# Microsoft Admin

> Access the Microsoft Admin API in 2 minutes 💨

<Tabs>
  <Tab title="🚀 Quickstart">
    <Steps>
      <Step title="Create an integration">
        In Nango ([free signup](https://app.nango.dev)), go to [Integrations](https://app.nango.dev/dev/integrations) -> *Configure New Integration* -> *Microsoft Admin*. Nango doesn't provide a test OAuth app for Microsoft Admin yet. You’ll need to set up your own by following these [instructions](#🧑%E2%80%8D💻-oauth-app-setup). After that, make sure to add the OAuth client ID, secret, and scopes in the integration settings in Nango.
      </Step>

      <Step title="Authorize Microsoft Admin">
        Go to [Connections](https://app.nango.dev/dev/connections) -> *Add Test Connection* -> *Authorize*, then log in to Microsoft Admin. Later, you'll let your users do the same directly from your app.
      </Step>

      <Step title="Call the Microsoft Admin API">
        Let's make your first request to the Microsoft Admin (Microsoft Graph) API (fetch basic information about the root SharePoint site). Replace the placeholders below with your [secret key](https://app.nango.dev/dev/environment-settings), [integration ID](https://app.nango.dev/dev/integrations), and [connection ID](https://app.nango.dev/dev/connections):

        <Tabs>
          <Tab title="cURL">
            ```bash theme={null}
            curl "https://api.nango.dev/proxy/v1.0/sites/root" \
              -H "Authorization: Bearer <NANGO-SECRET-KEY>" \
              -H "Provider-Config-Key: <INTEGRATION-ID>" \
              -H "Connection-Id: <CONNECTION-ID>"
            ```
          </Tab>

          <Tab title="Node">
            Install Nango's backend SDK with `npm i @nangohq/node`. Then run:

            ```typescript theme={null}
            import { Nango } from '@nangohq/node';

            const nango = new Nango({ secretKey: '<NANGO-SECRET-KEY>' });

            const res = await nango.get({
                endpoint: '/v1.0/sites/root',
                providerConfigKey: '<INTEGRATION-ID>',
                connectionId: '<CONNECTION-ID>'
            });

            console.log(res.data);
            ```
          </Tab>
        </Tabs>

        Or fetch credentials dynamically via the [Node SDK](/reference/sdks/node#get-a-connection-with-credentials) or [API](/reference/api/connection/get).
      </Step>
    </Steps>

    ✅ You're connected! Check the [Logs](https://app.nango.dev/dev/logs) tab in Nango to inspect requests.

    <Tip>
      Next step: [Embed the auth flow](/guides/primitives/auth) in your app to let your users connect their Microsoft Admin accounts.
    </Tip>
  </Tab>

  <Tab title="🧑‍💻 OAuth app setup">
    <Steps>
      <Step title="Create a Microsoft account and Azure account">
        If you don't already have them, sign up for a [Microsoft account](https://account.microsoft.com/account) and an [Azure account](https://azure.microsoft.com/free).
      </Step>

      <Step title="Register an application in Microsoft Entra ID">
        1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an Application Developer.
        2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application.
        3. From the search bar at the top of the Azure portal, search for **App registrations** and select it. Then choose **New registration**. Or from your left navigation tab, navigate to **Applications** > **App registrations** then choose **New registration**.
        4. Enter a meaningful name for your application, for example "Nango Integration".
        5. Under **Supported account types** you need to decide who can install your integration:
           * **Accounts in any organizational directory** - Any user account in a professional Microsoft organization (Business, School, etc.)
           * **Accounts in any organizational directory and personal Microsoft accounts** - The accounts from the first option, plus personal Microsoft accounts (pick this unless you want to restrict your integration to business accounts)
        6. Leave the **Redirect URI** section blank for now; we'll configure it in a later step.
        7. Click **Register** to complete the app registration.
      </Step>

      <Step title="Note your application (client) ID">
        After registration, you'll be taken to the application's Overview page. Record the **Application (client) ID**, which uniquely identifies your application and is used in your application's code as part of validating security tokens.
      </Step>

      <Step title="Add a redirect URI">
        1. In the left sidebar, select **Authentication**.
        2. Under **Platform configurations**, select **Add a platform**.
        3. Select **Web** as the platform type.
        4. Enter `https://api.nango.dev/oauth/callback` as the Redirect URI.
        5. Under **Advanced settings**, keep **Allow public client flows** set to the default **No** for web applications.
        6. Click **Configure** to save your changes.
      </Step>

      <Step title="Add API permissions">
        1. In the left sidebar, select **API permissions**.
        2. Click **Add a permission**.
        3. Select **Microsoft Graph** to integrate with **Microsoft Admin**.
        4. Select the required permissions from the **Application permissions** section.
        5. Select the specific permissions your app requires. Please refer to the table below for some of the [commonly used scopes](#common-scopes).
        6. Click **Add permissions**.
        7. If your application requires admin consent, click **Grant admin consent for \[tenant]** to pre-authorize the permissions.
      </Step>

      <Step title="Create a client secret">
        1. In the left sidebar, select **Certificates & secrets**.
        2. Under **Client secrets**, click **New client secret**.
        3. Enter a description for the secret and select an expiration period (6 months, 12 months, 24 months, or custom). Select a date further in the future to avoid interruptions; note that the **Custom** date can only be set to a maximum of 1 year from the current date. If the secret expires, you will need to generate a new one and update your integration within Nango.
        4. Click **Add**.
        5. **Important**: Copy the secret value immediately and store it securely. You won't be able to see it again after you leave this page.
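
        To catch an expiring client secret before it interrupts the integration, the check below classifies secrets by days remaining. It is an added example, not part of Nango or this guide's original code; it assumes you pass in the `passwordCredentials` array from the app registration's Microsoft Graph application object, and the function name, the 30-day threshold and the sample values are constructed for illustration.

        ```typescript
        // Fields used from each entry of a Graph application object's passwordCredentials array.
        interface PasswordCredential {
            keyId: string;
            displayName: string | null;
            endDateTime: string; // ISO 8601 timestamp
        }

        type SecretStatus = {
            keyId: string;
            name: string;
            daysLeft: number;
            state: 'expired' | 'rotate-soon' | 'ok';
        };

        const DAY_MS = 24 * 60 * 60 * 1000;

        // Classify every secret relative to `now`; warnDays (assumed default: 30) is the rotation window.
        function checkSecretExpiry(creds: PasswordCredential[], now: Date, warnDays = 30): SecretStatus[] {
            return creds
                .map((c) => {
                    const end = Date.parse(c.endDateTime);
                    if (Number.isNaN(end)) {
                        throw new Error(`unparseable endDateTime for key ${c.keyId}`);
                    }
                    // floor() makes a secret that expired a few hours ago report -1, not 0.
                    const daysLeft = Math.floor((end - now.getTime()) / DAY_MS);
                    const state: SecretStatus['state'] =
                        daysLeft < 0 ? 'expired' : daysLeft <= warnDays ? 'rotate-soon' : 'ok';
                    return { keyId: c.keyId, name: c.displayName ?? '(unnamed)', daysLeft, state };
                })
                .sort((a, b) => a.daysLeft - b.daysLeft); // most urgent first
        }

        // Constructed sample data (not real key IDs).
        const SAMPLE_CREDENTIALS: PasswordCredential[] = [
            { keyId: '00000000-0000-0000-0000-000000000001', displayName: 'nango-prod', endDateTime: '2025-07-10T00:00:00Z' },
            { keyId: '00000000-0000-0000-0000-000000000002', displayName: null, endDateTime: '2025-05-01T00:00:00Z' },
            { keyId: '00000000-0000-0000-0000-000000000003', displayName: 'nango-staging', endDateTime: '2026-06-01T00:00:00Z' }
        ];

        console.log(checkSecretExpiry(SAMPLE_CREDENTIALS, new Date('2025-06-20T00:00:00Z')));
        ```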
      </Step>

      <Step title="Configure token settings (optional)">
        1. In the left sidebar, select **Token configuration**. Here you can configure optional claims to be included in the access tokens issued for your application.
        2. Click **Add optional claim** and select the claims you want to include in your access tokens.
      </Step>

      <Step title="Configure app visibility (optional)">
        If you want users to see your app on their My Apps page:

        1. From the search bar at the top of the Azure portal, search for **Enterprise applications**, select it, and then choose your app.
        2. On the **Properties** page, set **Visible to users?** to **Yes**.
      </Step>

      <Step title="Next">
        Follow the [*Quickstart*](/getting-started/quickstart).
      </Step>
    </Steps>

    ## Common Scopes

    | Scope                 | Description                                             |
    | --------------------- | ------------------------------------------------------- |
    | `Sites.Read.All`      | Read items in all site collections                      |
    | `Sites.ReadWrite.All` | Read and write items in all site collections            |
    | `Files.Read.All`      | Read all files in all site collections and drives       |
    | `Files.ReadWrite.All` | Read and write all files in all site collections/drives |
    | `User.Read.All`       | Read all user profiles in the organization              |
    | `Directory.Read.All`  | Read directory data across the organization             |
  </Tab>

  <Tab title="🔗 Useful links">
    ## Useful links

    | Topic     | Links                                                                                                                                           |
    | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
    | General   | [Microsoft Entra Admin Center](https://entra.microsoft.com)                                                                                     |
    |           | [Azure Portal](https://portal.azure.com)                                                                                                        |
    |           | [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer)                                                          |
    | Developer | [Microsoft identity platform documentation](https://learn.microsoft.com/en-us/entra/identity-platform/)                                         |
    |           | [Microsoft Graph API Overview](https://learn.microsoft.com/en-us/graph/overview)                                                                |
    |           | [How to register an Application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)                             |
    |           | [Overview of user and admin consent](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview)              |
    |           | [How to configure an admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow) |
    |           | [Microsoft Graph Permissions Reference](https://learn.microsoft.com/en-us/graph/permissions-reference)                                          |
    |           | [Microsoft Authentication Libraries (MSAL)](https://learn.microsoft.com/en-us/entra/identity-platform/msal-overview)                            |
    |           | [Microsoft Graph API Reference](https://learn.microsoft.com/en-us/graph/api/overview)                                                           |
    |           | [Microsoft Graph Throttling Guidance](https://learn.microsoft.com/en-us/graph/throttling)                                                       |
    |           | [Redirect URI Best Practices](https://learn.microsoft.com/en-us/entra/identity-platform/reply-url)                                              |

  </Tab>

  <Tab title="🚨 API gotchas">
    * Only organization administrators can authorize this integration, as admin consent is required to grant permissions for the entire organization.
    * You can find the permissions required for each API call in its corresponding API method section. For example, to retrieve a user from Teams, refer to the Application permission type in the [Get a user permissions](https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0\&tabs=http#permissions) documentation.
    * Microsoft offers a tool that allows you to construct and perform Graph API queries and see their response for any apps on which you have an admin, developer, or tester role. For more information you can check [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer).
    * Please be aware that the Microsoft Graph API implements throttling to manage the volume of requests. For more information on handling throttling, refer to the [Microsoft Graph Throttling Guidance](https://learn.microsoft.com/en-us/graph/throttling).
    * Microsoft Graph API has different versions (v1.0 and beta). The v1.0 endpoint is for production use, while the beta endpoint contains features that are still in preview.
    * You can set the `.default` scope ([documentation](https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#default-when-the-user-gives-consent)) to ensure the permissions remain the same as those granted at the organization level.
    * The `.default` scope can't be combined with the scopes registered in the Azure portal. Either use the `.default` scope on its own, or remove it and list the required scopes explicitly. If you attempt to combine them, you'll receive the following error:

    ```
    .default scope can't be combined with resource-specific scopes
    ```
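
    The `.default` rule above can be enforced as a pre-flight check on the scope string before it is saved in the integration settings. This is an added example, not Nango's or Microsoft's code; `lintScopes` and its issue codes are hypothetical names, and the duplicate and read/write overlap checks go beyond the single rule stated above.

    ```typescript
    type ScopeIssue = { code: 'DEFAULT_COMBINED' | 'DUPLICATE' | 'REDUNDANT_READ'; detail: string };

    // Accept both OAuth-style (space-separated) and comma-separated scope lists.
    function parseScopes(raw: string): string[] {
        return raw.split(/[\s,]+/).filter((s) => s.length > 0);
    }

    // `.default` may appear bare or resource-qualified, e.g. https://graph.microsoft.com/.default
    function isDefaultScope(scope: string): boolean {
        return scope === '.default' || scope.endsWith('/.default');
    }

    function lintScopes(raw: string): ScopeIssue[] {
        const scopes = parseScopes(raw);
        const issues: ScopeIssue[] = [];
        const defaults = scopes.filter(isDefaultScope);
        const explicit = scopes.filter((s) => !isDefaultScope(s));

        // The combination that produces the error quoted above.
        if (defaults.length > 0 && explicit.length > 0) {
            issues.push({
                code: 'DEFAULT_COMBINED',
                detail: `.default scope can't be combined with resource-specific scopes: ${explicit.join(', ')}`
            });
        }

        const seen = new Set<string>();
        for (const s of scopes) {
            if (seen.has(s)) issues.push({ code: 'DUPLICATE', detail: s });
            seen.add(s);
        }

        // X.ReadWrite.All listed next to X.Read.All: the effective grant is write access,
        // so the reviewer should confirm that write access is really needed.
        for (const s of Array.from(seen)) {
            const m = /^(.+)\.ReadWrite\.All$/.exec(s);
            if (m && seen.has(`${m[1]}.Read.All`)) {
                issues.push({ code: 'REDUNDANT_READ', detail: `${m[1]}.Read.All is covered by ${s}` });
            }
        }
        return issues;
    }

    // Constructed input: mixes `.default` with a scope from the Common Scopes table.
    console.log(lintScopes('https://graph.microsoft.com/.default, Sites.Read.All'));
    ```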

  </Tab>
</Tabs>

<Info>
  Questions? Join us in the [Slack community](https://nango.dev/slack).
</Info>
