Microsoft O365 Configuration for Laurel

How to set up collection of O365 activities in Laurel

Written by Lindsay Konsko

Laurel uses the Microsoft Graph API to capture email and calendar activity from Microsoft Exchange. This guide walks IT administrators through registering an application in Microsoft Entra and granting the required permissions.

Overview

You will complete 4 steps in Entra via your Azure Portal (https://entra.microsoft.com):

  1. Create an App Registration

  2. Generate a client secret

  3. Grant required API permissions

  4. Share credentials securely with your Laurel Implementation team, or enter them directly within Laurel's Admin settings

Step 1: Create an App Registration

  1. In the left-hand Entra ID menu, click App registrations.

  2. In the top menu, click + New registration.

  3. Name the application Laurel - Exchange and click Register.

Step 2: Generate a Client Secret

  1. In your new app registration, go to Certificates & secrets.

  2. Click + New client secret and set the following values:

    • Description: laurel-secret-1

    • Expires: 24 months

  3. Click Add.

  4. Immediately copy and securely store the secret value — it will not be visible again after you leave this page.

⚠️ Important: Note the expiration date and add a reminder to your calendar. If the secret expires before it is renewed, your users will lose time data that cannot be recovered even after the connection is restored.

Step 3: Grant Required API Permissions

  1. In your app registration, go to API permissions > Add a permission > Microsoft Graph > Application permissions.

  2. Search for and select each of the following permissions:

     Permission     | Type        | Purpose
     Mail.Read      | Application | Capture email activity
     Calendars.Read | Application | Capture calendar events
     User.Read.All  | Application | Identify users in your tenant

  3. Click Add permissions.

  4. Click Grant admin consent for [your organization] and confirm. All permissions should show a green Granted status.

Note: If you are not an Entra admin, you will need to ask an admin to grant consent.

Step 4: Share Credentials with Laurel

Once configuration is complete, either:

  • Share securely with your Laurel Implementation team, or

  • Enter directly in Laurel's Customer Integration settings after you've been assigned Super Customer Admin permissions.

You will need to provide the following credentials to activate the integration (found under the Overview tab of your app registration):

  • Application (client) ID

  • Directory (tenant) ID

  • Client secret value

  • Client secret expiration date


Setting up Application Access Policy

To set up an Application Access Policy in Microsoft Exchange (specifically, to control which apps can access email and calendar data via Microsoft Graph), you'll use PowerShell with the Exchange PowerShell module.

🔒 1. Create the Security Group

Browse to https://admin.microsoft.com/Adminportal/ and select the Active teams & groups tab.

Select the Security Groups tab on this page and add an "Email-enabled security group" called "LaurelExchangeAccess".


🔧 2. Connect to Microsoft Exchange PowerShell

Open PowerShell as Administrator and run:

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

Sign in with an Entra admin account.


🧩 3. Create the Application Access Policy

This policy restricts the app (identified by its Azure AD App ID) to the email and calendar data of users in the security group.

Example:

New-ApplicationAccessPolicy -Description "Block Laurel app permissions" -AppId <Laurel Application AppID GUID> -AccessRight RestrictAccess -PolicyScopeGroupId <Group email address, e.g. LaurelExchangeAccess@pinguser.onmicrosoft.com>

Parameters:

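  • -Identity → The name of the policy. It is not passed to New-ApplicationAccessPolicy (the example above omits it); it is used to reference an existing policy with Get-, Set- or Remove-ApplicationAccessPolicy.

  • -AppId → Azure AD App ID of the app whose access you want to scope.

  • -PolicyScopeGroupId → The mail-enabled security group, given by its email address.

  • -AccessRight → Type of access; should be RestrictAccess.

  • -Description → Optional note.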


👤 4. Assign the Policy to Users

At this point the Laurel Enterprise application only has access to users in the security group. Adding users to or removing users from this group allows or restricts the application's access to those users' data.
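One way to confirm the policy's scope after creating it, shown as an added example that is not part of Laurel's own guide. It uses the Exchange Online cmdlets Get-ApplicationAccessPolicy and Test-ApplicationAccessPolicy; the mailbox addresses are constructed placeholders and Test-Scope is a hypothetical helper name.

```powershell
# Added example: check that the Application Access Policy scopes the app as intended.
# Assumes Connect-ExchangeOnline has already been run in this session.
$AppId      = '<Laurel Application AppID GUID>'            # placeholder: replace with your app's ID
$InScope    = @('member1@example.onmicrosoft.com')         # constructed: a member of LaurelExchangeAccess
$OutOfScope = @('nonmember1@example.onmicrosoft.com')      # constructed: a user NOT in the group

# 1. Confirm that a RestrictAccess policy exists for this app.
$policies = @(Get-ApplicationAccessPolicy | Where-Object { "$($_.AppId)" -eq $AppId })
if ($policies.Count -eq 0) { throw "No Application Access Policy found for AppId $AppId" }
$policies | Format-List AppId, AccessRight, ScopeName, Description
if (-not ($policies | Where-Object { "$($_.AccessRight)" -eq 'RestrictAccess' })) {
    Write-Warning 'No RestrictAccess policy exists for this app.'
}

# 2. Evaluate the policy for each test mailbox and compare with the expected result.
function Test-Scope {
    param([string[]]$Mailboxes, [string]$Expected, [string]$App)
    foreach ($mbx in $Mailboxes) {
        $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $App
        [pscustomobject]@{
            Mailbox  = $mbx
            Expected = $Expected
            Actual   = "$($r.AccessCheckResult)"
            Pass     = ("$($r.AccessCheckResult)" -eq $Expected)
        }
    }
}
$results = @(Test-Scope -Mailboxes $InScope    -Expected 'Granted' -App $AppId) +
           @(Test-Scope -Mailboxes $OutOfScope -Expected 'Denied'  -App $AppId)
$results | Format-Table -AutoSize

# 3. Fail loudly if a non-member mailbox is reachable, or a member is not.
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    throw "$($failed.Count) mailbox(es) do not match the intended scope."
}
```

Re-running this check after group membership changes shows whether the app's reach still matches the users you intend Laurel to cover.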


🧠 Notes & Tips

  • Once an Application Access Policy is assigned, only the listed apps can access email and calendar data for those users.
