Connecting your tenant
Connecting a tenant is two AAD consent flows: a one-time Setup consent (elevated, self-deleting) and the daily-use Customer consent (the permissions that stay).
The Customer consent
You're agreeing to grant our daily-use app reg the permissions it needs to read your quarantine and release messages on your users' behalf.
| Permission | Type | Why we need it |
|---|---|---|
| User.Read | Delegated | Identifies the signed-in user when they open the add-in. |
| Exchange.ManageAsApp | Application | Lets our service call Get-QuarantineMessage and Release-QuarantineMessage for any user in your tenant. |
| openid, profile, email | Delegated | Standard sign-in scopes. |
You can verify these on the Deployment → Permissions card at any time; we re-check them live every time you load the page.
The Setup consent
Separate, more powerful, but only used once. The Setup app:
- Assigns the Exchange Administrator directory role to our daily-use app's service principal. This is the role Exchange.ManageAsApp needs to actually do anything in Exchange Online.
- Self-deletes from your Enterprise applications list once it's done its job.
After the run completes, the Setup app no longer exists in your tenant. You'll only see the daily-use Quarantine Customer app reg under Enterprise applications.
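To check this end state independently of the portal, the following added example (not the vendor's code) compares a tenant snapshot with the permissions from the Customer consent table and the role the Setup app assigns. The snapshot layout, the `audit` function, the Setup app's display name and all IDs are assumptions made for illustration; the field names follow Microsoft Graph v1.0 responses.

```python
# Added example, not the vendor's code. Sample data is constructed; field names follow
# Microsoft Graph v1.0 (servicePrincipals, appRoleAssignments, oauth2PermissionGrants,
# roleManagement/directory/roleAssignments with $expand=roleDefinition).
EXPECTED_APP = {"Exchange.ManageAsApp"}
EXPECTED_DELEGATED = {"User.Read", "openid", "profile", "email"}
EXPECTED_ROLES = {"Exchange Administrator"}
SETUP_ONLY = "RoleManagement.ReadWrite.Directory"

def audit(snap, customer_name="Quarantine Customer (Production)"):
    """Return a list of findings; an empty list means the tenant matches the page."""
    names = {sp["id"]: sp["displayName"] for sp in snap["servicePrincipals"]}
    role_name = snap["appRoleNames"]  # appRoleId -> value, from the resource SP's appRoles
    findings = []
    # The elevated scope should vanish with the Setup app. Other apps in a tenant may
    # hold it legitimately, so each holder is flagged for review, not as a verdict.
    for a in snap["appRoleAssignments"]:
        if role_name.get(a["appRoleId"]) == SETUP_ONLY:
            holder = names.get(a["principalId"], a["principalId"])
            findings.append(f"{SETUP_ONLY} still granted to {holder}")
    sp_id = next((i for i, n in names.items() if n == customer_name), None)
    if sp_id is None:
        return findings + [f"{customer_name}: service principal not found (consent missing)"]
    app = {role_name.get(a["appRoleId"], a["appRoleId"])
           for a in snap["appRoleAssignments"] if a["principalId"] == sp_id}
    delegated = {s for g in snap["oauth2PermissionGrants"] if g["clientId"] == sp_id
                 for s in g["scope"].split()}
    roles = {r["roleDefinition"]["displayName"]
             for r in snap["roleAssignments"] if r["principalId"] == sp_id}
    for label, have, want in (("application permission", app, EXPECTED_APP),
                              ("delegated scope", delegated, EXPECTED_DELEGATED),
                              ("directory role", roles, EXPECTED_ROLES)):
        findings += [f"unexpected {label}: {x}" for x in sorted(have - want)]
        findings += [f"missing {label}: {x}" for x in sorted(want - have)]
    return findings

# Constructed snapshot: the Setup app was not removed and the daily-use app gained Mail.Read.
SAMPLE = {
    "servicePrincipals": [{"id": "sp-customer", "displayName": "Quarantine Customer (Production)"},
                          {"id": "sp-setup", "displayName": "Setup app (placeholder name)"}],
    "appRoleNames": {"r1": "Exchange.ManageAsApp", "r2": SETUP_ONLY, "r3": "Mail.Read"},
    "appRoleAssignments": [{"principalId": "sp-customer", "appRoleId": "r1"},
                           {"principalId": "sp-customer", "appRoleId": "r3"},
                           {"principalId": "sp-setup", "appRoleId": "r2"}],
    "oauth2PermissionGrants": [{"clientId": "sp-customer", "scope": "User.Read openid profile email"}],
    "roleAssignments": [{"principalId": "sp-customer",
                         "roleDefinition": {"displayName": "Exchange Administrator"}}],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```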
Revoking access
You can disconnect at any time:
- Inside the portal: Settings → Disconnect tenant. Stops billing on the next cycle and revokes our access on the next data refresh.
- Outside the portal: delete the Quarantine Customer (Production) entry from Enterprise applications in Entra ID. The portal will detect the missing consent on the next sign-in and prompt you to re-grant or close the account.
Common questions
Why two app registrations? The Setup app needs RoleManagement.ReadWrite.Directory to assign the Exchange Administrator role — too sensitive to leave consented indefinitely. Separating it lets you grant the elevated scope for one-time use, then revoke automatically.
Can I do this with a non-Global-Admin? Application Administrator is enough. Anything below that won't surface the consent buttons.
→ Next: Deploying the add-in covers sideloading the manifest into Outlook.