1. Overview
  2. Nextcloud Exchange Connector
  3. (Images required) Configuring Microsoft 365 (Cloud)

(Images required) Configuring Microsoft 365 (Cloud)

This guide explains how to configure the Exchange Online (Microsoft 365) authentication to support the Nextcloud Exchange Connector workflow.

Note:

Unlike On-Premise environments that use Service Accounts with Kerberos or Basic Authentication, Microsoft 365 requires modern OAuth 2.0 app-only authentication. To achieve this, you must register the connector as an application in Microsoft Entra ID (formerly Azure AD).

Pre-requirements

Before you begin the app registration process, ensure you have the following:

  1. Administrative Access: You must have Global Administrator or Application Administrator privileges in your Microsoft Entra ID tenant to grant organizational consent for the required API permissions.

  2. Active Microsoft 365 Tenant: An active Microsoft 365 subscription with Exchange Online mailboxes provisioned.

Step 1. Register the Application in Microsoft Entra

Why this is needed: Registering the application generates a unique Application (client) ID and Directory (tenant) ID. These identifiers act as the username and domain for your connector to securely communicate with the Microsoft 365 cloud.

  1. Open a browser and log in to the Microsoft Entra admin center.

  2. Navigate to Identity > Applications > App registrations, and select New registration.

  3. Set the Name to a friendly identifier (e.g., Nextcloud Exchange Connector).

Under Redirect URL, select Public client/native (mobile & desktop) from the dropdown and set the value to:

https://login.microsoftonline.com/common/oauth2/nativeclient

  1. Click Register.

  2. On the application overview page, copy and securely save the Application (client) ID and Directory (tenant) ID.

Step 2. Configure Permissions for App-only Access

Why this is needed: The connector operates as a background daemon (server-to-server) without a signed-in user present. It requires "Application permissions" with the full_access_as_app role to impersonate users and sync their calendars and contacts.

  1. In your app registration menu, navigate to Manage > API permissions.

  2. Click Add a permission > APIs my organization uses and search for Office 365 Exchange Online.

  3. Select Application permissions.

  4. Check the box full_access_as_app and click Add permissions.

Warning: Grant Admin Consent

Adding the permission is not enough. You must click the Grant admin consent for [Your Organization] button on the API permissions page and accept the prompt.

If the status does not show a green checkmark, Microsoft 365 will deny all synchronization requests from the connector.

Step 3. Create a Client Secret

Why this is needed: The Client Secret acts as the password for your newly registered application, proving its identity to Microsoft Entra ID when requesting an access token.

  1. Navigate to Manage > Certificates & secrets.

  2. Under the Client secrets tab, click New client secret.

  3. Add a description and choose an expiration period, then click Add.

  4. Immediately copy the Value of the client secret. You will not be able to view it again once you leave the page.

Step 4. Save Credentials for Installation

You have successfully generated the required Microsoft 365 access keys. Keep these values secure. Later, when you reach the Installation Guide, you will use these keys to build your configuration files.

Configuration mapping cheat sheet

1. The .env Configuration File

When configuring your .env file, ensure your Exchange Type is set to Cloud (1), and map your saved Tenant ID accordingly:

Service__ExchangeConfiguration__ExchangeType=1
Service__ExchangeConfiguration__ExchangeTenantId="your-directory-tenant-id-here"

2. The admins.json Credentials File

When building your admins.json file inside the exchangeAdmins directory, map your App ID and Client Secret:

[
  {
    "ExchangeType": 1,
    "AppId": "your-application-client-id-here",
    "ClientSecret": "your-client-secret-value-here"
  }
]

Graph API Migration Note

Please note that Microsoft has announced the deprecation of Exchange Web Services (EWS) for Exchange Online, effective October 2026.

While the current setup relies on EWS, Sendent is actively preparing a new release that will migrate communication to the Microsoft Graph API. Once the new Graph API version is available, the core parameters (Tenant ID, App ID, and Client Secret) will remain the same, but you may be required to update the API Permissions in your Microsoft Entra App Registration. Sendent will provide a dedicated migration guide well in advance of the deprecation date.

Next Step

Configuring Nextcloud

Related Articles

Last updated April 1, 2026
Was this article helpful?