Microsoft 365 Actions Setup

You can configure Glean Assistant and Agents to export any generated response to a Word Document, Excel Spreadsheet, or as an email draft in Outlook.

Prerequisites

• You are a Glean admin with access to the Admin Console and the Actions page in Glean.
• Your organization has an existing Microsoft 365 (O365) data source configured in Glean. During setup, you will select this data source as the instance where Word documents and Excel spreadsheets are created in OneDrive.
• Your Microsoft 365 tenant allows registration and configuration of applications in Microsoft Entra ID (Azure AD), and you or a collaborating Microsoft 365 admin can:
  • Register a new app.
  • Create and manage client secrets.
  • Configure delegated API permissions.
  • Configure redirect URIs and tenant-wide consent for enterprise applications.
• If you plan to use the Central OAuth option, your tenant can authorize the default Glean OAuth app when users or admins are prompted to connect the action.
• If you plan to use a Custom OAuth app:
  • You know or can obtain your Tenant ID.
  • You can configure the tenant specific authorization and token URLs.
  • You can grant admin consent for the app in Enterprise applications after saving the configuration in Glean.

Setup instructions

Follow these steps to setup the Microsoft 365, Microsoft teams, Excel and Outlook extension actions pack:

1. In Glean, go to the Admin console → Platform → Actions.

2. Click Add.

3. From the list in the Add pre‑set actions section, select Microsoft 365 Actions under Action templates.

4. In the Configuration tab:

   1. Add the Instance Name.
   2. Select Datasource Instance to link this action to your Microsoft 365 instance.
   3. Configure authentication. Microsoft 365 actions use user OAuth so that actions run as the signed‑in user and respect their permissions. You can either use a central Glean‑managed app (recommended where available) or configure a custom OAuth app in Microsoft entra admin center.

   Use the central option if:

   • Your organization is Glean‑hosted, and
   • Central apps are available for Microsoft 365 in your environment.

   Steps:

   1. Select Central under Authenticate sectionin on the Microsoft 365 Actions setup page.
   2. Click Save.

   End users are prompted to connect their Microsoft 365 account the first time they run an action, and tokens are managed centrally thereafter.

   Use the custom option if:

   • The central Microsoft 365 OAuth option is not available in your environment, or
   • Your security model requires a customer-owned Microsoft 365 OAuth app.

   Steps:

   In order to setup OAuth for Microsoft 365, Microsoft teams, Excel and Outlook extension actions pack, follow these steps:

   Step 1: Create a new OAuth app

   1. Navigate to the Microsoft Entra admin center.
   2. Go to App registrations under Entra ID and click New registration.
   3. Add Name.
   4. Select Single tenant supported account type.

   If you are configuring custom OAuth for Microsoft Outlook, Microsoft Teams, or Microsoft Excel actions, register the app by selecting Multiple Entra ID tenants as the supported account type and only your tenant. Single-tenant apps are not supported for these Microsoft extension actions.

   After you register the app:

   1. Restrict access so that only users in your Microsoft Entra tenant can authorize and use the app. For more information, see Restrict access to specific tenants.
   2. Use your tenant-specific authorization and token URLs in Glean.
   3. Grant admin consent for the app in your tenant before asking users to connect. For more information, see One-time admin connection for Teams, Excel, and Outlook extension actions.

   5. Leave Redirect URI field blank.
   6. Click Register to register the app.
   7. Copy the Application (client) ID.

   

   8. Copy the Directory (tenant) ID.
   9. Go to Certificates & secrets, create a new client secret, and copy the client secret value. The client secret value is shown only when you create the secret. Save it immediately, because you cannot view it again later.

   

   Step 2: Set permissions

   1. Navigate to API permissions under Manage, select the API.
   2. Select Delegated permissions.
   3. Add scopes in the Select permissions field. These scopes are available in the Microsoft 365 actions configuration page on the Glean admin console.
   4. CLick Add permissions.

   

   Step 3: Fill the client ID and client secret

   1. Navigate to Microsoft 365 actions or to the Microsoft Excel extension actions configuration page (based on what you are configuring for) on the Glean admin console.
   2. Select custom under the Authenticate section.
   3. Add the Client ID and Client secret information. For Client secret, paste the client secret value copied earlier, not the client secret ID. 4.Paste the following values for Authorization and Token URL fields. Ensure to replace <tenant_id> with the Tenant ID that was copied earlier:

   • Authorization url: https://login.microsoftonline.com/\<tenant_id\>/oauth2/v2.0/authorize
   • Token url: https://login.microsoftonline.com/\<tenant_id\>/oauth2/v2.0/token

   5. Click Save.
   6. Copy the Callback URL.

   Step 5: Configure the callback URL in your OAuth App

   1. Go to the Authentication tab of your app configuration on the Microsoft Entra admin center.
   2. Click Add Redirect URI under Redirect URI configuration.
   3. Select Web and paste the callback URL into the Redirect URI field.
   4. Click Configure.

   Step 6 (Optional): Set consent and permissions

   1. Navigate to Enterprise apps under Entra ID in the Microsoft Entra admin console.
   2. Click Consent and permissions under Security.

   • If you want admins to allow consent for organization, click Admin consent settings and choose the first option.

   

   • If you want to add user consent settings, , click User consent settings and choose the third option:
   • For users to be able to consent individually the first time they use, choose the third option.
   • If you want users to be able to consent but only for selected permissions, select the second option and add the above permissions added for the app, otherwise some users might be able to consent for more scopes than configured in the app.

   

   When the user/admin authenticates, you can see them along with the granted permissions on this page.

Scopes for other Microsoft apps

If you want to integrate with other Microsoft services, you can reuse the same Azure app. Add the required scopes in both Azure and Glean:

• OneDrive — Files.ReadWrite, Files.Read.All
• Teams — Channel.Create, Channel.ReadBasic.All, ChannelMessage.Read.All, ChannelMessage.ReadWrite, ChannelMessage.Send, ChannelSettings.ReadWrite.All, Chat.Create, Chat.Read, Chat.ReadBasic, Chat.ReadWrite, Chat.ReadWrite.All, ChatMessage.Read, ChatMessage.Send, Directory.ReadWrite.All, Group.ReadWrite.All, offline_access, People.Read.All, Presence.ReadWrite, Team.Create, Team.ReadBasic.All, TeamMember.ReadWrite.All, TeamsActivity.Read, TeamsActivity.Send, User.Read, OnlineMeetings.ReadWrite
• SharePoint — List.Read
• Excel — Files.ReadWrite, Sites.ReadWrite.All, offline_access, User.Read

After scopes are added, you can configure additional auth configs in Glean for each service.

Verification steps

Microsoft 365 actions

• After you set up Microsoft 365 Actions, open Glean Assistant and export a response to Word, Excel, or an Outlook email draft. Choose Connect and sign in the first time. If Connect is blocked by policy, see Admin approval for using the action.

• In Glean Assistant, try prompts such as "Draft an email summarizing …" or "Create a doc with …" and confirm Glean suggests the Microsoft 365 actions at the end of the response when they apply.

Microsoft 365 extension actions

• After you set up Microsoft Teams, Microsoft Excel, or Microsoft Outlook extension actions, open Agent Builder, add a workflow step that uses Microsoft Teams, Excel, or Outlook, and run the agent. Confirm the step runs successfully after you Connect and authorize when prompted. If your organization requires it, complete the one-time admin connection for Teams, Excel, and Outlook extension actions before asking other users to run those steps.

• In Glean Assistant, try requests that trigger Teams, Excel, or Outlook extension behavior, for example prompts about posting or replying in Teams, working with an Excel workbook, or Outlook tasks beyond a simple export-to-draft flow.

Admin approval for using the action

Applies to Microsoft 365 Actions and to Microsoft Teams, Microsoft Excel, and Microsoft Outlook extension packs. Extension packs may also need One-time admin connection for Teams, Excel, and Outlook extension actions.

The first time someone uses one of these actions, they are prompted to Connect and authorize the application.

Depending on your Microsoft Entra ID tenant policies, end users may be blocked until an administrator grants admin consent for the app. If a user sees a message that they must request approval from an admin when they choose Connect, a Microsoft 365 admin should complete Grant admin consent in Enterprise applications. This is a one-time step for the whole organization.

Grant admin consent in Enterprise applications

1. In the Azure portal, open Enterprise applications.

Central (Glean-managed) OAuth app

• Search for Glean, open the enterprise application, and go to the Permissions tab.
• Select Grant admin consent for Glean Technologies.

Custom OAuth app

• Search for your registered application name, open it, and go to the Permissions tab.
• Select Grant admin consent for your tenant (the exact label matches your directory name).

After admin consent is granted, users can usually connect without a separate admin approval step, unless other tenant policies still restrict consent.

One-time admin connection for Teams, Excel, and Outlook extension actions

If you use Microsoft Teams, Excel, or Outlook extension actions, a Glean admin must complete OAuth once after the action pack is created so permissions are allowed for your environment:

1. Create an autonomous agent.
2. Add a workflow step that uses Microsoft Teams, Excel, or Outlook.
3. Choose Connect and sign in as an admin to authenticate and approve the requested permissions on behalf of users, as prompted.

(Optional) Restrict access to specific tenants

If you are using your own custom OAuth app and want to limit access to only the tenant of your organization or specific tenants, follow the steps below to restrict the access:

1. Go to the Azure portal.
2. Click App registrations.
3. Click + New registration.
4. Fill up the Register an application form.
   1. Add the Name.
   2. For Supported account types, select Multiple Entra ID tenants and Allow only certain tenants (Preview).
      Select Allow all tenants to permit authentication from any Microsoft organization. Only enable this option if your application is intended for public use.
   3. Click Manage allowed tenants.
      1. Click Add and add the tenant ID or domain name of each organisation you want to allow.
      2. Click Apply.
5. (Optional) Add the Redirect URI.
6. Click Register.

You can find the tenant ID details on the Overview page of Microsoft Azure portal. Go to the Microsoft Azure homepage → Microsoft Entra ID.

Related documentation

• To see more information on Microsoft connectors, see Microsoft connectors.
• To see more information on how to register an app, see Register an app.
• After you have set up the Microsoft 365 Action, refer to the Microsoft 365 agent article on how to test this action pack in the agent builder.