Skip to content
AskVault Docs
Try Free →

Outlook OAuth setup for email assistant

Written by , Founder, AskVault · Reviewed by Aashiq
Last updated: · 3 min read

Two account types

Outlook.com (personal). Free Microsoft accounts. OAuth direct, no admin.

Microsoft 365 (work or school). Tenant-managed. May require IT admin approval for third-party apps.

For Microsoft 365 tenants with strict policies, your IT admin needs to approve AskVault first.

Setup walkthrough

About 5 to 15 minutes:

Step 1: connect

  1. Open Deploy Hub > Email > Connect Outlook.
  2. Click "Sign in with Microsoft".
  3. Pick the mailbox account.
  4. Approve scopes:
    • Read mail.
    • Send mail.
    • Manage drafts and folders.

Step 2: admin approval (Microsoft 365 only)

If your tenant requires approval:

  1. You'll see a consent screen indicating admin approval needed.
  2. Forward to your IT admin with the AskVault app ID (shown in the prompt).
  3. Admin approves via Azure Portal > App registrations.
  4. You re-authorize to complete connection.

Approval takes 1 to 3 business days depending on IT process.

Step 3: pick folder and label

After OAuth completes:

  • Pick the inbox folder to monitor.
  • Pick the label for bot-handled emails (e.g., "AskVault Handled").
  • Save.

Email channel active within 60 seconds.

Scopes requested

Three scopes:

  • Mail.Read. Read incoming messages.
  • Mail.Send. Send replies.
  • Mail.ReadWrite. Manage drafts and labels.

We don't request Calendars, Contacts, Files, or other Microsoft Graph scopes. Minimum-permission principle.

Token refresh

Microsoft OAuth tokens auto-refresh:

  • Access token. 1 hour validity. Auto-renews.
  • Refresh token. 90 days. If unused for 90 days, expires.

AskVault polls every 60 seconds; tokens stay fresh. Re-authorize if you see "Token expired" in dashboard.

Polling vs push (webhooks)

Microsoft Graph supports push notifications via webhooks (subscriptions). AskVault uses both:

  • Webhook for real-time (under 30 seconds latency).
  • Polling fallback every 60 seconds in case webhook gaps.

Webhook setup is automatic. No additional config.

Microsoft 365 vs Exchange on-premises

  • Microsoft 365 (cloud). Full OAuth support; this guide.
  • Exchange Online plan E1+ in M365. Same as M365 Cloud.
  • Exchange on-premises (Data Center). OAuth not supported. Use IMAP/SMTP via service-account credentials.

For Exchange on-prem, contact support for guidance.

Sender identity

By default, bot sends from the connected mailbox address. Customize:

  • Display name. "Acme Support Bot" while keeping address as support@yoursite.co.
  • Reply-To. Override if replies should route elsewhere.
  • BCC. Optional copy of every send to compliance archive.

Configure under Deploy Hub > Email > Sender Identity.

Common pitfalls

Admin approval pending. Your tenant blocked OAuth third-party apps. Get IT to approve specifically for AskVault.

Tokens expire after 90 days. No activity. Re-authorize; AskVault keeps tokens fresh during normal usage.

Replies land in spam. Sender domain SPF/DKIM/DMARC missing. Configure on your domain.

Microsoft Graph throttling. Heavy mailbox volume hits rate limits. AskVault auto-throttles; usually invisible.

FAQ

Does this work with Hotmail.com or Live.com?

Yes. Same OAuth flow as Outlook.com.

Can I connect multiple Outlook inboxes?

Yes. Up to 5 on Growth, 25 on Business.

Will the bot read every email?

Only the connected folder (typically INBOX). Subfolders not monitored unless added.

Does this support shared mailboxes?

Yes if the OAuth-connecting user has Delegated access.

Was this page helpful?