# Authenticating Microsoft accounts with Nylas

Source: https://developer.nylas.com/docs/provider-guides/microsoft/authentication/

After you [create an Azure application](/docs/provider-guides/microsoft/create-azure-app/), your next step is deciding how to authenticate your users to Nylas.

> **Info:** 
> **Nylas Hosted Auth follows the OAuth 2.0 flow, and Nylas takes care of the underlying authentication process**. To set up your auth flow, you must first configure Hosted Auth using either an [API key](/docs/v3/auth/hosted-oauth-apikey/) or an [access token](/docs/v3/auth/hosted-oauth-accesstoken/).

## Before you begin

Before you choose an authentication method, Nylas recommends you read the following documentation:

- [Hosted Authentication with an API key](/docs/v3/auth/hosted-oauth-apikey/)
- [Hosted Authentication with an access token](/docs/v3/auth/hosted-oauth-accesstoken/)
- [Bring Your Own Authentication](/docs/v3/auth/bring-your-own-authentication/)

You also need to complete the following prerequisites for your production application:

- [Complete Microsoft's domain verification process](https://docs.microsoft.com/en-us/microsoft-365/admin/setup/add-domain?view=o365-worldwide).
- [Become a Microsoft verified publisher](https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview).

### Authenticate Exchange accounts

> **Warn:** 
> **Microsoft [announced the retirement of Exchange Web Services](https://techcommunity.microsoft.com/t5/exchange-team-blog/retirement-of-exchange-web-services-in-exchange-online/ba-p/3924440) in 2022 and [strongly recommended that all users migrate to use Microsoft Graph](https://techcommunity.microsoft.com/t5/exchange-team-blog/ews-exchange-web-services-to-microsoft-graph-migration-guide/ba-p/3957158)**. Users on Exchange Online have already been migrated.

Nylas includes an EWS connector that you can use to authenticate accounts hosted on Exchange on-premises servers. Other types of Exchange accounts must upgrade to use Microsoft Graph scopes, then authenticate using the Microsoft connector.

For more information, see [Authenticate Exchange on-prem servers with Nylas](/docs/provider-guides/exchange-on-prem/).

### Authenticate Microsoft shared mailboxes

[Microsoft's shared mailboxes](https://learn.microsoft.com/en-us/microsoft-365/admin/email/about-shared-mailboxes?view=o365-worldwide) are individual mailboxes that multiple users can access. Each shared mailbox has its own email address and password.

> **Info:** 
> **Shared mailboxes might not have a set password when they're created**. In this case, you'll need to use Microsoft's password reset process to create a password before you can authenticate the shared mailbox with Nylas.

After you set a password for the shared mailbox, you can authenticate it with Nylas like any other Microsoft account. It functions as a regular user account with a grant in your Nylas integration.

## Set up Bring Your Own Authentication

Microsoft supports [modern authentication/OAuth](https://learn.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worldwide#what-is-modern-authentication) only. The flow follows these basic steps:

1. Your Nylas application completes the OAuth process with Microsoft and receives a `refresh_token` for the user's account.
2. Your application makes a [Bring Your Own Authentication request](/docs/reference/api/manage-grants/byo_auth/) to Nylas using the user's `refresh_token`.

   ```bash
   curl --request POST \
     --url 'https://api.us.nylas.com/v3/connect/custom' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <NYLAS_API_KEY>' \
     --header 'Content-Type: application/json' \
     --data '{
       "provider": "microsoft",
       "settings": {
         "refresh_token":"<REFRESH_TOKEN>"
       },
       "state": "<STATE>"
     }'
   ```

3. Nylas creates a grant for the user and returns its details.
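
The request from step 2, built server-side with the API key and refresh token kept out of command-line arguments and logs. This is an added example, not Nylas's own code: the function names `build_byo_auth_request` and `redacted` and the environment variable names are assumptions, while the endpoint and body shape come from the curl request above.

```python
import json
import os
import urllib.request

# Endpoint and body shape are taken from the curl request on this page.
NYLAS_CUSTOM_AUTH_URL = "https://api.us.nylas.com/v3/connect/custom"


def build_byo_auth_request(api_key, refresh_token, state):
    """Build, without sending, the Bring Your Own Authentication request."""
    for name, value in (("api_key", api_key), ("refresh_token", refresh_token)):
        # Catch empty values and unreplaced <PLACEHOLDER> strings locally.
        if not value or (value.startswith("<") and value.endswith(">")):
            raise ValueError(f"{name} is missing or still a placeholder")
        # A CR/LF in a secret would corrupt the Authorization header.
        if "\r" in value or "\n" in value:
            raise ValueError(f"{name} contains a line break")
    body = {"provider": "microsoft",
            "settings": {"refresh_token": refresh_token},
            "state": state}
    return urllib.request.Request(
        NYLAS_CUSTOM_AUTH_URL,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Accept": "application/json",
                 "Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})


def redacted(req):
    """Return a log-safe summary: same request, credentials masked."""
    body = json.loads(req.data)
    body["settings"]["refresh_token"] = "<redacted>"
    headers = dict(req.header_items())
    headers["Authorization"] = "Bearer <redacted>"
    return {"method": req.get_method(), "url": req.full_url,
            "headers": headers, "body": body}


if __name__ == "__main__":
    # Assumed variable names; secrets come from the environment, not argv,
    # so they stay out of the process list.
    req = build_byo_auth_request(os.environ["NYLAS_API_KEY"],
                                 os.environ["MS_REFRESH_TOKEN"],
                                 os.environ.get("NYLAS_STATE", ""))
    print(json.dumps(redacted(req)))        # safe to write to logs
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(resp.status)                  # grant details are in resp.read()
```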
