
Overview

CrewAI supports integration with Microsoft 365 applications including Outlook (email and calendar), OneDrive, Teams, SharePoint, Excel, and Word. This guide walks you through setting up OAuth credentials in the Azure portal to enable these integrations.

Prerequisites

  • Access to your organization’s Azure portal (most organizations using Microsoft 365 already have this)
  • Permissions to create app registrations in your Azure tenant
  • Admin consent capability for granting API permissions (may require your Microsoft 365 or Azure administrator)

Azure App Registration Setup

Step 1: Navigate to App Registrations

  1. Sign in to the Azure Portal
  2. Search for App registrations in the top search bar
  3. Click New registration

Step 2: Register Your Application

  1. Name: Enter a name for your application (e.g., “CrewAI Integration”)
  2. Supported account types: Select the appropriate option:
     Option | Description | Use Case
     Single tenant | Only accounts in your organization | Enterprise deployment with internal users only
     Multitenant | Accounts in any organizational directory | Enterprise deployment with external collaborators
     Multitenant + personal | Any organizational or personal Microsoft accounts | Broadest access including personal accounts
For most enterprise deployments, select Accounts in this organizational directory only (single tenant) for better security control.
If you select single tenant, you’ll need to configure your Directory (tenant) ID in CrewAI. See Configure CrewAI Helm Values below.
  3. Redirect URI:
    • Select Web as the platform
    • Add redirect URIs for each Microsoft integration you want to enable:
      Default configuration (NGINX with shared hostname):
      https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_outlook/callback
      https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_onedrive/callback
      https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_teams/callback
      https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_sharepoint/callback
      https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_excel/callback
      https://<YOUR_APPLICATION_HOST>/oauthsvc/oauth/microsoft_word/callback

      Separate OAuth hostname (GKE/ALB with path: "/"):
      https://<YOUR_OAUTH_HOST>/oauth/microsoft_outlook/callback
      https://<YOUR_OAUTH_HOST>/oauth/microsoft_onedrive/callback
      https://<YOUR_OAUTH_HOST>/oauth/microsoft_teams/callback
      https://<YOUR_OAUTH_HOST>/oauth/microsoft_sharepoint/callback
      https://<YOUR_OAUTH_HOST>/oauth/microsoft_excel/callback
      https://<YOUR_OAUTH_HOST>/oauth/microsoft_word/callback

    When using GKE’s native ingress or a separate OAuth hostname with oauth.ingress.path: "/", the /oauthsvc prefix is not included. See OAuth Ingress Path Configuration.
  4. Click Register

Step 3: Note Your Application Credentials

After registration, you’ll be taken to the app’s overview page. Note the following values:
  • Application (client) ID: This is your Client ID
  • Directory (tenant) ID: Your organization’s tenant ID

Configure API Permissions

Step 1: Add Microsoft Graph Permissions

  1. In your app registration, click API permissions in the left sidebar
  2. Click Add a permission
  3. Select Microsoft Graph
  4. Select Delegated permissions
  5. Add the permissions required for your integrations (see Required Scopes below)
  6. Click Add permissions
Some permissions require admin consent. If you have admin privileges:
  1. Click Grant admin consent for [Your Organization]
  2. Click Yes to confirm
If you don’t have admin privileges, you’ll need to request consent from your organization’s Microsoft 365 or Azure administrator. Without admin consent, some integrations may not work properly.

Create Client Secret

Step 1: Generate a New Secret

  1. In your app registration, click Certificates & secrets in the left sidebar
  2. Under Client secrets, click New client secret
  3. Enter a description (e.g., “CrewAI Production”)
  4. Select an expiration period:
    • 6 months - More secure, requires regular rotation
    • 12 months - Balance of security and convenience
    • 24 months - Less maintenance, but less secure
  5. Click Add

Step 2: Save the Secret Value

Important: Copy the secret Value immediately. It will only be shown once. If you navigate away without copying it, you’ll need to create a new secret.
Store the Client ID and Client Secret securely for CrewAI configuration.

Required Scopes per Integration

The following permissions should be added to your app registration. All integrations require the base permissions, plus integration-specific permissions.

Base Permissions (Required for All)

Permission | Type | Description
offline_access | Delegated | Maintain access to data (refresh tokens)
openid | Delegated | Sign users in
profile | Delegated | View users’ basic profile
User.Read | Delegated | Sign in and read user profile

Microsoft Outlook (Email)

Permission | Type | Description
Mail.Read | Delegated | Read user mail
Mail.ReadWrite | Delegated | Read and write user mail
Mail.Send | Delegated | Send mail as the user

Microsoft Outlook (Calendar)

Permission | Type | Description
Calendars.Read | Delegated | Read user calendars
Calendars.ReadWrite | Delegated | Read and write user calendars

Microsoft OneDrive

Permission | Type | Description
Files.Read | Delegated | Read user files
Files.ReadWrite | Delegated | Read and write user files
Files.ReadWrite.All | Delegated | Full access to all files user can access

Microsoft Teams

Permission | Type | Description | Admin Consent
ChannelMessage.Read.All | Delegated | Read channel messages | Yes
Chat.Read | Delegated | Read user chat messages | No
Chat.ReadWrite | Delegated | Read and write user chat messages | No
Team.ReadBasic.All | Delegated | Read basic team info | No
TeamMember.Read.All | Delegated | Read team members | Yes
Teams integration requires admin consent for some permissions. Ensure your organization’s Microsoft 365 or Azure administrator grants consent for the app.

Microsoft SharePoint

Permission | Type | Description
Sites.Read.All | Delegated | Read items in all site collections
Sites.ReadWrite.All | Delegated | Read and write items in all site collections

Microsoft Excel

Permission | Type | Description
Files.ReadWrite.All | Delegated | Full access to user files
Sites.ReadWrite.All | Delegated | Access SharePoint sites (for Excel files in SharePoint)

Microsoft Word

Permission | Type | Description
Files.ReadWrite.All | Delegated | Full access to user files
Sites.ReadWrite.All | Delegated | Access SharePoint sites (for Word files in SharePoint)

Complete Permissions Summary

Here’s a consolidated view of all permissions needed for full Microsoft 365 integration:
Permission | Required For
offline_access | All integrations
openid | All integrations
profile | All integrations
User.Read | All integrations
Mail.Read | Outlook (email)
Mail.ReadWrite | Outlook (email)
Mail.Send | Outlook (email)
Calendars.Read | Outlook (calendar)
Calendars.ReadWrite | Outlook (calendar)
Files.Read | OneDrive
Files.ReadWrite | OneDrive
Files.ReadWrite.All | OneDrive, Excel, Word
Sites.Read.All | SharePoint
Sites.ReadWrite.All | SharePoint, Excel, Word
ChannelMessage.Read.All | Teams
Chat.Read | Teams
Chat.ReadWrite | Teams
Team.ReadBasic.All | Teams
TeamMember.Read.All | Teams
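
If you enable only some integrations, the app registration needs only their permissions plus the base set. The following added example (not CrewAI code) computes that minimal set from the tables above and compares it with the permissions configured on an app registration. The integration keys, function names and sample list are assumptions made for illustration.

```python
# Added example: least-privilege check built from this page's permission tables.
# Integration keys and function names are hypothetical, not CrewAI identifiers.
BASE = {"offline_access", "openid", "profile", "User.Read"}
PER_INTEGRATION = {
    "outlook_email": {"Mail.Read", "Mail.ReadWrite", "Mail.Send"},
    "outlook_calendar": {"Calendars.Read", "Calendars.ReadWrite"},
    "onedrive": {"Files.Read", "Files.ReadWrite", "Files.ReadWrite.All"},
    "teams": {"ChannelMessage.Read.All", "Chat.Read", "Chat.ReadWrite",
              "Team.ReadBasic.All", "TeamMember.Read.All"},
    "sharepoint": {"Sites.Read.All", "Sites.ReadWrite.All"},
    "excel": {"Files.ReadWrite.All", "Sites.ReadWrite.All"},
    "word": {"Files.ReadWrite.All", "Sites.ReadWrite.All"},
}
# Only the Teams table on this page marks permissions as needing admin consent.
ADMIN_CONSENT = {"ChannelMessage.Read.All", "TeamMember.Read.All"}

def required_scopes(integrations):
    """Union of the base permissions and those of each enabled integration."""
    unknown = set(integrations) - PER_INTEGRATION.keys()
    if unknown:
        raise ValueError(f"unknown integrations: {sorted(unknown)}")
    scopes = set(BASE)
    for name in integrations:
        scopes |= PER_INTEGRATION[name]
    return scopes

def audit_registration(integrations, configured):
    """Compare permissions configured on the app registration with what is needed."""
    need, have = required_scopes(integrations), set(configured)
    return {
        "missing": sorted(need - have),   # integration will fail or be degraded
        "excess": sorted(have - need),    # candidates for removal
        "needs_admin_consent": sorted(need & ADMIN_CONSENT),
    }

# Constructed sample: permission names as listed on an app's API permissions page.
SAMPLE_CONFIGURED = sorted(BASE) + [
    "Calendars.Read", "Calendars.ReadWrite", "Chat.Read", "Team.ReadBasic.All",
    "Files.ReadWrite.All", "Sites.ReadWrite.All",
]

if __name__ == "__main__":
    report = audit_registration(["outlook_calendar", "teams"], SAMPLE_CONFIGURED)
    for key, values in report.items():
        print(f"{key}: {', '.join(values) or '-'}")
```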

Configure CrewAI Helm Values

After obtaining your OAuth credentials, configure them in your CrewAI Helm values:
oauth:
  enabled: true
  secrets:
    microsoft:
      clientId: "your-application-client-id"
      clientSecret: "your-client-secret-value"

Single-Tenant Configuration

If you registered your Azure app as single tenant (recommended for enterprise), you must also configure your Directory (tenant) ID:
oauth:
  enabled: true
  secrets:
    microsoft:
      clientId: "your-application-client-id"
      clientSecret: "your-client-secret-value"
      tenantId: "your-directory-tenant-id"
Find your Directory (tenant) ID on your app registration’s overview page in the Azure Portal.
If tenantId is not configured, CrewAI uses Microsoft’s multi-tenant endpoint (common), which allows users from any Microsoft 365 organization to connect their accounts.

Product-Specific Configuration

You can configure different credentials or tenant IDs for specific Microsoft services if needed:
oauth:
  secrets:
    microsoft:
      # Shared credentials (used as fallback)
      clientId: "shared-client-id"
      clientSecret: "shared-client-secret"
      tenantId: "shared-tenant-id"

      # Product-specific overrides (optional)
      outlook:
        clientId: "outlook-specific-client-id"
        clientSecret: "outlook-specific-client-secret"
        tenantId: "outlook-specific-tenant-id"
      teams:
        clientId: "teams-specific-client-id"
        clientSecret: "teams-specific-client-secret"
        tenantId: "teams-specific-tenant-id"
      onedrive:
        clientId: "onedrive-specific-client-id"
        clientSecret: "onedrive-specific-client-secret"
        tenantId: "onedrive-specific-tenant-id"
      sharepoint:
        clientId: "sharepoint-specific-client-id"
        clientSecret: "sharepoint-specific-client-secret"
        tenantId: "sharepoint-specific-tenant-id"
      excel:
        clientId: "excel-specific-client-id"
        clientSecret: "excel-specific-client-secret"
        tenantId: "excel-specific-tenant-id"
      word:
        clientId: "word-specific-client-id"
        clientSecret: "word-specific-client-secret"
        tenantId: "word-specific-tenant-id"
See Built-in Integrations Configuration for complete configuration options.
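
A pre-deployment check for the behaviour described above, where a product with no tenantId ends up on the multi-tenant common endpoint. This is an added example, not CrewAI code: it assumes product overrides fall back to the shared values field by field, and it uses the Microsoft identity platform v2.0 authorize URL form. The function names and sample values are constructed for illustration.

```python
# Added example: audit the oauth.secrets.microsoft block of the Helm values.
# Assumption: each product override falls back to the shared value per field.
PRODUCTS = ("outlook", "teams", "onedrive", "sharepoint", "excel", "word")
FIELDS = ("clientId", "clientSecret", "tenantId")

def effective(microsoft, product):
    """Resolve the credentials one product would use: override first, shared second."""
    override = microsoft.get(product) or {}
    return {f: override.get(f) or microsoft.get(f) for f in FIELDS}

def authorize_endpoint(microsoft, product):
    """v2.0 authorize URL for the product; 'common' when no tenantId resolves."""
    tenant = effective(microsoft, product)["tenantId"] or "common"
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

def audit(microsoft):
    """Return (product, finding) pairs to fix before deployment."""
    findings = []
    for product in PRODUCTS:
        cfg = effective(microsoft, product)
        for field in ("clientId", "clientSecret"):
            if not cfg[field]:
                findings.append((product, f"missing {field}"))
        if not cfg["tenantId"]:
            findings.append((product, "no tenantId: multi-tenant 'common' endpoint"))
    return findings

# Constructed sample: shared app without tenantId, Outlook pinned to one tenant,
# Teams using its own client ID but inheriting everything else.
SAMPLE = {
    "clientId": "shared-client-id",
    "clientSecret": "shared-client-secret",
    "outlook": {"tenantId": "00000000-0000-0000-0000-000000000000"},
    "teams": {"clientId": "teams-specific-client-id"},
}

if __name__ == "__main__":
    for product, finding in audit(SAMPLE):
        print(f"{product}: {finding}")
    print(authorize_endpoint(SAMPLE, "outlook"))
```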

Troubleshooting

Common Issues

“AADSTS650052: The app needs access to a service”
  • Ensure all required permissions are added to the app registration
  • Grant admin consent for permissions that require it
“AADSTS700016: Application not found”
  • Verify the Client ID is correct
  • Ensure the app registration exists in the correct Azure tenant
“AADSTS7000215: Invalid client secret”
  • The client secret may have expired
  • Create a new client secret and update your configuration
Refresh token expires frequently
  • Ensure offline_access permission is granted
  • Check token lifetime policies in your Azure tenant