
Microsoft O365 Configuration for Laurel

How to set up collection of O365 activities in Laurel

Written by Lindsay Konsko

ℹ️ Laurel collects activities from Microsoft's productivity suite in the cloud, including Outlook meetings, Outlook offline emails, and Teams meetings.

As a Microsoft administrator, please collect the following information and provide it to the Laurel team for setup:

  • Application (Client) ID

  • Directory (Tenant) ID

  • Application Secret Value

We will confirm with testing prior to making the application generally available to your users. The steps below help you set up our application and get these values.

Create App Registration

  • Click New registration

  • Register the application Laurel Graph/Exchange

  • Click Register

  • Navigate to Certificates & secrets located in the left navigation bar

  • Click New client secret to create a secret with the following configuration:

    • Description: laurel-secret-1

    • Expires: 24 months

⚠️ We recommend a long-lived authentication so you do not need to remember to update these values with Laurel; if they expire your timekeepers will lose time that is not recoverable even if the connection is restored.

Please remember to keep note of the expiration in your calendar.

  • Click Add

  • Copy the value of the secret

    ❗ The secret value will not be accessible once created so please be prepared to secure the value in a safe location.

  • Click Overview tab located in the left navigation bar

    • Store Application (client) ID in a secure location

    • Store Directory (tenant) ID in a secure location
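
An added example, not part of Laurel's instructions: a PowerShell check that reports how many days remain on the client secrets of the registration created above, so the expiry can be monitored by a scheduled job as well as noted in a calendar. It assumes the Microsoft Graph PowerShell SDK is installed; the app ID placeholder and the 60-day warning threshold are assumptions.

```powershell
# Added example: report client-secret expiry for the Laurel app registration.
# Assumes the Microsoft.Graph.Applications module is installed.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'

$appId    = '<Application (client) ID>'   # placeholder: value from the Overview tab
$warnDays = 60                            # assumed threshold, adjust to your process

$app = Get-MgApplication -Filter "appId eq '$appId'"
if (-not $app) { throw "No app registration found for appId $appId" }

$now = (Get-Date).ToUniversalTime()
$report = foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [math]::Floor(($cred.EndDateTime.ToUniversalTime() - $now).TotalDays)

    # Classify each secret so the output can drive an alert.
    $status = 'OK'
    if ($daysLeft -lt 0)              { $status = 'EXPIRED' }
    elseif ($daysLeft -le $warnDays)  { $status = 'ROTATE SOON' }

    [pscustomobject]@{
        Secret   = $cred.DisplayName      # e.g. laurel-secret-1
        KeyId    = $cred.KeyId
        Expires  = $cred.EndDateTime
        DaysLeft = $daysLeft
        Status   = $status
    }
}
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or pipeline raise an alert.
if ($report | Where-Object Status -ne 'OK') { exit 1 }
```

The script only reads secret metadata (name, key ID, expiry); the secret value itself is never retrievable after creation.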

Set app permissions

This first example is how an admin enables EWS access for Office 365 Exchange Online. Graph allows for more restrictive permissions as well as access to call/meeting records in Microsoft Teams. Different integrations require their own set of permissions. For the full list please refer to this document.

  • Click API permissions tab in the left navigation bar

  • Click Add a permission

  • Click APIs my organization uses tab

  • Search for Office

  • Select Office 365 Exchange Online

  • Click Application permissions and select the following permission:

    • full_access_as_app

ℹ️ Laurel attempts to minimize its use of permissions, but these are required to fulfill our promise of time technology and automation. Please see use of these permissions here.

  • Click Add permissions

  • Check the Status column to see if the permission has been successfully granted

If you are not the administrator of the Azure account, you will have to get the administrator to grant the permission. The following screenshot shows when a permission has not yet been granted.

  • If you are an administrator, click Grant admin consent for Laurel Graph/Exchange

ℹ️ If you named the application something different, that name will appear.

  • Confirm by clicking Yes

  • Ensure permissions are shown with a green check mark

✅ You will see a green checkbox next to a set of permissions. There may be others, which is okay; the most important are highlighted below.

Send Laurel required information to access the application

  • Through Intercom or email, please contact your Laurel integration team and send the following information:

    • Application (Client) ID

    • Directory (Tenant) ID

    • Application Secret Value

Setting up Application Access Policy

In Microsoft Exchange, an Application Access Policy controls which apps can access email and calendar data via Microsoft Graph. You’ll set this up using PowerShell with the Exchange PowerShell module.

🔒 1. Create the Security Group

Browse to https://admin.microsoft.com/Adminportal/ and select the Active teams & groups tab.

Select the Security Groups tab on this page and add an "Email-enabled security group" called "LaurelExchangeAccess".


🔧 2. Connect to Microsoft Exchange PowerShell

Open PowerShell as Administrator and run:

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

Sign in with an Entra admin account.


🧩 3. Create the Application Access Policy

This policy will restrict which apps (by Azure AD App ID) can access Teams meeting data.

Example:

New-ApplicationAccessPolicy -Description "Block Laurel app permissions" -AppId <Laurel Application AppID GUID> -AccessRight RestrictAccess -PolicyScopeGroupId <Group name via mail i.e LaurelExchangeAccess@pinguser.onmicrosoft.com>

Parameters:

  • -Identity → The name of the policy.

  • -AppId → Azure AD App IDs for the app you want to grant access to.

  • -PolicyScopeGroupId → Security Group

  • -AccessRight → Type of access, should be RestrictAccess

  • -Description → Optional note.


👤 4. Assign the Policy to Users

At this point the Laurel Enterprise application will only have access to users in the security group. Adding users to or removing users from this group will allow or restrict the application's access to those users' data.
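
An added example, not part of Laurel's instructions: a PowerShell check that the policy created above actually scopes the app to the security group, by evaluating it against one mailbox inside the group and one outside it. Values in angle brackets are placeholders, and the two test mailboxes are assumptions you choose yourself.

```powershell
# Added example: confirm the Application Access Policy scopes the Laurel app as intended.
# All values in angle brackets are placeholders to fill in for your tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$appId  = '<Laurel Application AppID GUID>'
$expect = @{
    '<mailbox of a user IN LaurelExchangeAccess>'     = 'Granted'
    '<mailbox of a user NOT in LaurelExchangeAccess>' = 'Denied'
}

# 1. The policy exists for this app; review its access right and scope group.
$policy = Get-ApplicationAccessPolicy | Where-Object AppId -eq $appId
if (-not $policy) { throw "No Application Access Policy found for app $appId" }
$policy | Format-List AppId, AccessRight, ScopeName, Description

# 2. Evaluate the policy per mailbox and compare with the expected outcome.
$results = foreach ($mailbox in $expect.Keys) {
    $check = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $appId
    [pscustomobject]@{
        Mailbox  = $mailbox
        Expected = $expect[$mailbox]
        Actual   = $check.AccessCheckResult
        Match    = ($check.AccessCheckResult -eq $expect[$mailbox])
    }
}
$results | Format-Table -AutoSize

# 3. Flag any mailbox whose result differs from what the group membership implies.
if ($results | Where-Object { -not $_.Match }) {
    Write-Warning 'Policy scope differs from expectation: review group membership and policy.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

Microsoft's documentation notes that policy changes can take more than an hour to take effect for Graph API calls, even when Test-ApplicationAccessPolicy already reports the expected result, so re-run the check after changing group membership.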


🧠 Notes & Tips

  • Once an Application Access Policy is assigned, only the listed apps can access email and calendar data for those users.
