SW0A5ZWmArnkdk4I3aV999Hegd3jQ?key=VOa-l59P14W-CjhScur90A)
  5. Click **Add Permissions**.
  6. Click **Application Permissions**add the following permissions:

> [!TIP]
> Tip!
> 
> To see all avilable permissions and learn more about each permission, go to [Microsoft Learns](https://learn.microsoft.com/en-us/graph/permissions-reference).
    - *Calendars.ReadWrite*: Allows the app to create, read, update, and delete events of all calendars without a signed-in user.
    - *Mail.ReadWrite*: Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail.
    - *Mail.Send*: Allows the app to send mail as any user without a signed-in user.
    - *User.Read.All*: Allows the app to read user profiles without a signed-in user.
  7. Click **Add Permissions**.
  8. Click **Application Permissions**.
  9. Click **Grant admin consent for** **<domain name>**.
  10. Click **Yes**.
9. Copy the Tenant ID and Client ID:
  1. In **Azure Active Directory**, navigate to **App registrations** and select the app you just set up.
  2. Copy the **Application (client) ID** and paste it into the **Client ID** field in the SysAid email integration form.
  3. Copy the **Directory (tenant) ID** and paste it into the **Tenant ID** field in the SysAid email integration form. ![EmailFormfilesOAuthCodes1.jpg](https://lh7-rt.googleusercontent.com/docsz/AD_4nXdnaCs0vrQgtA9bHGpx7mqC1HMunUa3JIAEGKKH7xI8kn7mJJiF4cWQRlM4K99zAHq_Ru6QM0B0UK35abeyUll_o2YHvVv8I-PPD8eLI75R_5COFdu2eSf4hBkuXH7gTZOQE61T?key=VOa-l59P14W-CjhScur90A)
10. In your email inbox settings, navigate to **General** > **Language** and Time and ensure that the value of the Current Time Zone field reflects the appropriate time zone for your account.
11. Follow the instructions in the relevant links below to fill out the rest of the email form. Be sure that the inbox that you set up for incoming email integration is dedicated specifically for incoming email integration with SysAid and not used for any other purposes.

### Email processing behavior

When Microsoft 365 Email Integration with OAuth 2.0 is enabled in SysAid, it continuously monitors the integrated mailbox for new incoming emails.

All emails sent to the integrated email address are automatically processed by SysAid and used to create service records. Once an email is successfully processed, it is removed from the mailbox to prevent duplicate service record creation.

Due to [Microsoft 365 OAuth 2.0 policies](https://learn.microsoft.com/en-us/exchange/security-and-compliance/recoverable-items-folder/recoverable-items-folder), emails deleted by automated integrations are not moved to the standard **Deleted Items** folder. Instead, they are placed in the **Recoverable Items** folder. This behavior is by design and enforced by Microsoft as part of their OAuth 2.0 implementation.

#### Viewing processed emails

To locate emails that were processed and removed from the mailbox, open the **Deleted Items** folder in Outlook and click **Recoverable Items** at the top of the folder.

Processed emails are retained in the **Recoverable Items** folder for **30 days**, the same retention period as the Deleted Items folder.

#### Keeping a copy of incoming emails (optional)

If you want to retain a visible copy of all incoming emails, you can configure SysAid to save copies to a dedicated folder.

To do this, go to **Settings** > **Setup** > **Email** > **Incoming Email**and fill in the **Send a copy of the incoming emails to field** (available for Enterprise editions only). When configured, SysAid will store a copy of each incoming email in the selected folder instead of relying on the Recoverable Items location.

To learn more, see [Incoming Email Integration Form](https://documentation.sysaid.com/docs/incoming-email-integration-form#incoming-email-settings).

### Allowing admins to send messages from their personal email profiles

This option allows agents to select their personal email profiles (listed in their user profile under **User Management**) as the "from" address when they send emails. This allows them to communicate directly with end users via their own email account, rather than through an impersonal service desk profile.

**To allow admins to send messages from their personal email profiles:**

1. In your SysAid account, go to **Settings** > **Setup** > **Email** and click on **Advanced options**.
2. Select the **Allow admins to send messages from their personal email profiles** checkbox.
3. Go to your [Exchange admin center](https://admin.cloud.microsoft/exchange#/).
4. Navigate to **Recipients** > **Mailboxes**and search for and click on the relevant user**.**
5. Go to the**Delegation** tab and under the **Send as**section, click **Edit**.
6. Check the checkbox whose email matches the one you’ve configured for the Auth 2.0 email integration.

This process must be repeated for every team member who wants to use their personal email to communicate with an end user.

## Switching from Basic authentication with Client Submission (SMTP AUTH) to OAuth 2.0

If you’ve been using Microsoft Basic authentication with Client Submission (SMTP AUTH) and would like to switch to Microsoft OAuth 2.0 due to the [deprecation of the method,](https://techcommunity.microsoft.com/blog/exchange/exchange-online-to-retire-basic-auth-for-client-submission-smtp-auth/4114750) please watch the video below.

[Embedded content](https://player.vimeo.com/video/1149184391)

## Related

- [Microsoft 365 Email Setup with OAuth 2.0 in SysAid Classic](/microsoft-365-email-integration-with-oauth-2-0-classic.md)
- [Incoming Email Integration Form in Classic](/incoming-email-integration-form.md)