# Setting up Office 365 daemon app registration

Setting up an Office 365 / Azure app registration that allows global admin authorizations (or daemon OAuth2 flow) is quite similar to the regular Azure app registration described in the article [Office 365 OAuth setup](/authentication/office-365-oauth-setup.md). Please follow the "Creating an app registration" steps from that article if you have not created any app registrations yet or want to create a separate daemon app registration.

The following settings are specific to daemon app registrations (daemon OAuth2 flow).

### **Specifying API permissions**

***

Head to the "API permissions" panel and click "Add a permission".

<div data-full-width="true"><figure><img src="https://s3.amazonaws.com/helpscout.net/docs/assets/5dd72e4d2c7d3a7e9ae44753/images/5f06475d04286306f80664f8/file-kF4BjKjgqT.jpg" alt=""><figcaption></figcaption></figure></div>

Choose the Microsoft Graph set of permissions.

<div data-full-width="true"><figure><img src="https://d33v4339jhl8k0.cloudfront.net/docs/assets/5dd72e4d2c7d3a7e9ae44753/images/5e0a6c0a2c7d3a7e9ae59d4e/file-FOAuckn1fN.jpg" alt=""><figcaption></figcaption></figure></div>

You'll need to determine what Graph API permissions you add to your consent screen based on your application's behavior. Please reference this mapping to see how Aurinko scopes will map to Graph API permissions during the [authentication](/authentication/oauth-flow.md) process:

| Aurinko scope        | Graph API permission  |
| -------------------- | --------------------- |
| `Mail.ReadOnly`      | `Mail.Read`           |
| `Mail.ReadWrite`     | `Mail.ReadWrite`      |
| `Mail.Send`          | `Mail.Send`           |
| `Calendar.ReadOnly`  | `Calendars.Read`      |
| `Calendar.ReadWrite` | `Calendars.ReadWrite` |
| `Contacts.ReadOnly`  | `Contacts.Read`       |
| `Contacts.ReadWrite` | `Contacts.ReadWrite`  |

Then add all required **Application** permissions, i.e. <mark style="color:red;">`Calendars.ReadWrite`</mark>, <mark style="color:red;">`Contacts.ReadWrite`</mark>, <mark style="color:red;">`Mail.ReadWrite`</mark>, <mark style="color:red;">`Mail.Send`</mark>.

<div data-full-width="true"><figure><img src="https://s3.amazonaws.com/helpscout.net/docs/assets/5dd72e4d2c7d3a7e9ae44753/images/5f06470f04286306f80664f6/file-6Dac6tkbth.jpg" alt=""><figcaption></figcaption></figure></div>

This is what your application permissions screen should look like:

<div data-full-width="true"><figure><img src="https://s3.amazonaws.com/helpscout.net/docs/assets/5dd72e4d2c7d3a7e9ae44753/images/5f0648302c7d3a10cbaa3da6/file-VSAYBJuJSk.jpg" alt=""><figcaption></figcaption></figure></div>

### **Creating OAuth credentials**

Prepare a self-signed certificate; see [this article](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#upload-a-certificate) for sample instructions. The certificate and its private key will need to be uploaded to Aurinko later. Then, head to the "Certificates & secrets" panel and click "Upload certificate".

<div data-full-width="true"><figure><img src="https://s3.amazonaws.com/helpscout.net/docs/assets/5dd72e4d2c7d3a7e9ae44753/images/5f06490b2c7d3a10cbaa3db4/file-tJCvYXEots.jpg" alt=""><figcaption></figcaption></figure></div>
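One way to prepare the certificate and private key with OpenSSL, as an added example that is not part of the original article or of Aurinko's or Microsoft's own instructions. The file names, subject CN, RSA 2048 key, validity period, and unencrypted PEM output are assumptions; the page does not state which encoding Aurinko expects.

```bash
#!/usr/bin/env bash
# Added example (not Aurinko's or Microsoft's code). File names, subject CN,
# key size and validity period are assumptions; adjust to your own policy.

# Create an RSA key and self-signed certificate in a directory only the
# current user can read. The key is written as unencrypted PEM (-nodes) on
# the assumption that it is entered into the Aurinko form as-is.
make_daemon_cert() {
  local out_dir="$1" cn="${2:-aurinko-daemon-app}" days="${3:-365}"
  (
    umask 077   # the key never exists with looser permissions
    mkdir -p "$out_dir" &&
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
      -days "$days" -subj "/CN=$cn" \
      -keyout "$out_dir/daemon-app.key" -out "$out_dir/daemon-app.crt"
  )
}

# Succeeds only if the certificate's public key belongs to the private key,
# so a mismatched pair is caught before anything is uploaded.
cert_matches_key() {
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  b=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# SHA-1 thumbprint as 40 hex characters, for comparison with the thumbprint
# the Azure portal lists next to the uploaded certificate.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed -e 's/^.*=//' -e 's/://g'
}

# Succeeds if the certificate is still valid N days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage:
#   make_daemon_cert ./daemon-cert &&
#   cert_matches_key ./daemon-cert/daemon-app.crt ./daemon-cert/daemon-app.key &&
#   cert_thumbprint ./daemon-cert/daemon-app.crt
```
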

### **Configure Aurinko to use your Office 365 OAuth (Daemon) credentials**

Head over to the [Aurinko portal](https://app.aurinko.io/) and log in.

Select your app at the top, choose the Settings menu and switch to the OFFICE 365 tab. Enter **Client ID**, **Private key**, and **Certificate** into the form and save.

<div data-full-width="true"><figure><img src="/files/dRSH8SXUblFMMHC5HzIK" alt=""><figcaption></figcaption></figure></div>

**You are now all set to start connecting Office 365 service accounts to Aurinko!**


