WATCHDESK — Station Setup Guide

Welcome

Setting up your station's sign-in for WATCHDESK

WATCHDESK uses your station's existing Google Workspace or Microsoft 365 account for sign-in. Members log in with their department email — no extra passwords to remember. This guide walks you through creating the credentials WATCHDESK needs.

No cost involved. Both Google OAuth and Microsoft Azure AD app registrations are included free with Google Workspace (including Nonprofits) and Microsoft 365 plans. No paid APIs or premium tiers are required.

                Time required: About 10–15 minutes. You'll need administrator access
                to your organization's Google Workspace or Microsoft 365 account.
            

                Before you start: Make sure you have your station's
                callback URL from the WATCHDESK administrator. It looks like
                https://watchdesk.org/auth/google/123/callback —
                you cannot complete the setup without it. If you received a setup email, the URL is included there.
            

Choose Your Identity Provider

Select the platform your station uses for email

Choose this if your station uses Google Workspace (Gmail, Google Drive, etc.) for department email — e.g., members have name@yourdomain.org addresses managed through Google.

Choose this if your station uses Microsoft 365 (Outlook, Teams, SharePoint, etc.) for department email — e.g., members have name@yourdomain.org addresses managed through Microsoft / Azure AD.

What You'll Need Before Starting

Make sure you have these ready

A Google Workspace administrator account for your station (the account that manages your @yourdomain.org emails)
Your Google Workspace domain (e.g., yourdomain.org)
Your station's callback URL from the WATCHDESK administrator
About 10–15 minutes of time

A Microsoft 365 Global Administrator or Application Administrator account
Your Microsoft 365 domain (e.g., yourdomain.org)
Your station's callback URL from the WATCHDESK administrator
About 10–15 minutes of time

Google Workspace Setup

Follow each step in order. Click through to the next when done.

Part A

Create a Google Cloud Project

Go to the Google Cloud Console

Open your web browser and go to the address below. Sign in with your Google Workspace administrator account (the one that manages your station's emails).

https://console.cloud.google.com

Accept Terms of Service and Set Up Billing

If this is your first time using the Google Cloud Console, you'll be asked to agree to the Terms of Service — check the box and click Agree and Continue.

Google may also ask you to set up a billing account before you can create a project. If so, click "Enable Billing" or "Create Billing Account" and follow the prompts. You'll need to enter a payment method (credit card), but you will not be charged.

Why does Google ask for billing? Google Cloud requires a billing account to create any project, even for free services. OAuth is completely free and does not generate any charges. You can set a $0 budget alert if you want extra peace of mind — but there is nothing in this setup that costs money.

If you already have a billing account set up, you can skip this step.

Create a New Project

At the very top of the page, you'll see a project dropdown (it may say "Select a project" or show an existing project name). Click it, then click "New Project".

Name the project WATCHDESK and click Create. Wait a few moments, then make sure the new project is selected in the dropdown at the top.

Part B

Enable the People API

Open the API Library

In the left sidebar, click APIs & Services, then click Library. In the search bar, type Google People API and click on it when it appears.

Enable the API

Click the blue "Enable" button. This allows WATCHDESK to read basic profile info (name and email) when members sign in. That's the only data it accesses.

Part C

Configure the OAuth Consent Screen

Navigate to the OAuth Consent Screen

In the left sidebar, click APIs & Services, then click OAuth consent screen.

Choose "Internal" User Type

Select "Internal" and click Create.

Why "Internal"? This means only members of your Google Workspace organization can sign in. No one outside your domain will be able to use these credentials. This is the most secure option.

Fill in the Consent Screen Details

You only need to fill in three fields:

App name: type WATCHDESK
User support email: select your admin email from the dropdown
Developer contact email: type your admin email address

You can skip the logo and app domain fields. Scroll down to Authorized domains and add watchdesk.org — this is required because the sign-in redirect points to the WATCHDESK website. Then click Save and Continue.

Scopes — Just Skip This Page

You don't need to add anything on this page. Just click Save and Continue.

Review Summary

Review the summary and click Back to Dashboard. The consent screen setup is done.

Part D

Create OAuth Credentials

Navigate to Credentials

In the left sidebar, click APIs & Services, then click Credentials.

Create OAuth Client ID

At the top of the page, click "+ Create Credentials", then choose "OAuth client ID" from the dropdown menu.

Configure the Client

Fill in these two fields:

Application type: select Web application from the dropdown
Name: type WATCHDESK

Add Authorized Redirect URI

Scroll down to the "Authorized redirect URIs" section and click "+ Add URI". Paste in the callback URL that the WATCHDESK administrator gave you. It looks like this:

https://watchdesk.org/auth/google/YOUR_STATION_ID/callback

                            Important: Use the exact URL the WATCHDESK administrator provided — including your actual station ID number (not "YOUR_STATION_ID"). It must match perfectly or sign-in will not work.
                        

Create and Copy Your Credentials

Click "Create". A dialog will pop up showing two values:

Client ID — a long string ending in .apps.googleusercontent.com
Client Secret — a shorter alphanumeric string

Copy both values now and save them somewhere safe. You'll send them to the WATCHDESK administrator in the next step.

Microsoft 365 Setup

Follow each step in order. Click through to the next when done.

Part A

Go to Azure Portal

Open the Azure Portal

Open your web browser and go to the address below. Sign in with your Microsoft 365 administrator account.

https://portal.azure.com

Navigate to Azure Active Directory

In the search bar at the top of the page, type Azure Active Directory and select it from the results. (It may also appear as Microsoft Entra ID — that's the same thing with a new name.)

Part B

Go to App Registrations

In the left sidebar, click "App registrations".

Create a New Registration

At the top of the page, click "+ New registration". Fill in the following:

Name: type WATCHDESK
Supported account types: select "Accounts in this organizational directory only" (this is the single-tenant option)

Why "this organizational directory only"? This means only members of your Microsoft 365 organization can sign in. No one outside your directory will be able to use these credentials. This is the most secure option.

Add Redirect URI

Still on the same page, find the "Redirect URI" section. Select "Web" from the dropdown, then paste in the callback URL the WATCHDESK administrator gave you. It looks like this:

https://watchdesk.org/auth/microsoft/YOUR_STATION_ID/callback

                            Important: Use the exact URL the WATCHDESK administrator provided — including your actual station ID number (not "YOUR_STATION_ID"). It must match perfectly or sign-in will not work.
                        

Complete the Registration

Click "Register". You'll be taken to the application's overview page. Stay on this page — you'll need it for the next step.

Part C

Copy the Application (Client) ID and Tenant ID

Copy the IDs from the Overview Page

On the overview page, you'll see two important values. Copy both of them and save them somewhere safe:

Application (client) ID — a UUID that looks like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Directory (tenant) ID — another UUID in the same format

Part D

Create a Client Secret

Navigate to Certificates & Secrets

In the left sidebar of your app registration, click "Certificates & secrets".

Create a New Client Secret

Click "+ New client secret" and fill in:

Description: type WATCHDESK
Expires: choose 24 months (recommended) or your preferred duration

Click "Add".

Copy the Secret Value Immediately

A new row will appear in the table. Look for the "Value" column (not the "Secret ID" column) and copy it right away.

                            Critical: You can only see this value once. If you navigate away from this page without copying it, you'll need to delete this secret and create a new one. Treat it like a password.
                        

Part E

Add API Permissions

Navigate to API Permissions

In the left sidebar, click "API permissions".

Verify the Default Permission

You should already see Microsoft Graph > User.Read listed as a delegated permission. This is added automatically and is all WATCHDESK needs.

If it's not listed, click "+ Add a permission" → "Microsoft Graph" → "Delegated permissions" → search for User.Read → check the box → click "Add permissions".

That's the only permission needed. WATCHDESK only reads the member's name and email address during sign-in. It does not access mail, files, calendars, or any other Microsoft 365 data.

Grant Admin Consent (Optional but Recommended)

Click "Grant admin consent for [your organization]" and confirm when prompted. This pre-approves the permission so your members won't see a consent popup on their first sign-in.

What to Send to the WATCHDESK Administrator

You're almost done — just send these items back

Once you've completed the Google Workspace setup above, send the following three items to the WATCHDESK administrator:

Client ID — the long string ending in .apps.googleusercontent.com
Client Secret — the shorter secret string
Your Google Workspace domain — e.g., yourdomain.org

Once you've completed the Microsoft 365 setup above, send the following four items to the WATCHDESK administrator:

Application (Client) ID — the UUID from the app overview page
Client Secret Value — the secret you copied (not the Secret ID)
Directory (Tenant) ID — the UUID from the app overview page
Your Microsoft 365 domain — e.g., yourdomain.org

                Security note: These credentials should be treated like passwords. Send them through a secure channel — a direct message, phone call, or encrypted email. Don't post them in a group chat or public forum.
            

That's it — you're done! The WATCHDESK administrator will configure your station and let you know when sign-in is ready. Members will go to watchdesk.org, select your station, and sign in with their existing department email.

Frequently Asked Questions

Common questions about this setup

Does this cost anything?

No. Google OAuth and Azure AD app registrations are both free with all Google Workspace and Microsoft 365 plans, including nonprofit editions. There are no API fees.

What data does WATCHDESK access?

Only the member's name and email address. WATCHDESK does not access emails, files, calendars, or any other Google Workspace or Microsoft 365 data.

Can people outside our organization sign in?

No. The "Internal" (Google) and "Single tenant" (Microsoft) settings restrict access to members of your organization only.

What if our Microsoft client secret expires?

Azure AD secrets have an expiration date you chose during setup. When it's about to expire, create a new secret in the Azure Portal under your app's Certificates & secrets page and send the new value to the WATCHDESK administrator. Google OAuth secrets do not expire.

Can we revoke access later?

Yes. You retain full control. Delete or disable the OAuth credentials in your Google Cloud Console or Azure Portal at any time to immediately prevent sign-in.