The CloudRadial AutomationAI Microsoft 365 extension connects to Microsoft 365 and Microsoft Entra ID through Microsoft Graph using an app-only (client-credentials) token, so it runs unattended with no signed-in user. This article is for Admins and Owners and explains how to stand up the Microsoft Entra ID app registration the extension uses and how to hand its credentials to your runner.
- How the Extension Authenticates
- Create the App Registration
- Record the Application and Directory IDs
- Create a Client Secret
- Add and Admin-Consent Microsoft Graph Application Permissions
- Provide the Credentials to Your Runner
- What This Extension Can't Do via Graph
How the Extension Authenticates
The extension calls Microsoft Graph (https://graph.microsoft.com/v1.0) with an app-only token acquired through the client-credentials flow. The token is built from three credentials your runner supplies from its Key Vault. The extension never asks a user for these credentials, so you create them once in Microsoft Entra ID and store them in the runner Key Vault.
Create the App Registration
In the Microsoft Entra admin center, create a new app registration. This is a standard Microsoft step:
- Open the Microsoft Entra admin center and go to app registrations.
- Select to register a new application.
- Give it a name you will recognize, such as AutomationAI Microsoft 365.
- Register the application. Because the extension uses app-only authentication, you do not need to configure a redirect URI.
Record the Application and Directory IDs
On the app registration's Overview page, record two values:
- The Application (client) ID — the GUID of the app registration
- The Directory (tenant) ID — your Entra tenant ID GUID (a verified domain also works)
You will store these as the M365-ClientID and M365-TenantID secrets.
Create a Client Secret
Under the app registration's Certificates & secrets, create a new client secret and copy its value immediately, before you leave the page. This value becomes the M365-ClientSecret secret. Microsoft shows a client secret value only once.
Add and Admin-Consent Microsoft Graph Application Permissions
Grant the app the Microsoft Graph application permissions it needs, then admin-consent them. Adding API permissions and granting admin consent are standard Microsoft steps; do them under the app registration's API permissions.
- Add Microsoft Graph application permissions (not delegated permissions), for example User.ReadWrite.All and Directory.ReadWrite.All.
- Grant admin consent for the tenant so the application permissions take effect. Until consent is granted, tokens issued to the app carry no Graph roles and its calls are rejected.
Choose the permissions to match the operations you intend to run, and grant only what those operations need. The extension's read operations run without approval, while every mutating operation is gated by approval before it runs.
Provide the Credentials to Your Runner
Place the three credentials in your runner's Key Vault under these exact secret names:
- M365-ClientID — the Application (client) ID GUID of the app registration
- M365-TenantID — your Entra tenant ID GUID (or a verified domain)
- M365-ClientSecret — the client secret value you created
The runner supplies these to the extension at run time. The extension never asks a user for them and never places them in tool input.
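To make the authentication path concrete, here is an added example (not CloudRadial's code) of what the runner does with the three secrets: it builds the v2.0 client-credentials token request for the Graph `.default` scope and then inspects the returned app-only token to confirm the admin-consented application permissions are actually present. It assumes the secrets arrive as a plain dictionary keyed by the names above; the token used in the check is a constructed, unsigned sample so the code runs offline.

```python
import base64
import json
import urllib.parse

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
SECRET_NAMES = ("M365-ClientID", "M365-TenantID", "M365-ClientSecret")


def token_request(secrets):
    """Build the client-credentials token request from the three Key Vault secrets.

    Returns (url, form_body) for a POST to the tenant's v2.0 token endpoint.
    Raises KeyError if any of the expected secret names is missing or empty.
    """
    missing = [name for name in SECRET_NAMES if not secrets.get(name)]
    if missing:
        raise KeyError(f"missing Key Vault secrets: {missing}")
    tenant = secrets["M365-TenantID"]  # GUID or verified domain
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": secrets["M365-ClientID"],
        "client_secret": secrets["M365-ClientSecret"],
        "scope": GRAPH_SCOPE,  # .default = all admin-consented app permissions
    })
    return url, body


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def app_roles(access_token):
    """Return the Graph application permissions carried by an app-only token.

    Only the JWT payload is decoded; signature validation is done by Graph,
    not by the caller. A token with an 'scp' claim is a delegated token, which
    this extension never uses. No 'roles' claim means admin consent is missing.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    if "scp" in payload:
        raise ValueError("delegated token (scp claim); expected app-only token")
    return set(payload.get("roles", []))


def missing_permissions(access_token, required):
    """Permissions an operation needs that the token does not carry."""
    return set(required) - app_roles(access_token)


def constructed_token(claims):
    # Constructed, unsigned JWT-shaped sample for offline testing only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

In a real run the runner POSTs `body` to `url`, then calls `missing_permissions` on the `access_token` field of the JSON response before attempting any Graph operation.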
What This Extension Can't Do via Graph
Not every mailbox operation is available through Microsoft Graph. The extension can set a mailbox automatic reply (out-of-office) through Graph, but the following are not Graph operations and must be performed through Exchange Online:
- SMTP mailbox forwarding
- Delegate permissions — full-access and send-as
- Conversion of a mailbox to a shared mailbox
These are carried out with Exchange Online PowerShell — for example Set-Mailbox for forwarding and shared-mailbox conversion, and Add-MailboxPermission (full access) or Add-RecipientPermission (send-as) for delegate permissions — or through the Exchange admin center.