Step 1: Register the application
Visit the <a href="https://entra.microsoft.com/#view/MicrosoftAADRegisteredApps/ApplicationsListBlade" target="_blank" rel="noreferrer">Microsoft Entra admin center</a>, create a new app registration, and add the provider callback URI provided by the Riposte admin portal (for embedded mode it's typically http://localhost:4000/riposte/providers/microsoft/callback). Capture the client ID and client secret once you generate it.
Step 2: Assign Graph permissions
Open the <a href="/tools/oauth-scope-planner" target="_blank" rel="noreferrer">OAuth scope planner</a>, switch to the Microsoft tab, and enable the workloads (mail, calendar, contacts, Teams) that match your product. Copy the delegated scopes it lists and add the matching API permissions in Entra—grant admin consent so test accounts can authorize immediately.
Step 3: Configure Riposte
In the Riposte admin portal, select Microsoft as the provider, paste the client ID, client secret, and scopes, then save. Run the built-in connection test to confirm the Entra application can complete delegated OAuth for your tenant.