Overview
CrewAI supports integration with Microsoft 365 applications including Outlook (email and calendar), OneDrive, Teams, SharePoint, Excel, and Word. This guide walks you through setting up OAuth credentials in Microsoft Entra ID (formerly Azure Active Directory) to enable these integrations.
Prerequisites
- An Azure account with access to Microsoft Entra ID
- Permissions to create app registrations in your Azure tenant
- Admin consent capability for granting API permissions (may require Azure AD admin)
Azure App Registration Setup
Step 1: Navigate to App Registrations
- Sign in to the Azure Portal
- Search for and select Microsoft Entra ID (or Azure Active Directory)
- In the left sidebar, click App registrations
- Click New registration
Step 2: Register Your Application
- Name: Enter a name for your application (e.g., “CrewAI Integration”)
- Supported account types: Select the appropriate option:
| Option | Description | Use Case |
|---|---|---|
| Single tenant | Only accounts in your organization | Enterprise deployment with internal users only |
| Multitenant | Accounts in any organizational directory | Enterprise deployment with external collaborators |
| Multitenant + personal | Any organizational or personal Microsoft accounts | Broadest access including personal accounts |
For most enterprise deployments, select Accounts in this organizational directory only (single tenant) for better security control: only users from your own directory can sign in. A multitenant registration accepts sign-ins from any Microsoft Entra tenant, so you would then have to restrict access yourself (for example by checking the tid claim of issued tokens against your tenant ID).
- Redirect URI:
  - Select Web as the platform
  - Add redirect URIs for each Microsoft integration you want to enable:
    https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_outlook/callback
    https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_onedrive/callback
    https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_teams/callback
    https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_sharepoint/callback
    https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_excel/callback
    https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_word/callback
  - Replace <YOUR_APPLICATION_HOST> with your CrewAI application domain. Entra ID matches redirect URIs exactly (scheme, host and path, including any trailing slash), and Web platform URIs must use https unless they point at localhost, so register each URI precisely as your deployment will send it.
- Click Register
Step 3: Note Your Application Credentials
After registration, you’ll be taken to the app’s overview page. Note the following values:
- Application (client) ID: This is your Client ID
- Directory (tenant) ID: Your Azure AD tenant ID
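The script below is an added example (not CrewAI's own code) that shows what the values registered above are used for once the integration runs: it builds the authorization request for one product against the tenant-specific v2.0 endpoint with PKCE and a state value, applies the same exact-match rule to callback URIs that Entra ID applies, checks the state on the way back, and assembles the form body for the code exchange. The tenant ID, client ID and the host crew.example.com are placeholders; the scope names are taken from the Required Scopes tables further down.

```python
"""Authorization request for one CrewAI Microsoft integration.

Added example, not CrewAI code. Tenant id, client id and host are
placeholders; scope names follow the Required Scopes tables on this page.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# The six callback paths from the registration step, one per product.
PRODUCTS = ("outlook", "onedrive", "teams", "sharepoint", "excel", "word")

# Base permissions every integration needs (see Required Scopes below).
BASE_SCOPES = ["offline_access", "openid", "profile", "User.Read"]


def redirect_uri_for(host: str, product: str) -> str:
    if product not in PRODUCTS:
        raise ValueError(f"unknown Microsoft integration: {product}")
    return f"https://{host}/oauthsvc/oauth/microsoft_{product}/callback"


def registered_redirect_uris(host: str) -> set[str]:
    """The exact set of redirect URIs the app registration must contain."""
    return {redirect_uri_for(host, p) for p in PRODUCTS}


def make_pkce() -> tuple[str, str]:
    """RFC 7636 code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(tenant_id, client_id, host, product, scopes, state, code_challenge):
    """Authorization request against the v2.0 endpoint of a specific tenant.

    Putting the tenant id (not "common") in the path is what makes a
    single-tenant registration reject sign-ins from other directories.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri_for(host, product),
        "response_mode": "query",
        "scope": " ".join(BASE_SCOPES + list(scopes)),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return (f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
            + urlencode(params))


def redirect_uri_is_registered(candidate: str, registered: set[str]) -> bool:
    """Entra ID compares redirect URIs as exact strings: scheme, host, path and
    trailing slash all have to match, so http:// or a stray "/" is rejected."""
    return candidate in registered


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, refusing the response if the state does
    not match the value we sent (the CSRF check on the redirect)."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    return query["code"][0]


def token_request_body(client_id, client_secret, code, redirect_uri, code_verifier):
    """Form body for the code exchange at
    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
    The client secret is sent only in this server-to-server request, never
    in the browser redirect."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one in the authorize request
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("<TENANT_ID>", "<CLIENT_ID>", "crew.example.com",
                              "outlook", ["Mail.Read", "Mail.Send"], state, challenge))
```

The verifier and state must be kept server-side per session and compared on the callback; the code exchange then goes to the token endpoint with the client secret, which is why the secret never needs to reach the browser.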
Configure API Permissions
Step 1: Add Microsoft Graph Permissions
- In your app registration, click API permissions in the left sidebar
- Click Add a permission
- Select Microsoft Graph
- Select Delegated permissions (the integrations act on behalf of the signed-in user, so access is bounded by what that user can already reach; do not add Application permissions, which would grant the app tenant-wide access with no user in the loop)
- Add the permissions required for your integrations (see Required Scopes below)
- Click Add permissions
Step 2: Grant Admin Consent
Some permissions require admin consent. If you have admin privileges:
- Click Grant admin consent for [Your Organization]
- Click Yes to confirm
If you don’t have admin privileges, you’ll need to request consent from your Azure AD administrator. Without admin consent, some integrations may not work properly.
Create Client Secret
Step 1: Generate a New Secret
- In your app registration, click Certificates & secrets in the left sidebar
- Under Client secrets, click New client secret
- Enter a description (e.g., “CrewAI Production”)
- Select an expiration period:
  - 6 months - More secure, requires regular rotation
  - 12 months - Balance of security and convenience
  - 24 months - Less maintenance, but less secure
  Whichever you choose, record the expiry date and rotate before it: an expired secret surfaces as AADSTS7000215 (see Troubleshooting).
- Click Add
Step 2: Save the Secret Value
Important: Copy the secret Value immediately. It will only be shown once. If you navigate away without copying it, you’ll need to create a new secret. The Secret ID shown beside it is only an identifier, not the credential; configuring it instead of the Value is a common cause of “invalid client secret” errors.
Store the Client ID and Client Secret securely for CrewAI configuration. The Client ID is a public identifier; the Client Secret is the credential and must be treated like a password (a secrets manager or a Kubernetes Secret, not a values file committed to version control).
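Because the secret Value cannot be recovered later, the only thing you can still inspect about an existing secret is its metadata. The script below is an added example (not CrewAI code) that reads the credential list of an app registration and flags secrets that are expired or inside a rotation window. The input shape is assumed to be the JSON printed by `az ad app credential list --id <APP_ID>` (Microsoft Graph passwordCredential objects with displayName, keyId, startDateTime, endDateTime and hint); the three records embedded below are constructed for the example.

```python
"""Flag client secrets that are expired or due for rotation.

Added example, not CrewAI code. Input shape assumed: the JSON that
`az ad app credential list --id <APP_ID>` prints (Graph passwordCredential
objects). The records below are constructed. `hint` is only the first
characters of the secret and `keyId` is the Secret ID: neither recovers the
value, so a lost value always means issuing a new secret.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample output; real output carries the same field names.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "CrewAI Production",
     "keyId": "11111111-1111-1111-1111-111111111111",
     "startDateTime": "2024-12-15T00:00:00Z", "endDateTime": "2025-06-15T00:00:00Z",
     "hint": "abc"},
    {"displayName": "CrewAI Staging",
     "keyId": "22222222-2222-2222-2222-222222222222",
     "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z",
     "hint": "def"},
    {"displayName": "old secret",
     "keyId": "33333333-3333-3333-3333-333333333333",
     "startDateTime": "2024-07-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z",
     "hint": "ghi"},
])


def parse_utc(ts: str) -> datetime:
    """Graph returns RFC 3339 with a trailing Z; fromisoformat before
    Python 3.11 only accepts the +00:00 form."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def classify_secrets(credentials_json: str, now_iso: str, warn_days: int = 30) -> list[dict]:
    """One row per secret with status expired / expiring / ok, soonest first."""
    now = parse_utc(now_iso)
    rows = []
    for cred in json.loads(credentials_json):
        expires = parse_utc(cred["endDateTime"])
        if expires <= now:
            status = "expired"
        elif expires - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        rows.append({
            "name": cred.get("displayName"),
            "keyId": cred["keyId"],
            "expires": expires.isoformat(),
            "days_left": (expires - now).days,
            "status": status,
        })
    rows.sort(key=lambda r: r["expires"])
    return rows


def status_of(credentials_json: str, now_iso: str, display_name: str,
              warn_days: int = 30) -> str:
    """Status of the secret CrewAI is configured with, looked up by its
    description; "missing" if no secret with that description exists."""
    for row in classify_secrets(credentials_json, now_iso, warn_days):
        if row["name"] == display_name:
            return row["status"]
    return "missing"


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    for row in classify_secrets(SAMPLE_CREDENTIALS, now):
        print(f'{row["status"]:9} {row["days_left"]:5d}d  {row["name"]}  ({row["keyId"]})')
```

Run it from a scheduled job against the real `az ad app credential list` output and alert on "expiring" for the description you configured in CrewAI; the overlap window lets you create the replacement secret, roll it out, and only then delete the old one.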
Required Scopes per Integration
The following permissions should be added to your app registration. All integrations require the base permissions, plus integration-specific permissions.
Base Permissions (Required for All)
| Permission | Type | Description |
|---|---|---|
| offline_access | Delegated | Maintain access to data (refresh tokens) |
| openid | Delegated | Sign users in |
| profile | Delegated | View users’ basic profile |
| User.Read | Delegated | Sign in and read user profile |
Microsoft Outlook (Email)
| Permission | Type | Description |
|---|---|---|
| Mail.Read | Delegated | Read user mail |
| Mail.ReadWrite | Delegated | Read and write user mail |
| Mail.Send | Delegated | Send mail as the user |
Microsoft Outlook (Calendar)
| Permission | Type | Description |
|---|---|---|
| Calendars.Read | Delegated | Read user calendars |
| Calendars.ReadWrite | Delegated | Read and write user calendars |
Microsoft OneDrive
| Permission | Type | Description |
|---|---|---|
| Files.Read | Delegated | Read user files |
| Files.ReadWrite | Delegated | Read and write user files |
| Files.ReadWrite.All | Delegated | Full access to all files the user can access |
Microsoft Teams
| Permission | Type | Description | Admin Consent |
|---|---|---|---|
| ChannelMessage.Read.All | Delegated | Read channel messages | Yes |
| Chat.Read | Delegated | Read user chat messages | No |
| Chat.ReadWrite | Delegated | Read and write user chat messages | No |
| Team.ReadBasic.All | Delegated | Read basic team info | No |
| TeamMember.Read.All | Delegated | Read team members | Yes |
Teams integration requires admin consent for some permissions. Ensure your Azure AD administrator grants consent for the app.
Microsoft SharePoint
| Permission | Type | Description |
|---|---|---|
| Sites.Read.All | Delegated | Read items in all site collections |
| Sites.ReadWrite.All | Delegated | Read and write items in all site collections |
Microsoft Excel
| Permission | Type | Description |
|---|---|---|
| Files.ReadWrite.All | Delegated | Full access to all files the user can access |
| Sites.ReadWrite.All | Delegated | Access SharePoint sites (for Excel files in SharePoint) |
Microsoft Word
| Permission | Type | Description |
|---|---|---|
| Files.ReadWrite.All | Delegated | Full access to all files the user can access |
| Sites.ReadWrite.All | Delegated | Access SharePoint sites (for Word files in SharePoint) |
Complete Permissions Summary
Here’s a consolidated view of all permissions needed for full Microsoft 365 integration:
| Permission | Required For |
|---|---|
| offline_access | All integrations |
| openid | All integrations |
| profile | All integrations |
| User.Read | All integrations |
| Mail.Read | Outlook (email) |
| Mail.ReadWrite | Outlook (email) |
| Mail.Send | Outlook (email) |
| Calendars.Read | Outlook (calendar) |
| Calendars.ReadWrite | Outlook (calendar) |
| Files.Read | OneDrive |
| Files.ReadWrite | OneDrive |
| Files.ReadWrite.All | OneDrive, Excel, Word |
| Sites.Read.All | SharePoint |
| Sites.ReadWrite.All | SharePoint, Excel, Word |
| ChannelMessage.Read.All | Teams |
| Chat.Read | Teams |
| Chat.ReadWrite | Teams |
| Team.ReadBasic.All | Teams |
| TeamMember.Read.All | Teams |
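Whether consent actually went through is visible in the scp claim of the Microsoft Graph access token the flow returns, so a quick way to verify the tables above against reality is to diff that claim against the per-integration requirements. The script below is an added example (not CrewAI code) that does this for every integration and also lists which of an integration's permissions need admin consent. The token embedded in it is constructed (a JWT with a dummy signature) so the script runs offline; in practice pass the access_token from the token endpoint response. The payload is decoded without signature verification, which is acceptable for a diagnostic on a token you just received from login.microsoftonline.com and never for an authorization decision (Graph, as the audience, is the party that validates it).

```python
"""Diff a Graph access token's scp claim against the per-integration
requirements tabulated on this page.

Added example, not CrewAI code. The token is constructed (fake signature);
the payload is decoded without verification, for diagnostics only.
"""
import base64
import json

# openid/profile/User.Read show up in scp; offline_access never does, it is
# observable only as a refresh_token in the token response (see below).
BASE_SCOPES = {"openid", "profile", "User.Read"}

REQUIRED_SCOPES = {
    "outlook_email": {"Mail.Read", "Mail.ReadWrite", "Mail.Send"},
    "outlook_calendar": {"Calendars.Read", "Calendars.ReadWrite"},
    "onedrive": {"Files.Read", "Files.ReadWrite", "Files.ReadWrite.All"},
    "teams": {"ChannelMessage.Read.All", "Chat.Read", "Chat.ReadWrite",
              "Team.ReadBasic.All", "TeamMember.Read.All"},
    "sharepoint": {"Sites.Read.All", "Sites.ReadWrite.All"},
    "excel": {"Files.ReadWrite.All", "Sites.ReadWrite.All"},
    "word": {"Files.ReadWrite.All", "Sites.ReadWrite.All"},
}

# Delegated permissions the page marks as needing admin consent.
ADMIN_CONSENT_SCOPES = {"ChannelMessage.Read.All", "TeamMember.Read.All"}

# Both forms of the Graph audience that appear in real tokens.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims: dict) -> str:
    """Constructed test token: real header/payload layout, fake signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.fakesignature"


# Constructed sample: a user consented to Outlook email scopes except Mail.ReadWrite.
SAMPLE_TOKEN = make_constructed_token({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "scp": "Mail.Read Mail.Send User.Read profile openid",
    "exp": 1700000000,
})


def jwt_claims(token: str) -> dict:
    """Payload of a compact JWS, NOT verified (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token: str) -> set[str]:
    claims = jwt_claims(token)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError("not a Microsoft Graph access token")
    return set(claims.get("scp", "").split())


def missing_scopes(granted: set[str], integration: str) -> list[str]:
    return sorted((BASE_SCOPES | REQUIRED_SCOPES[integration]) - granted)


def consent_report(granted: set[str]) -> dict:
    """Integration name -> permissions still missing from the token."""
    return {name: missing_scopes(granted, name) for name in REQUIRED_SCOPES}


def needs_admin_consent(integration: str) -> list[str]:
    return sorted(REQUIRED_SCOPES[integration] & ADMIN_CONSENT_SCOPES)


def has_refresh_token(token_response: dict) -> bool:
    """The observable sign that offline_access was granted."""
    return bool(token_response.get("refresh_token"))


if __name__ == "__main__":
    for name, missing in consent_report(granted_scopes(SAMPLE_TOKEN)).items():
        admin = needs_admin_consent(name)
        print(f"{name:17} missing={missing}" + (f" admin_consent={admin}" if admin else ""))
```

If an integration shows missing permissions even though they are listed in the app registration, the usual causes are that the scope was not included in the authorization request, or (for the Teams permissions marked Yes) that admin consent was never granted.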
Configure CrewAI
After obtaining your OAuth credentials, configure them in your CrewAI Helm values:
```yaml
oauth:
  enabled: true
  secrets:
    microsoft:
      clientId: "your-application-client-id"
      clientSecret: "your-client-secret-value"
```
Keep the real secret value out of any values file that is checked into source control; supply it at deploy time from your secret store (for example via --set or a separately managed, access-controlled values file).
You can also configure product-specific credentials if you need separate Azure app registrations for different Microsoft services:
```yaml
oauth:
  secrets:
    microsoft:
      # Shared credentials (used as fallback)
      clientId: "shared-client-id"
      clientSecret: "shared-client-secret"
      # Product-specific overrides (optional)
      outlook:
        clientId: "outlook-specific-client-id"
        clientSecret: "outlook-specific-client-secret"
      teams:
        clientId: "teams-specific-client-id"
        clientSecret: "teams-specific-client-secret"
      onedrive:
        clientId: "onedrive-specific-client-id"
        clientSecret: "onedrive-specific-client-secret"
      sharepoint:
        clientId: "sharepoint-specific-client-id"
        clientSecret: "sharepoint-specific-client-secret"
      excel:
        clientId: "excel-specific-client-id"
        clientSecret: "excel-specific-client-secret"
      word:
        clientId: "word-specific-client-id"
        clientSecret: "word-specific-client-secret"
```
See Built-in Integrations Configuration for complete configuration options.
Troubleshooting
Common Issues
“AADSTS650052: The app needs access to a service”
- Ensure all required permissions are added to the app registration
- Grant admin consent for permissions that require it
“AADSTS700016: Application not found”
- Verify the Client ID is correct
- Ensure the app registration exists in the correct Azure AD tenant, and that the tenant in the authority URL used by your deployment is that same tenant
“AADSTS7000215: Invalid client secret”
- The client secret may have expired
- Check that you configured the secret Value, not the Secret ID shown next to it in the portal
- Create a new client secret and update your configuration
Refresh token expires frequently
- Ensure the offline_access permission is granted and is included in the requested scopes
- Check Azure AD token lifetime policies and Conditional Access sign-in frequency settings in your tenant