Outlook / Microsoft 365 OAuth setup (administrator)

Connect Outlook.com and Microsoft 365 mailboxes to MailDesk using Microsoft's OAuth2 sign-in over the Microsoft Graph API. As with Gmail, no email password is stored in Odoo — Microsoft handles the login and returns a revocable token. This page is for the Odoo administrator who registers the application once for the company. Afterwards, each Outlook mailbox is authorized with a single Microsoft sign-in from inside MailDesk.

  • Basic connects Outlook for reading and the engine's own actions, requesting Microsoft Graph Mail.Read access (plus offline refresh).
  • Pro requests broader Microsoft Graph Mail.ReadWrite access (plus offline refresh) so it can perform two-way changes back to Outlook — marking read/unread, moving messages, and deleting. The Azure app registration is the same for both; Pro simply asks for the wider permission when a mailbox is authorized.

MailDesk uses its own Microsoft Graph connection

This is not Odoo's built-in Outlook integration (the one used to send mail from CRM and other Odoo forms). MailDesk has its own Graph OAuth flow and stores its tokens on the mailbox account. Configuring Odoo's standalone Outlook settings does not configure MailDesk, and you do not need to.


What it does

You register an application in Microsoft Entra ID (Azure Active Directory), create a client secret, grant the Microsoft Graph mail permission, and enter the application's Client Id and Client Secret into MailDesk. Connecting an Outlook mailbox is then a one-time Microsoft sign-in; MailDesk receives a token and a refresh token and never sees the password.

Why it matters

  • No passwords stored, and access can be revoked from Microsoft at any time.
  • Efficient delta sync over Microsoft Graph instead of legacy full-mailbox scanning.
  • One company-wide setup: register the app once; users then authorize their own mailboxes.

Requirements

  • A Microsoft Entra ID / Azure account that can create an app registration (Azure portal). For company mailboxes this is normally your Microsoft 365 tenant administrator.
  • Your Odoo server reachable over HTTPS at a stable public address. Microsoft rejects OAuth redirects to plain http://.
  • Administrator access to Odoo, including the technical settings.
  • MailDesk works on Odoo 17, 18, or 19 — the steps below are the same on each.

Permissions required

  • The Outlook credentials fields are restricted to Odoo Settings administrators (the Administration: Settings access group). Only such a user can view or change the Outlook Client Id and Secret.
  • Creating mailbox accounts and authorizing them is available to MailDesk administrators.

Step 1 — Register the application in Azure

  1. Open the Azure portal and go to Microsoft Entra ID (or Azure Active Directory) → App registrations.
  2. Click New registration and give it a name (for example MailDesk).
  3. Choose the supported account types:
    • Single tenant — recommended for a single organization; only your organization's users can authorize.
    • Multitenant — for multiple organizations.
    • Multitenant and personal Microsoft accounts — also allows Outlook.com / Hotmail sign-ins.
  4. Under Redirect URI, choose platform Web and enter exactly:

    https://YOUR-ODOO-DOMAIN/microsoft_outlook/confirm
    

    Replace YOUR-ODOO-DOMAIN with your Odoo address — for example https://erp.example.com/microsoft_outlook/confirm.

  5. Click Register.

Redirect URI and platform must be exact

MailDesk always sends Microsoft to {web.base.url}/microsoft_outlook/confirm. The value in Azure must match character-for-character, and the platform must be Web (not Single-page application or Mobile). A mismatch causes Microsoft error AADSTS50011.

On the registration's Overview page, copy the Application (client) ID. If you chose single tenant, also note the Directory (tenant) ID.

Step 2 — Create a client secret

  1. In the app registration, open Certificates & secrets.
  2. Click New client secret, give it a description, choose an expiry, and click Add.
  3. Copy the secret Value immediately — Azure shows it only once. If you lose it, create a new one.

Secrets expire — plan a rotation

Client secrets have a maximum lifetime. Note the expiry and replace the secret before it lapses by creating a new one and updating MailDesk (Step 5).

Step 3 — Add the Microsoft Graph permission

  1. Open API permissions → Add a permission → Microsoft Graph → Delegated permissions.
  2. Add the mail permission your deployment needs:
    • Mail.Read — sufficient for Basic.
    • Mail.ReadWrite — required for Pro's two-way changes (mark read, move, delete). Adding Mail.ReadWrite also covers reading, so a deployment that runs Pro can grant just Mail.ReadWrite.
  3. The refresh permission (offline_access) is a standard OpenID Connect permission that MailDesk requests automatically during sign-in, so you do not need to add it here.

Use Delegated, not Application, permissions

MailDesk connects on behalf of the signed-in user. Grant Delegated Graph permissions; do not grant Application permissions, which use a different, broader access model.

Step 4 — Grant admin consent

If your organization requires administrator approval for delegated permissions, open API permissions and click Grant admin consent for [your organization]. Users can then authorize without each seeing an individual consent prompt. This is optional for personal accounts and for individual-consent testing.

Step 5 — Enter the credentials in MailDesk

MailDesk stores the Outlook Client Id and Secret per company. There are two equivalent places to enter them.

Option A — MailDesk settings

  1. In Odoo, go to Settings, open the MailDesk section, and find the OAuth Settings block.
  2. Turn on Use an Outlook Server.
  3. Enter the Microsoft ID (the Application/client ID) and Secret from Steps 1–2.
  4. Save.

The values you see and edit here belong to the company selected in the top-right company switcher.

Option B — Company form

  1. Go to Settings → Users & Companies → Companies and open the company.
  2. Open the Mail OAuth tab.
  3. Under Outlook OAuth, fill in Outlook Client Id and Outlook Client Secret.
  4. Save.

Single-tenant, multi-company, and the legacy fallback

MailDesk reads the credentials in a fixed order: it uses the company's Outlook Client Id and Secret first, and only if those are empty does it fall back to the older system-wide Outlook credentials in Odoo's system parameters. For a single-tenant app, MailDesk also resolves the correct Microsoft sign-in address: it uses the standard common endpoint by default, or your tenant-specific endpoint when an older tenant configuration is present. When you upgrade an existing single-company install, MailDesk automatically copies any previous system-wide Outlook credentials onto your main company.

Step 6 — Check the Odoo base URL

MailDesk builds the redirect URI from Odoo's base URL, so it must match what you registered in Azure.

  1. Go to Settings → Technical → System Parameters.
  2. Find web.base.url. It should be your public HTTPS address with no trailing slash (for example https://erp.example.com).
  3. Correct it if needed and save.
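
The comparison behind Step 6 and the AADSTS50011 note can be scripted. The following is an added example, not MailDesk code: it assumes the redirect URI is built by plain concatenation of web.base.url and the callback path, and that the app registration has been exported as JSON (for instance with `az ad app show`). The sample registration is constructed.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/microsoft_outlook/confirm"  # callback path stated on this page

def _uris(app, platform):
    # Tolerates a missing or null platform block in the exported JSON.
    return (app.get(platform) or {}).get("redirectUris") or []

def _loose(uri):
    # Comparison key that ignores scheme, case, doubled and trailing slashes.
    parts = urlsplit(uri)
    return parts.netloc.lower(), parts.path.replace("//", "/").rstrip("/").lower()

def diagnose_redirect(base_url, app):
    """Return findings that explain an AADSTS50011 mismatch; [] means OK."""
    findings = []
    if urlsplit(base_url).scheme != "https":
        findings.append("web.base.url is not https")
    if base_url.endswith("/"):
        findings.append("web.base.url has a trailing slash")
    expected = base_url + CALLBACK_PATH  # assumption: plain concatenation
    web = _uris(app, "web")
    if expected in web:
        return findings
    for platform in ("spa", "publicClient"):
        if expected in _uris(app, platform):
            findings.append(f"registered under platform {platform}, not web")
            return findings
    near = [u for u in web if _loose(u) == _loose(expected)]
    if near:
        findings.append(f"registered {near[0]} differs from sent {expected}")
    else:
        findings.append(f"{expected} is not registered")
    return findings

# Constructed sample shaped like the JSON printed by `az ad app show`.
SAMPLE_APP = {
    "web": {"redirectUris": ["https://erp.example.com/microsoft_outlook/confirm"]},
    "spa": {"redirectUris": []},
}

if __name__ == "__main__":
    for url in ("https://erp.example.com", "https://erp.example.com/",
                "http://erp.example.com"):
        print(url, "->", diagnose_redirect(url, SAMPLE_APP) or "OK")
```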

Step 7 — Connect and authorize an Outlook mailbox

  1. Go to MailDesk → Configuration → Mailboxes → Mailbox Accounts and create a new account.
  2. Set the account name and the Outlook email address, and link it to an Outlook incoming mail server. Save.
  3. Click Connect Microsoft Graph (OAuth) in the form header. (This button appears only for Outlook accounts.)
  4. Complete the Microsoft sign-in and accept the requested permissions. Microsoft returns you to the mailbox account in Odoo, and the mailbox begins syncing.

Expected result

After sign-in the mailbox connects and MailDesk starts an initial fill of the newest messages, then continues loading history in the background through its scheduled background jobs. New mail then arrives automatically on the regular sync schedule. On Pro, changes you make in MailDesk (read/unread, move, delete) are written back to Outlook.


Troubleshooting

| Symptom | Likely cause | What to do |
|---|---|---|
| AADSTS50011 redirect mismatch | The Azure redirect URI does not exactly match {web.base.url}/microsoft_outlook/confirm, or the platform is not Web | Compare web.base.url (Step 6) with the Azure value; fix scheme, domain, trailing slash, and platform |
| Clicking Connect Microsoft Graph (OAuth) shows a "not configured" style error | The Outlook Client Id or Secret is empty for this company | Enter them via Step 5; confirm you are on the correct company |
| Sign-in returns with an invalid-secret error | The secret in MailDesk is wrong or has expired | Create a fresh secret in Azure (Step 2) and update it in MailDesk |
| Microsoft asks for administrator approval | Your organization requires admin consent for delegated permissions | Have a tenant admin grant consent (Step 4) |
| A user from another organization cannot authorize | The app is single-tenant | Change the app's supported account types to allow other tenants, and use the common sign-in endpoint |
| Pro changes do not write back to Outlook | The mailbox was authorized with read-only access | Confirm Mail.ReadWrite is granted in Azure (Step 3), then re-authorize the mailbox from Step 7 so the wider permission is consented |

Handling the Client Secret responsibly

  • The Client Id and Secret are stored in the Odoo database and are visible only to Settings administrators. They are never written to logs.
  • Treat the Secret like any credential: do not paste it into tickets, chat, or version control. Set a reminder to rotate it before it expires (Step 2), and replace it immediately after any suspected exposure.
  • For separate dev / staging / production servers, register a separate app (or at least a separate redirect URI) per environment so each environment has its own credentials and isolated secret rotation.
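
The rotation reminder above and the "Delegated, not Application" rule from Step 3 can both be checked from an export of the app registration. This is an added example, not part of MailDesk: it reads the `passwordCredentials` and `requiredResourceAccess` fields of the Microsoft Graph application object, assumes UTC timestamps, and uses a constructed sample with placeholder IDs and names.

```python
from datetime import datetime, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource

def audit_registration(app, now, warn_days=30):
    """Return (secrets expiring within warn_days, application-type permission ids)."""
    expiring = []
    for cred in app.get("passwordCredentials") or []:
        # Keep only the seconds-precision prefix; the timestamp is assumed UTC.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        days_left = (end.replace(tzinfo=timezone.utc) - now).days
        if days_left < warn_days:
            expiring.append((cred.get("displayName") or cred.get("keyId"), days_left))
    app_perms = []
    for resource in app.get("requiredResourceAccess") or []:
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue
        for access in resource.get("resourceAccess") or []:
            # "Scope" is a delegated permission, "Role" an application permission.
            if access.get("type") == "Role":
                app_perms.append(access["id"])
    return expiring, app_perms

# Constructed sample: IDs are placeholders, not real permission identifiers.
SAMPLE_APP = {
    "passwordCredentials": [
        {"displayName": "maildesk-old", "endDateTime": "2025-01-15T00:00:00Z"},
        {"displayName": "maildesk-new", "endDateTime": "2026-01-01T00:00:00Z"},
    ],
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},
            {"id": "22222222-2222-2222-2222-222222222222", "type": "Role"},
        ],
    }],
}

if __name__ == "__main__":
    secrets, roles = audit_registration(SAMPLE_APP, datetime.now(timezone.utc))
    print("secrets to rotate:", secrets)
    print("application permissions to remove:", roles)
```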