==== Register an application in Microsoft Entra ID ====

=== 1. Register a new application ===

Navigate to **App registrations**, then select **+ New registration**.

{{:wiki:register_app.png?600|}}

Name your application and select the option for **Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**.

Create a **Web** redirect URI like so, then click **Register**.

{{:wiki:web_uri.png?600|}}

=== 2. Additional redirect URIs ===

In the application overview, navigate to your redirect URIs:

{{:wiki:add_uri.png?600|}}

Select **+ Add a platform** again and add a new **Mobile and desktop application**, then enable these redirect URIs:

{{:wiki:desktop_uri.png?600|}}

== Advanced settings ==

Enable **Access tokens** and **ID tokens**:

{{:wiki:tokens.png?600|}}

Enable **Live SDK Support** and **Allow public client flows**, then click **Save**.

{{:wiki:adv_settings.png?600|}}

=== 3. Create a client secret ===

Navigate to **Certificates & secrets** and select **+ New client secret**.

{{:wiki:new_secret.png?600|}}

Give the secret a name and an expiration, save it, then copy the **value** for the next step.

Don't forget: the secret value is only visible **once**. As soon as you leave this page it is hidden permanently and cannot be copied again; if you lose it, you must create a new secret.

==== Connect your application to Lucy ====

=== 1. Add your Microsoft Entra ID (Azure) application ===

== Settings > Common System Settings > Azure Applications ==

Select **+ New Application** and fill out the details. Use the client ID, client secret, and tenant ID from the application you created.

{{:wiki:connect_app.png?600|}}

After saving the application you will be prompted to grant permissions for the plugin. Select the checkbox for **Consent on behalf of your organization** and click **Accept** to continue.

{{:wiki:api_permissions.png?600|}}

== API permissions explained ==

^ Setting ^ Explanation ^
| User.Read | Allows the app to sign in and read the profile of the signed-in user. |
| Directory.Read.All | Allows the app to read data in the user's directory. |
| email | Allows the app to access the user's primary email address. |
| offline_access | Allows the app to request refresh tokens. |
| openid | Signs users in. |
| profile | Allows the app to access the user's basic profile information. |
| User.Read.All | Allows the app to read the full profile of all users. |

=== 2. Configure the add-in settings ===

== Settings > Submitted Email Settings > Plugin Settings ==

Select **+ Add Settings**, choose a client and a name, then click **Save**. You can then configure the **Settings** and **Language Settings**.

{{:wiki:msi_setting.png?600|}}

You must also link the application you created in these settings:

{{:wiki:msi_app.png?600|}}

See [[phishing_incidents|this page]] for details on the different settings.

== Default settings ==

If you updated your workstation from version 4.12.1 to 4.13, the existing plugin settings are now stored under **Default Settings**. You can now create multiple configurations for the plugin on a per-client basis.

==== Install the add-in ====

Navigate to the incidents dashboard and select **Download Plugin**. You can install the MSI plugin either user- or machine-wide. Double-click the MSI installer and follow the wizard to complete the installation.

{{:wiki:msi_installer.png?600|}}

When reporting your first email you will be prompted to authenticate. Select **Yes** to continue.

{{:wiki:msi_auth.png?600|}}
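The registration described in steps 1 to 3 of the Microsoft Entra ID section, scripted with the Microsoft.Graph PowerShell SDK as an added example (this is not Lucy's own tooling). It assumes the Microsoft.Graph.Applications module is installed and that you replace the placeholder redirect URIs with the values shown in the screenshots; the application name and secret name are also assumed values.

```powershell
# Added example: registers the Entra ID application with the settings from steps 1-3
# and reports the secret's expiry so rotation in Lucy can be scheduled before it lapses.
# Placeholders: $WebRedirectUri and $DesktopRedirectUris must match the step 1/2 screenshots.
param(
    [string]$DisplayName = "Lucy Phishing Incident Plugin",                     # assumed name
    [string]$WebRedirectUri = "https://lucy.example.invalid/callback",          # placeholder
    [string[]]$DesktopRedirectUris = @("https://PLACEHOLDER/desktop-redirect"), # placeholder
    [int]$SecretMonths = 12
)

Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Step 1: multitenant + personal Microsoft accounts, Web platform redirect URI.
# Step 2 (Advanced settings): Access tokens, ID tokens, Allow public client flows.
# "Live SDK Support" has no SDK parameter I can confirm; enable it in the portal as in step 2.
$app = New-MgApplication -DisplayName $DisplayName `
    -SignInAudience "AzureADandPersonalMicrosoftAccount" `
    -Web @{
        RedirectUris          = @($WebRedirectUri)
        ImplicitGrantSettings = @{ EnableAccessTokenIssuance = $true; EnableIdTokenIssuance = $true }
    } `
    -PublicClient @{ RedirectUris = $DesktopRedirectUris } `
    -IsFallbackPublicClient:$true

# Step 3: client secret. SecretText is returned exactly once; paste it straight into
# Settings > Common System Settings > Azure Applications, it cannot be read back later.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "lucy-plugin"   # assumed secret name
    EndDateTime = (Get-Date).ToUniversalTime().AddMonths($SecretMonths)
}

# Values Lucy asks for in "Azure Applications".
[pscustomobject]@{
    ClientId      = $app.AppId
    TenantId      = (Get-MgContext).TenantId
    SecretExpires = $secret.EndDateTime
    ClientSecret  = $secret.SecretText
}

# Defender check: warn about any secret on this app that expires within 30 days,
# so the Lucy entry is updated before plugin authentication starts failing.
$current = Get-MgApplication -ApplicationId $app.Id -Property PasswordCredentials
$current.PasswordCredentials |
    Where-Object { $_.EndDateTime -lt (Get-Date).ToUniversalTime().AddDays(30) } |
    ForEach-Object { Write-Warning "Secret '$($_.DisplayName)' expires $($_.EndDateTime)" }
```

Run the expiry check block on its own periodically (for example from a scheduled task) against the application ID stored in Lucy, since the portal does not alert you when a secret lapses.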