Outlook Connector Setup
Index Outlook emails and events by creating a dedicated App Registration with the appropriate permissions.
Setup Checklist
Before starting, ensure you have:
- Azure Global Administrator or Cloud Application Administrator role
- Microsoft 365 licensing for Outlook content
- Certificate generated (see Certificate Generation Guide)
- Active Atolio deployment
Required API Permissions
Step 1: Create App Registration
- Navigate to Azure Portal > App Registrations
- Click “New registration”
- Enter the name: Atolio Outlook
- Select “Accounts in this organizational directory only”
- Click “Register”
Step 2: Add API Permissions
⚠️ Important: Only add Application permissions, not Delegated permissions
- In your App Registration, click “API permissions” in the left menu
- Click “Add a permission”
- Select “Microsoft Graph”
- Click “Application permissions” (not Delegated permissions)
Add these Microsoft Graph permissions:
Identity & Directory Permissions (Required for ACL mapping)
Application.Read.All
Group.Read.All
GroupMember.Read.All
User.Read.All
Directory.Read.All (optional; it can be omitted by setting disable_full_permissions: true in the configuration)
Outlook Content Permissions
Mail.Read
Calendars.Read
MailboxSettings.Read
Domain.Read.All
Step 3: Grant Admin Consent
- After adding all permissions, click “Grant admin consent for [your tenant name]” at the top of the API permissions page
- Confirm by clicking “Yes”
- Verify all permissions show “Granted for [your tenant name]” with green checkmarks
Step 4: Upload Certificate
- Click “Certificates & secrets” in the left menu
- Click “Upload certificate”
- Select your .cer file (not the .pfx file)
- Add the description: Atolio Outlook Authentication
- Click “Add”
Step 5: Collect Configuration Values
From the “Overview” page, copy:
- Application (client) ID
- Directory (tenant) ID
You’ll provide these, along with your base64-encoded .pfx certificate, to your Atolio support contact.
Resource Filtering
Limit indexing scope using resource filters. Outlook supports multiple filter types:
User Filtering
Index mailboxes for specific user accounts:
```yaml
resources:
  user:
    included:
      - arthur.dent@example.com
      - ford.prefect@example.com
    excluded:
      - galactic-president@example.com
```
LDAP Group Filtering
Index mailboxes for members of Entra ID security/distribution groups:
```yaml
resources:
  ldap:
    included:
      - f47ed439-7c7d-430d-aff3-0acecdec2cae # Engineering Security Group (ObjectId)
```
LDAP Group Filter Notes:
- Accepts Entra ID group ObjectIds (GUIDs) or distinguished names
- Filters based on transitive group membership
- Only indexes mailboxes of group members
- Only a single LDAP group filter is supported at a time
- Use Azure AD PowerShell or Graph Explorer to find group ObjectIds
Manually Specify Email Address Domains
If your organization’s email address domains are already listed in the MS Graph API /domains query, you can skip this step.
For Atolio to identify contributors of Outlook resources correctly, a list of email address domains must be known. If users in your organization have email addresses like user1@example.com and user2@contoso.com, this list should consist of example.com and contoso.com.
You can manually specify an email address domain list as part of your configuration in the following format:
```yaml
known-domains:
  - example.com
  - contoso.com
```
Sample Configuration
Here’s a complete YAML configuration example for Outlook:
```yaml
connector: microsoft
source: outlook
common:
  enabled: true
  identity-provider: false
  cron-spec: "20 */1 * * *"
secrets:
  client_cert:
    value: "<BASE64_ENCODED_PFX_CONTENT>"
  client_cert_password:
    value: "<CERTIFICATE_PASSWORD>" # Optional if no password set
configuration:
  client-id: "<APPLICATION_CLIENT_ID>"
  tenant-id: "<DIRECTORY_TENANT_ID>"
  disable_full_permissions: false
  disable-attachments: true # Set to false to index email attachments
  backfill-start-time: "2025-01-01T00:00:00Z" # Index emails from this date
  known-domains:
    - contoso.com
    - example.com
  resources:
    user:
      included:
        - arthur.dent@example.com
        - ford.prefect@example.com
    ldap:
      included:
        - f47ed439-7c7d-430d-aff3-0acecdec2cae # Atolio Users Group
```
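Before handing a configuration to support, it is worth checking it against the rules this page states (GUID client/tenant IDs, base64 certificate, a single LDAP group filter, known-domains covering the user filters). The checker below is an added example, not Atolio code; it takes the parsed YAML as a dict (e.g. from PyYAML’s safe_load) and the sample config and its placeholder pattern are constructed for illustration.

```python
import base64
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PLACEHOLDER_RE = re.compile(r"^<[A-Z_]+>$")  # e.g. "<APPLICATION_CLIENT_ID>" left unfilled


def check_outlook_config(doc: dict) -> list:
    """Return a list of problems found; an empty list means the config passed."""
    problems = []
    cfg = doc.get("configuration") or {}
    secrets = doc.get("secrets") or {}
    if (doc.get("connector"), doc.get("source")) != ("microsoft", "outlook"):
        problems.append("connector/source must be microsoft/outlook")
    # Client and tenant IDs are copied from the Overview page and are GUIDs.
    for key in ("client-id", "tenant-id"):
        val = str(cfg.get(key, ""))
        if PLACEHOLDER_RE.match(val):
            problems.append(f"{key} still holds the placeholder {val}")
        elif not GUID_RE.match(val):
            problems.append(f"{key} is not a GUID: {val!r}")
    # The certificate is supplied as base64 of the .pfx, never as the raw file.
    cert = str((secrets.get("client_cert") or {}).get("value", ""))
    if PLACEHOLDER_RE.match(cert):
        problems.append("client_cert still holds a placeholder")
    else:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:
            problems.append("client_cert is not valid base64")
    resources = cfg.get("resources") or {}
    # Only a single LDAP group filter is supported; entries are ObjectIds or DNs.
    ldap = (resources.get("ldap") or {}).get("included") or []
    if len(ldap) > 1:
        problems.append(f"only one LDAP group filter is supported, got {len(ldap)}")
    for gid in ldap:
        if not (GUID_RE.match(str(gid)) or "=" in str(gid)):
            problems.append(f"ldap filter {gid!r} is neither an ObjectId nor a DN")
    # Every user-filter address should belong to a domain listed in known-domains.
    known = {d.lower() for d in cfg.get("known-domains") or []}
    user = resources.get("user") or {}
    for addr in (user.get("included") or []) + (user.get("excluded") or []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if known and domain not in known:
            problems.append(f"domain {domain} ({addr}) is missing from known-domains")
    return problems


# Constructed sample: an unfilled tenant placeholder, two LDAP groups and a user
# whose domain is not in known-domains, so exactly three findings are expected.
SAMPLE_CONFIG = {
    "connector": "microsoft", "source": "outlook",
    "secrets": {"client_cert": {"value": base64.b64encode(b"pfx-bytes").decode()}},
    "configuration": {
        "client-id": "11111111-2222-3333-4444-555555555555",
        "tenant-id": "<DIRECTORY_TENANT_ID>",
        "known-domains": ["example.com"],
        "resources": {
            "user": {"included": ["arthur.dent@example.com", "zaphod@contoso.com"]},
            "ldap": {"included": ["f47ed439-7c7d-430d-aff3-0acecdec2cae",
                                  "CN=Engineering,OU=Groups,DC=example,DC=com"]},
        },
    },
}
```

Running check_outlook_config(SAMPLE_CONFIG) reports the placeholder, the second LDAP group and the contoso.com address; fix those and the list comes back empty.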
Troubleshooting
| Error | Cause | Solution |
|---|---|---|
| 401 Unauthorized | Missing admin consent | Click “Grant admin consent” in API permissions |
| 403 Forbidden | Wrong permission type | Ensure you added Application permissions, not Delegated |
| invalid_client | Certificate not found/expired | Verify the certificate is uploaded and valid |
| Mailboxes not appearing | Missing mail permissions | Verify the Mail.Read and Calendars.Read permissions |
| LDAP filtering not working | Invalid group ObjectId | Use Azure AD PowerShell to verify the group ID |
| Contributor identification issues | Missing known-domains | Add all organization email domains to the configuration |