==== Register an application in Microsoft Entra ID ====

=== 1. Register a new application ===

Navigate to **App registrations**, then select **+ New registration**.

{{:wiki:register_app.png?600|}}

Name your application and select the option for **Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)**.

{{:wiki:select_tenant.png?600|}}

Create a **Web** URI like so, then click **Register**.

{{:wiki:web_uri.png?600|}}

=== 2. Additional redirect URIs ===

In the application overview navigate to your redirect URIs:

{{:wiki:add_uri.png?600|}}

Select **+ Add a platform** again and add a new **Single-page application**, then create the following two redirect URIs:

%%1. https://./login/login.html%%

%%2. https://./new-o365/dist/index.html%%

=== 3. Create a client secret ===

Navigate to **Certificates & secrets** and select **+ New client secret**.

{{:wiki:new_secret.png?600|}}

Give the secret a name and an expiration, save, then copy the **value** for the next step.

Don’t forget! The secret value is only visible **once**. When you leave this page it becomes hidden permanently and you will not be able to copy it again.

==== Connect your application to Lucy ====

=== 1. Add your Microsoft Entra ID (Azure) application ===

== Settings > Common System Settings > Azure Applications ==

Select **+ New Application** and fill out the details. Use the client ID, client secret, and tenant ID from the application you created. Click **Save**, and then you will be prompted to authenticate with Entra ID using your Microsoft account.

{{:wiki:connect_app.png?600|}}

To complete the setup you must be an administrator in the AD, and you must grant the requested permissions when connecting the application to Lucy:

{{ wiki:permissions.png?300 }}

== API permissions explained ==

^ Setting ^ Explanation ^
| User.Read | Allows the app to sign in and read the profile of the signed-in user. |
| Directory.Read.All | Allows the app to read data in the user's directory. |
| email | Allows the app to access the user's primary email address. |
| offline_access | Allows the app to request refresh tokens. |
| openid | Sign users in. |
| profile | Allows the app to access the user's basic profile information. |
| User.Read.All | Allows the app to read the full profile of all users. |

=== 2. Configure the add-in settings ===

== Settings > Submitted Email Settings > Plugin Settings ==

Select **+ Add Settings** and choose a client and name, then click **Save**. Then you can configure the **Settings** and **Language Settings**. See [[phishing_incidents|this page]] for details on the different settings.

:!: When configuring the plugin settings for Office 365, be sure to select your application before saving!

**Default settings**

If you updated your workstation from version 4.12.1 to 4.13, the existing plugin settings are now stored under "Default Settings". You can create multiple configurations for the plugin on a per-client basis.

=== 3. Download the XML file ===

== Phishing Incident Reports ==

Navigate to the incidents dashboard and select **Download Plugin**. Select the option for **Microsoft Outlook 365**.

{{:wiki:download_plugin.png?600|}}

**Classic Microsoft Outlook 365**

This option uses the older REST API version of the add-in. Don’t use this unless you know why you’re doing it.

==== Install the add-in ====

=== For your organization ===

https://wiki.thrivedx.com/doku.php?id=o365_plugin#centralized_o365_plugin_installation_for_multiple_users

=== For an individual user ===

https://wiki.thrivedx.com/doku.php?id=o365_plugin#individual_installation
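
The registration steps above (multitenant audience, the two single-page-application redirect URIs, a client secret with an expiration) can be checked after the fact against the application object exported from Microsoft Graph. The following is an added example, not part of the original page or of Lucy: it assumes the Graph ''application'' resource field names (''signInAudience'', ''web.redirectUris'', ''spa.redirectUris'', ''passwordCredentials''), and the function name ''audit_app'', the host ''lucy.example.test'' and the web URI are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Paths of the two single-page-application redirect URIs listed on this page.
EXPECTED_SPA_PATHS = {"/login/login.html", "/new-o365/dist/index.html"}

def audit_app(app, now, warn_days=30):
    """Return findings for a Graph 'application' object given as a dict."""
    findings = []
    if app.get("signInAudience") != "AzureADMultipleOrgs":
        findings.append("signInAudience is not multitenant (AzureADMultipleOrgs)")
    web = app.get("web", {}).get("redirectUris", [])
    spa = app.get("spa", {}).get("redirectUris", [])
    for uri in web + spa:
        # A redirect URI receives authorization codes or tokens: require https, no wildcard.
        if urlsplit(uri).scheme != "https" or "*" in uri:
            findings.append(f"redirect URI is not a fixed https URL: {uri}")
    for path in sorted(EXPECTED_SPA_PATHS - {urlsplit(u).path for u in spa}):
        findings.append(f"no SPA redirect URI with path {path}")
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret registered")
    for cred in secrets:
        # Assumes whole-second UTC timestamps such as 2025-06-01T00:00:00Z.
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        name = cred.get("displayName", "?")
        if end <= now:
            findings.append(f"client secret '{name}' has expired")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"client secret '{name}' expires within {warn_days} days")
    return findings

# Constructed sample objects (not real tenant data).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
GOOD = {
    "signInAudience": "AzureADMultipleOrgs",
    "web": {"redirectUris": ["https://lucy.example.test/web"]},
    "spa": {"redirectUris": ["https://lucy.example.test/login/login.html",
                             "https://lucy.example.test/new-o365/dist/index.html"]},
    "passwordCredentials": [{"displayName": "lucy", "endDateTime": "2025-06-01T00:00:00Z"}],
}
BAD = {**GOOD, "signInAudience": "AzureADMyOrg",
       "spa": {"redirectUris": ["http://lucy.example.test/login/login.html"]},
       "passwordCredentials": [{"displayName": "lucy", "endDateTime": "2025-01-10T00:00:00Z"}]}

if __name__ == "__main__":
    for finding in audit_app(BAD, NOW):
        print("FINDING:", finding)
```

Running the audit on a schedule catches a client secret that is about to expire before the connection between Lucy and Entra ID stops working.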