Skip to main content
Delegation Credential lets organization admins connect Microsoft 365 (Outlook) calendars for every member at once, without each person needing to authorize individually. It uses a Microsoft Entra ID (formerly Azure AD) application with admin-granted permissions to read availability and create events on behalf of your organization’s users.
Only organization owners and admins can create and enable a Delegation Credential. The admin’s email must belong to the Microsoft 365 domain being configured.

What you need

Before starting, make sure you have:
  • Organization admin access in Cal.com
  • Microsoft Entra admin access to register an application and grant admin consent
  • A Microsoft 365 tenant with the domain you want to configure

Step 1: Register an application in Microsoft Entra ID

1

Open the Microsoft Entra admin center

Go to entra.microsoft.com and sign in with your Microsoft 365 admin account.
2

Create a new app registration

Go to Identity → Applications → App registrations and click New registration. Give your application a name (for example, Cal.com Delegation Credential).
3

Choose supported account types

Select Accounts in this organizational directory only (single tenant). You don’t need to add a redirect URI for this flow.
4

Register

Click Register. You’ll land on the application’s overview page, which shows the Application (client) ID and Directory (tenant) ID. Keep this page open — you’ll need both values shortly.

Step 2: Add API permissions

The application needs three Microsoft Graph application permissions so Cal.com can read and write calendars, resolve users by email, and rotate its own client secret.
PermissionWhy Cal.com needs it
Calendars.ReadWriteRead availability and create or update calendar events for members in the tenant.
User.Read.AllResolve the Microsoft 365 user for a Cal.com member by their email address.
Application.ReadWrite.OwnedByAutomatically rotate the client secret on the app registration Cal.com owns, before it expires.
1

Open API permissions

From your application page, go to API permissions and click Add a permission.
2

Select Microsoft Graph

Choose Microsoft Graph, then Application permissions (not delegated).
3

Add the required permissions

Search for and add each of the following, one at a time:
  • Calendars.ReadWrite
  • User.Read.All
  • Application.ReadWrite.OwnedBy
4

Grant admin consent

Back on the API permissions page, click Grant admin consent for <your tenant> and confirm. The status column should show a green check mark next to all three permissions.
Without admin consent, Cal.com cannot use the application to access calendars. Make sure all three permissions show Granted before continuing.

Step 3: Create a client secret

1

Open Certificates & secrets

From your application page, go to Certificates & secrets and click New client secret.
2

Set a description and expiry

Add a description (for example, Cal.com DWD) and choose an expiration period that suits your security policy.
3

Copy the secret Value

Click Add, then immediately copy the Value column — not the Secret ID. You won’t be able to view this value again after you leave the page.

Step 4: Create the Delegation Credential in Cal.com

1

Open Delegation Credential settings

In Cal.com, go to Settings → Organization → Delegation Credential.
2

Add a new credential

Click Add delegation credential.
3

Fill in the form

  • Domain: Enter your Microsoft 365 domain (for example, acme.com if your emails are @acme.com)
  • Workspace Platform: Select Microsoft 365
  • Client ID: Paste the Application (client) ID from Step 1
  • Tenant ID: Paste the Directory (tenant) ID from Step 1
  • Client Secret: Paste the secret Value you copied in Step 3
4

Create the credential

Click Create. The credential will be created but not yet enabled.

Step 5: Enable the Delegation Credential

1

Toggle to enabled

On the Delegation Credential list, toggle the new credential to Enabled. Cal.com verifies that the application can authenticate against your tenant and access calendars before the credential becomes active.
The admin enabling the credential must have an email address that belongs to the configured Microsoft 365 domain, and that email must be verified in Cal.com.

What happens after enabling

Once the Delegation Credential is enabled:
  • Microsoft 365 Calendar is auto-connected for all organization members whose email matches the configured domain — they do not need to connect it manually
  • New members added to the organization automatically get their calendar connected
  • Members cannot disconnect the delegation-managed calendar credential (they can still connect additional calendars manually)

Disabling the Delegation Credential

Disabling a Delegation Credential:
  • Immediately stops auto-connecting calendars for members who haven’t manually connected Microsoft 365
  • Preserves existing calendar preferences (selected calendars and destination calendar) for members who had them configured
  • Background jobs clean up delegation-specific credential records over time
If you no longer need the underlying app registration, you can also remove the client secret or delete the application in the Microsoft Entra admin center.

Frequently asked questions

No. Microsoft 365 Calendar is automatically connected for all members whose email matches the domain. Members can optionally complete onboarding to select which calendars to check for conflicts.
The Delegation Credential takes priority for the matching domain. The member’s manual connection is preserved but the delegation-managed credential is used for calendar operations.
The application is granted three Microsoft Graph application permissions:
  • Calendars.ReadWrite — read availability and create or update calendar events for members in the configured tenant.
  • User.Read.All — resolve the Microsoft 365 user for a Cal.com member by their email address.
  • Application.ReadWrite.OwnedBy — rotate the client secret on the app registration Cal.com owns before it expires.
Cal.com cannot read mail, files, or any other Microsoft 365 data, and Application.ReadWrite.OwnedBy is scoped to applications the credential owns — it cannot modify other apps in your tenant.
With Application.ReadWrite.OwnedBy granted, Cal.com automatically rotates the client secret before it expires — you do not need to create a new secret manually. If the permission is not granted (or admin consent is revoked), the credential stops working once the secret expires. Create a new client secret in the Microsoft Entra admin center and update the credential in Cal.com from the Delegation Credential settings.