> ## Documentation Index
> Fetch the complete documentation index at: https://calcomhelp-mintlify-0e24fcb1.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Delegation Credential — Microsoft 365

> Connect Microsoft 365 calendars for all organization members using a single Microsoft Entra ID application.

Delegation Credential lets organization admins connect Microsoft 365 (Outlook) calendars for every member at once, without each person needing to authorize individually. It uses a Microsoft Entra ID (formerly Azure AD) application with admin-granted permissions to read availability and create events on behalf of your organization's users.

<Note>
  Only organization owners and admins can create and enable a Delegation Credential. The admin's email must belong to the Microsoft 365 domain being configured.
</Note>

***

## What you need

Before starting, make sure you have:

* **Organization admin access** in Cal.com
* **Microsoft Entra admin access** to register an application and grant admin consent
* **A Microsoft 365 tenant** with the domain you want to configure

***

## Step 1: Register an application in Microsoft Entra ID

<Steps>
  <Step title="Open the Microsoft Entra admin center">
    Go to [entra.microsoft.com](https://entra.microsoft.com) and sign in with your Microsoft 365 admin account.
  </Step>

  <Step title="Create a new app registration">
    Go to **Identity → Applications → App registrations** and click **New registration**. Give your application a name (for example, `Cal.com Delegation Credential`).
  </Step>

  <Step title="Choose supported account types">
    Select **Accounts in this organizational directory only (single tenant)**. You don't need to add a redirect URI for this flow.
  </Step>

  <Step title="Register">
    Click **Register**. You'll land on the application's overview page, which shows the **Application (client) ID** and **Directory (tenant) ID**. Keep this page open — you'll need both values shortly.
  </Step>
</Steps>

***

## Step 2: Add API permissions

The application needs three Microsoft Graph **application permissions** so Cal.com can read and write calendars, resolve users by email, and rotate its own client secret.

| Permission                      | Why Cal.com needs it                                                                            |
| ------------------------------- | ----------------------------------------------------------------------------------------------- |
| `Calendars.ReadWrite`           | Read availability and create or update calendar events for members in the tenant.               |
| `User.Read.All`                 | Resolve the Microsoft 365 user for a Cal.com member by their email address.                     |
| `Application.ReadWrite.OwnedBy` | Automatically rotate the client secret on the app registration Cal.com owns, before it expires. |

<Steps>
  <Step title="Open API permissions">
    From your application page, go to **API permissions** and click **Add a permission**.
  </Step>

  <Step title="Select Microsoft Graph">
    Choose **Microsoft Graph**, then **Application permissions** (not delegated).
  </Step>

  <Step title="Add the required permissions">
    Search for and add each of the following, one at a time:

    * `Calendars.ReadWrite`
    * `User.Read.All`
    * `Application.ReadWrite.OwnedBy`
  </Step>

  <Step title="Grant admin consent">
    Back on the API permissions page, click **Grant admin consent for \<your tenant>** and confirm. The status column should show a green check mark next to all three permissions.
  </Step>
</Steps>

<Warning>
  Without admin consent, Cal.com cannot use the application to access calendars. Make sure all three permissions show **Granted** before continuing.
</Warning>

***

## Step 3: Create a client secret

<Steps>
  <Step title="Open Certificates & secrets">
    From your application page, go to **Certificates & secrets** and click **New client secret**.
  </Step>

  <Step title="Set a description and expiry">
    Add a description (for example, `Cal.com DWD`) and choose an expiration period that suits your security policy.
  </Step>

  <Step title="Copy the secret Value">
    Click **Add**, then immediately copy the **Value** column — not the Secret ID. You won't be able to view this value again after you leave the page.
  </Step>
</Steps>

***

## Step 4: Create the Delegation Credential in Cal.com

<Steps>
  <Step title="Open Delegation Credential settings">
    In Cal.com, go to **Settings → Organization → Delegation Credential**.
  </Step>

  <Step title="Add a new credential">
    Click **Add delegation credential**.
  </Step>

  <Step title="Fill in the form">
    * **Domain**: Enter your Microsoft 365 domain (for example, `acme.com` if your emails are `@acme.com`)
    * **Workspace Platform**: Select **Microsoft 365**
    * **Client ID**: Paste the **Application (client) ID** from Step 1
    * **Tenant ID**: Paste the **Directory (tenant) ID** from Step 1
    * **Client Secret**: Paste the secret **Value** you copied in Step 3
  </Step>

  <Step title="Create the credential">
    Click **Create**. The credential will be created but not yet enabled.
  </Step>
</Steps>

***

## Step 5: Enable the Delegation Credential

<Steps>
  <Step title="Toggle to enabled">
    On the Delegation Credential list, toggle the new credential to **Enabled**. Cal.com verifies that the application can authenticate against your tenant and access calendars before the credential becomes active.
  </Step>
</Steps>

<Warning>
  The admin enabling the credential must have an email address that belongs to the configured Microsoft 365 domain, and that email must be verified in Cal.com.
</Warning>

***

## What happens after enabling

Once the Delegation Credential is enabled:

* **Microsoft 365 Calendar is auto-connected** for all organization members whose email matches the configured domain — they do not need to connect it manually
* **New members** added to the organization automatically get their calendar connected
* Members **cannot disconnect** the delegation-managed calendar credential (they can still connect additional calendars manually)

***

## Disabling the Delegation Credential

Disabling a Delegation Credential:

* Immediately stops auto-connecting calendars for members who haven't manually connected Microsoft 365
* Preserves existing calendar preferences (selected calendars and destination calendar) for members who had them configured
* Background jobs clean up delegation-specific credential records over time

If you no longer need the underlying app registration, you can also remove the client secret or delete the application in the Microsoft Entra admin center.

***

## Frequently asked questions

<AccordionGroup>
  <Accordion title="Do members need to do anything after the credential is enabled?">
    No. Microsoft 365 Calendar is automatically connected for all members whose email matches the domain. Members can optionally complete [onboarding](/enterprise/members-onboarding) to select which calendars to check for conflicts.
  </Accordion>

  <Accordion title="What if a member already connected Microsoft 365 manually?">
    The Delegation Credential takes priority for the matching domain. The member's manual connection is preserved but the delegation-managed credential is used for calendar operations.
  </Accordion>

  <Accordion title="What permissions does the application get?">
    The application is granted three Microsoft Graph application permissions:

    * **Calendars.ReadWrite** — read availability and create or update calendar events for members in the configured tenant.
    * **User.Read.All** — resolve the Microsoft 365 user for a Cal.com member by their email address.
    * **Application.ReadWrite.OwnedBy** — rotate the client secret on the app registration Cal.com owns before it expires.

    Cal.com cannot read mail, files, or any other Microsoft 365 data, and `Application.ReadWrite.OwnedBy` is scoped to applications the credential owns — it cannot modify other apps in your tenant.
  </Accordion>

  <Accordion title="What happens when the client secret expires?">
    With `Application.ReadWrite.OwnedBy` granted, Cal.com automatically rotates the client secret before it expires — you do not need to create a new secret manually. If the permission is not granted (or admin consent is revoked), the credential stops working once the secret expires. Create a new client secret in the Microsoft Entra admin center and update the credential in Cal.com from the Delegation Credential settings.
  </Accordion>
</AccordionGroup>
