
Microsoft Azure App Setup

Register a Microsoft Azure app to enable Microsoft Login, Outlook Calendar sync, and Microsoft Teams room creation.

Luka Breitig — Technical Product Builder & AI Developer

Before you begin

  • A Microsoft account or an Azure account (a free account at azure.microsoft.com is sufficient)
  • A domain with HTTPS configured
  • Tymeslot installed and running at your domain

By the end of this guide, you will have an Azure app registration configured for Microsoft Login, Outlook Calendar sync, and Teams meeting creation.

One App Registration, Three Features

A single Azure app registration covers all three Microsoft integrations in Tymeslot. You only need to go through this setup once.

  • Microsoft Login — let users sign in with their Microsoft account
  • Outlook Calendar — sync availability and create booking events
  • Microsoft Teams — auto-create Teams meeting rooms on every booking

Azure App Registration (also called "Azure AD App" or "Entra App" after Microsoft's 2023 rebrand of Azure Active Directory to Microsoft Entra ID) is Microsoft's equivalent of a Google OAuth app. The Azure Portal and Microsoft Entra admin center both give you access to the same app registrations.

1 Register an App in Azure

  1. Go to portal.azure.com and sign in.
  2. Type App registrations in the top search bar and select it from the results. (Alternatively: [Microsoft Entra ID] → [App registrations] in the left sidebar.)
  3. Click [+ New registration].
  4. Fill in the registration form:
    • Name: "Tymeslot"
    • Supported account types: select Accounts in any organizational directory and personal Microsoft accounts. This allows both personal Outlook.com accounts and work or school Microsoft 365 accounts to sign in.
    • Redirect URI: choose Web from the platform dropdown, then enter https://yourdomain.com/auth/microsoft/callback
  5. Click [Register]. You land on the app's Overview page.

Only need personal Outlook accounts?

If your users are exclusively personal Microsoft account holders (Outlook.com, Hotmail, Live), you can select Personal Microsoft accounts only during registration. Note that Teams meeting creation is only available to Microsoft 365 accounts and will not work with personal accounts regardless of this setting.

2 Note Your Application ID

On the Overview page immediately after registration, locate and copy two values:

  • Application (client) ID — this becomes your MICROSOFT_CLIENT_ID.
  • Directory (tenant) ID — when supporting both personal and organizational accounts, set MICROSOFT_TENANT_ID=common in your environment. You only use the actual tenant ID if you are restricting login to a single Azure AD directory.

3 Create a Client Secret

In the left sidebar of your app registration, go to [Certificates & secrets] → [New client secret].

  1. Description: "Tymeslot production" (helps identify it later)
  2. Expires: 24 months is a reasonable choice — set a calendar reminder to rotate it before it expires
  3. Click [Add]. A new row appears in the secrets list.
  4. Copy the value from the Value column immediately. This is your MICROSOFT_CLIENT_SECRET.

The secret value is only visible once

As soon as you navigate away from this page, the Value column shows only a truncated preview. You cannot recover the full value. If you forget to copy it, delete the secret and create a new one — this does not affect your app registration or permissions.

4 Add API Permissions

Go to [API permissions] → [Add a permission] → [Microsoft Graph] → [Delegated permissions]. Search for and add each permission:

  • User.Read

    Required for Microsoft Login — reads the signed-in user's name, email, and profile photo.

  • Calendars.ReadWrite

    Required for Outlook Calendar sync — reads existing events to check availability and creates events for new bookings.

  • OnlineMeetings.ReadWrite

    Required for Teams meeting creation. Only add this if you plan to use Teams rooms — skip it if you only need login or calendar sync.

After adding all permissions, click [Grant admin consent for (your org name)] if you have admin rights. A green tick appears next to each permission confirming consent has been granted.

Not an admin?

If you do not have admin rights, you can still save the permissions. Each user will be prompted to grant consent on their first sign-in. For OnlineMeetings.ReadWrite, however, admin consent is required regardless of account type — Teams online meeting creation cannot proceed without it.

5 Configure Environment Variables

Add the following to your Tymeslot environment configuration and restart the server.

# OAuth credentials (from Steps 2 and 3)
MICROSOFT_CLIENT_ID=your-application-client-id
MICROSOFT_CLIENT_SECRET=your-client-secret-value

# Use "common" to support both personal and organizational accounts
MICROSOFT_TENANT_ID=common

# Random secret used to sign the OAuth state parameter
MICROSOFT_STATE_SECRET=your-random-32-char-secret

Generate a secure state secret with the command below, which prints 32 random bytes as a 64-character hex string:

openssl rand -hex 32
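
What signing the state parameter with this secret protects, shown as an added example (not Tymeslot's own code): the callback is accepted only if the state carries a valid HMAC, belongs to the same browser session, and is recent. The token layout, the session binding, and the 10-minute lifetime are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

STATE_TTL_SECONDS = 600  # assumed lifetime of a pending login


def _mac(secret: bytes, message: str) -> str:
    digest = hmac.new(secret, message.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_state(secret: bytes, session_id: str, now=None) -> str:
    """Build 'nonce.issued_at.mac' to send as the OAuth state parameter."""
    nonce = secrets.token_urlsafe(16)
    issued = str(int(time.time() if now is None else now))
    # The session ID is covered by the MAC but never sent to Microsoft.
    return f"{nonce}.{issued}.{_mac(secret, f'{session_id}.{nonce}.{issued}')}"


def verify_state(secret: bytes, state: str, session_id: str, now=None) -> bool:
    """Accept the callback only if the state is authentic, ours, and fresh."""
    parts = state.split(".")
    if len(parts) != 3:
        return False
    nonce, issued, mac = parts
    expected = _mac(secret, f"{session_id}.{nonce}.{issued}")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False
    # Safe to parse: the timestamp is authenticated by the MAC checked above.
    age = (time.time() if now is None else now) - int(issued)
    return 0 <= age <= STATE_TTL_SECONDS


if __name__ == "__main__":
    # Constructed secret with the same shape as `openssl rand -hex 32` output.
    secret = secrets.token_hex(32).encode()
    state = sign_state(secret, "session-A")
    print("same session:", verify_state(secret, state, "session-A"))
    print("other session:", verify_state(secret, state, "session-B"))
```

A state minted for one session fails verification in another, which is what stops a login response from being injected into a different user's browser.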

Common Errors

Calendar sync fails with "Insufficient privileges"

Either the Calendars.ReadWrite permission is missing, or admin consent was not granted for organisational accounts. Return to [API permissions] in your app registration, confirm the permission is listed, and click [Grant admin consent].

Teams meeting creation fails

Teams online meetings always require admin consent for OnlineMeetings.ReadWrite, even for personal account flows. Confirm the permission is present and that a green tick appears next to it in the [API permissions] list. If the tenant column shows "Not granted", an Azure admin must click [Grant admin consent].

"AADSTS50011: The redirect URI does not match"

The callback URL Tymeslot is sending does not match what was registered. Go to [Authentication] in your app registration, confirm the redirect URI listed there matches your domain exactly, including the https:// scheme and /auth/microsoft/callback path.

"AADSTS700016: Application not found in directory"

The MICROSOFT_CLIENT_ID environment variable does not match the Application (client) ID of your registration. Copy the value again from the Overview page of your app registration.

Frequently Asked Questions

Azure returns 'AADSTS50011: The reply URL specified in the request does not match' — why?

The redirect URI registered in your Azure app must exactly match the URL Tymeslot sends during the OAuth flow. Common mismatches include a trailing slash ( /auth/microsoft/callback/ vs /auth/microsoft/callback ), using http:// in production instead of https://, or a domain mismatch (e.g., updating the domain without updating the Azure registration). Go to [Authentication] in your app registration and ensure the URI listed there is exactly https://yourdomain.com/auth/microsoft/callback.
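
A small diagnostic for the AADSTS50011 mismatches described here and under Common Errors, added as an example (not part of Tymeslot): it compares the registered URI with the one actually sent and names the component that differs. The function name and the sample values are hypothetical.

```python
from urllib.parse import urlsplit


def diagnose_redirect_mismatch(registered, sent):
    """Return the reasons `sent` is not an exact match for `registered`."""
    if registered == sent:
        return []
    reg, got = urlsplit(registered), urlsplit(sent)
    findings = []
    if reg.scheme != got.scheme:
        findings.append(f"scheme: registered {reg.scheme}://, sent {got.scheme}://")
    if reg.hostname != got.hostname:
        findings.append(f"host: registered {reg.hostname}, sent {got.hostname}")
    if reg.port != got.port:
        findings.append(f"port: registered {reg.port}, sent {got.port}")
    if reg.path != got.path:
        if reg.path.rstrip("/") == got.path.rstrip("/"):
            findings.append("path: trailing slash differs")
        else:
            findings.append(f"path: registered {reg.path}, sent {got.path}")
    if not findings:
        # The strings differ but the parsed parts do not (letter case, query, ...).
        findings.append("other: compare the two strings character by character")
    return findings


if __name__ == "__main__":
    registered = "https://yourdomain.com/auth/microsoft/callback"
    # Constructed callback values, not taken from a real deployment.
    for sent in (registered, registered + "/",
                 "http://yourdomain.com/auth/microsoft/callback"):
        print(sent, "->", diagnose_redirect_mismatch(registered, sent) or "exact match")
```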

I'm getting 'Need admin approval' when signing in — what does that mean?

Your Azure AD tenant has a policy requiring admin consent before users can authorise new applications. An Azure AD administrator must grant consent for the app permissions before anyone in the organisation can sign in. The admin can do this by navigating to [API permissions] in your app registration and clicking [Grant admin consent for (your org name)]. Alternatively, send the admin the admin consent URL, which follows the pattern https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}.

What's the difference between 'Delegated' and 'Application' permissions in Azure?

Tymeslot uses Delegated permissions exclusively. With delegated permissions, the application acts on behalf of the signed-in user — the user must consent, and the app can only access what that user can access. Application permissions are granted directly to the app itself (no user context), intended for background daemons and services. All permissions described in this guide — User.Read, Calendars.ReadWrite, and OnlineMeetings.ReadWrite — must be added as Delegated permissions.

Can I use the same Azure app registration for both personal (Outlook.com) and work (Microsoft 365) accounts?

Yes, provided you set Supported account types to Accounts in any organizational directory and personal Microsoft accounts during registration (or update it afterwards under [Authentication]). With this setting and MICROSOFT_TENANT_ID=common in your environment, both personal and organisational accounts will be able to sign in and connect their calendars. Note that Teams meeting creation requires a Microsoft 365 account — it is not available to personal Outlook.com accounts regardless of this setting.

My Azure app registration shows 'Unverified' — is that a problem?

For self-hosted Tymeslot instances, the "Unverified" label is expected and is not a blocker. Microsoft displays this warning for apps that have not completed their publisher verification process (which requires a verified Microsoft Partner Network account). Users will see an "unverified" notice on the consent screen when they first sign in, but they can still proceed. Publisher verification is optional and only relevant if you plan to distribute the app to external organisations at scale.

Verification Checklist

Confirm each of the following after restarting Tymeslot:
  • A Sign in with Microsoft button appears on the login page.
  • Clicking it redirects to Microsoft's login, then back to Tymeslot without error.
  • An Outlook Calendar connection option is visible under Dashboard → Settings → Integrations.
  • If using Teams: a Microsoft Teams option is visible under the Video integrations section, and creating a test booking produces a Teams link.
