Integrate Ampler with Microsoft Azure AD / Entra ID - Ampler

Ampler can communicate with Microsoft Graph to retrieve the current user’s profile from Entra ID. This data can be used in Dynamic Fields in PowerPoint/Word to automatically populate presentations and documents with the user’s name, job title, department, office location, etc. It can also be used to automatically create E-mail Signatures in Outlook.

Ampler uses delegated permissions when communicating with Microsoft Graph. This means Ampler accesses data on behalf of the signed-in user and only within the permissions granted by your organization. All data access happens locally on the user’s machine. Ampler does not give us, as a company, access to your tenant or user data, and no user data is transmitted to our servers.

If your organization uses multiple Microsoft Entra tenants, an administrator must complete steps 1–4 separately in each tenant that should allow Ampler access. Consent is granted per tenant, and an Enterprise Application for Ampler is created in each tenant individually.

To allow Ampler to communicate with Microsoft Graph, an Azure administrator should perform these steps:

  1. Click the following link to grant admin consent: https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=b086183f-47f9-4473-b10e-a03296751fd6&scope=.default&redirect_uri=https://my.ampler.io/adminconsent
  2. If prompted, log in with an Azure Administrator account that has the necessary permissions to add an Enterprise Application in your Entra ID.
  3. Review the permissions that Ampler requires. Administrators can review or revoke these permissions at any time in the Microsoft Entra admin center under Enterprise Applications.
    | Permission | Explanation | Why is it needed |
    |---|---|---|
    | email | Provides access to the user’s email address as part of the identity token. | Used to identify the user and populate signature fields such as email address. |
    | offline_access | Allows the app to receive a refresh token so it can access resources even when the user is not actively signed in. | Enables background updates of signatures (e.g. when user data changes) without requiring the user to log in again. |
    | openid | Required for OpenID Connect authentication; allows the app to sign in the user and receive an ID token. | Needed to authenticate users securely and establish their identity in the application. |
    | profile | Provides basic user profile information such as name and preferred username. | Used to populate signature fields like full name and display name. |
    | MailboxSettings.ReadWrite | Allows reading and updating mailbox settings such as automatic replies, time zone, and other mailbox preferences. | Required to allow Ampler to configure default signatures directly in the user’s mailbox settings. |
    | User.Read | Allows reading the signed-in user’s basic profile information from Microsoft Graph. | Used to retrieve user details (name, email, job title, etc.) for generating the user’s own email signature. |
    | User.Read.All | Allows reading the full profile information for all users in the organization. | Enables users to create user profiles for other users, e.g. users who send from shared mailboxes or on behalf of others (such as personal assistants sending on behalf of their manager). |
    | User.ReadBasic.All | Allows reading a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name and email address. | Enables users to create user profiles for other users, e.g. users who send from shared mailboxes or on behalf of others (such as personal assistants sending on behalf of their manager). |
    | Files.Read.All | Allows reading all files the signed-in user can access. | Signature templates are stored on your own SharePoint. Thus, Ampler needs to be able to download those signature templates in order to generate the actual email signatures. |
    | Presence.Read.All | Allows reading presence information (e.g. available, busy) for all users in the organization. | This is only required for a feature in the full Ampler for Outlook add-in, where users can queue an email to be sent when the recipient becomes available in Teams. If you only use the email signature functionality, or only use Dynamic Fields for PowerPoint and Word, this permission is not used. |
  4. Click Accept to grant admin consent for your organization.
  5. In PowerPoint, Word or Outlook, go to Ampler > Settings > Company Settings > Integrations. Fill out the ‘Azure’ section as shown below:
    • Tenant ID: your Azure tenant ID.

      If you use multiple tenants, enter: organizations

    • Azure Ampler App Id: b086183f-47f9-4473-b10e-a03296751fd6
  6. Click ‘Publish Settings’
  7. Ampler now has access to Microsoft Graph. Your Ampler installations will automatically connect to Microsoft Graph if possible or prompt users to log in the next time they start Outlook, PowerPoint or Word.
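
To support the review in step 3 from the tenant side, the following added example (not Ampler's code) compares the delegated scopes that Microsoft Graph records in oauth2PermissionGrants for the Ampler app ID with the permission list above. The JSON responses are constructed samples with placeholder object IDs and a made-up extra scope; `audit_grants` is a hypothetical helper name.

```python
import json

# App ID and delegated permissions exactly as listed on this page.
AMPLER_APP_ID = "b086183f-47f9-4473-b10e-a03296751fd6"
DOCUMENTED = {
    "email", "offline_access", "openid", "profile",
    "MailboxSettings.ReadWrite", "User.Read", "User.Read.All",
    "User.ReadBasic.All", "Files.Read.All", "Presence.Read.All",
}

# Constructed samples in the shape of Microsoft Graph responses for
#   GET /servicePrincipals?$filter=appId eq '<app id>'
#   GET /oauth2PermissionGrants?$filter=clientId eq '<service principal id>'
# Object IDs are placeholders; the Mail.Send scope is made up for the demo.
SAMPLE_SP = json.loads("""{"value": [{"id": "sp-object-id-placeholder",
  "appId": "b086183f-47f9-4473-b10e-a03296751fd6"}]}""")
SAMPLE_GRANTS = json.loads("""{"value": [
  {"clientId": "sp-object-id-placeholder", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "graph-sp-placeholder",
   "scope": "openid profile email offline_access User.Read User.Read.All Files.Read.All Mail.Send"},
  {"clientId": "some-other-app", "consentType": "Principal",
   "principalId": "user-placeholder", "resourceId": "graph-sp-placeholder",
   "scope": "User.Read"}]}""")


def audit_grants(sp_response, grants_response, app_id=AMPLER_APP_ID):
    """Compare delegated scopes granted to the app with the documented list."""
    sp_ids = {sp["id"] for sp in sp_response["value"] if sp["appId"] == app_id}
    granted, tenant_wide = set(), False
    for grant in grants_response["value"]:
        if grant["clientId"] not in sp_ids:
            continue  # grant belongs to a different application
        granted |= set(grant["scope"].split())
        # AllPrincipals = admin consent that applies to every user in the tenant
        tenant_wide = tenant_wide or grant["consentType"] == "AllPrincipals"
    return {
        "tenant_wide_consent": tenant_wide,
        "undocumented": sorted(granted - DOCUMENTED),  # not on the list above
        "not_granted": sorted(DOCUMENTED - granted),   # listed but not consented
        # scopes ending in .All reach beyond the signed-in user's own profile
        "broad_scopes": sorted(s for s in granted if s.endswith(".All")),
    }


if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_SP, SAMPLE_GRANTS), indent=2))
```

In a multi-tenant setup, run the same comparison against each tenant's own responses, since consent is granted per tenant.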