Skip to main content

Indexing connector setup and reference

This section covers setup requirements, permissions, and behavior specific to the Outlook indexing connector. For real-time access setup, see the overview.

Before you start

Have these in place before you configure the Outlook indexing connector:

  • Azure tenant administrator — an Azure tenant admin must grant admin consent for the Microsoft Graph application permissions below.
  • A registered Azure AD application — with the Microsoft Graph application permissions, and a certificate uploaded to the app registration (App registration → Certificates & secrets → Certificates). Indexing requires certificate-based authentication; a client secret works only for real-time access.
  • Microsoft 365 / Exchange Online — the connector supports Exchange Online only, not on-premises or legacy Exchange Server.
  • (Optional) Scoping decisions — an Azure AD product access group (productAccessGroupId) to limit which mailboxes are indexed, and an allowed sender-domain list.

Required permissions

Your Azure AD app needs the following Microsoft Graph application permissions, granted with admin consent by an Azure tenant admin.

Tell us what you need, and we’ll build the request.

The baseline permissions are always included. Select any extras below and the permission set updates instantly. Then copy it to hand to your IT or security team, so every scope is requested in one pass.

Permissions to request from IT
Microsoft Graph API Application
  • Mail.ReadRead access to messages across the mailboxes Glean indexes.
  • Calendars.ReadUsed to surface calendar events in the Glean Today card.
  • User.Read.AllReads directory users to map mailboxes to Glean users.
  • GroupMember.Read.AllReads group membership, including the product access group used to scope indexing.

What gets indexed

Content typeSupportNotes
Email messages and threadsFullThe Inbox, Sent folder, and other configured mail folders within each user's primary mailbox. Messages are grouped into threads for each user.
Message metadataFullSubject lines, participants (From, To, Cc, Bcc), sent/received timestamps, and conversation identifiers.
Email bodyText onlyText content of messages. Glean doesn't index formatting or inline media.
AttachmentsNot indexedThe Outlook connector doesn't index attachments. Attachment content may be searchable through the OneDrive or SharePoint connectors instead.

Known limitations

  • Message limit. Glean starts by indexing the most recent 5,000 messages for each user. As new messages arrive, the index updates and keeps at least those 5,000 messages by default. You can configure the lookback window.
  • Conversation thread cap. Glean truncates individual threads with more than 1,000 messages.
  • Excluded folders. Glean doesn't index the Junk Email (spam) or Deleted Items folders.
  • Online Archive mailboxes. Glean excludes separate Online Archive (In-Place Archive) mailboxes, but indexes the standard "Archive" folder within a user's primary mailbox.
  • Mailbox model. The connector doesn't support shared mailboxes, delegated mailboxes, group conversations, or public folders. It enforces a 1:1 relationship between a user and their primary mailbox.
  • Calendar events. The Outlook connector doesn't index calendar events for search, though it uses Calendars.Read to surface them on the Glean Today card. For calendar search and meeting transcripts, use the Teams connector.
  • Connector deletion. The Admin console doesn't offer self-service deletion; contact your Glean representative.

Crawling and freshness

The connector combines periodic full crawls with frequent incremental updates using Microsoft Graph delta queries.

  • Initial full crawl — crawls mailboxes for users in the configured product access group across the Inbox, Sent, and selected folders.
  • Incremental updates — delta queries on mail folders discover new messages, detect updates, and detect deletions or moves on a frequent schedule subject to Microsoft's Outlook mail API throttling limits (about 10,000 requests per 10 minutes per mailbox).
  • Deletion handling — when a user deletes messages or moves them to junk/spam, Glean removes the thread on the next incremental pass.

Glean's crawling system centrally manages crawl schedules; the Admin console has no connector-level crawl-frequency setting.

Setup instructions

Setup occurs in both the Azure portal and the Glean Admin console. Choose the guide that matches your retrieval and authentication needs:

Permissions and security

  • Permission propagation. Each thread belongs to a single mailbox owner from Azure AD, and only that owner sees the indexed email in Glean. Product access group membership and any allowed sender domains further restrict scope.
  • Read-only access. The Graph app uses only read scopes; Glean never writes or modifies Outlook data.
  • Authentication. Indexing requires a certificate. Real-time access supports certificate-based auth or client ID + secret.