Configure Graph API in Microsoft Azure

The Graph API application in Microsoft Azure is used for gathering directory information (list of users, company, and subscription SKU info) and usage reports. To gather information via Graph API, the following information needs to be provided from Microsoft Azure:

  • Directory (tenant) Id

    The ID of the Microsoft Azure Active Directory to retrieve information from.

  • Application (client) Id

    The ID of the application that will connect to Microsoft Azure Active Directory, which in this case is the integration connector.

  • Application (client) secret

    The key that will be used as the secret in the connection to Microsoft Azure.

Create Azure Active Directory application

  1. Log in to the Microsoft Azure portal.

  2. In the main menu, select Azure Active Directory and then select App registrations.

  3. To create a new application, select New registration.

  4. Enter the following information:

    1. Enter Name for the application.

    2. Set Supported account types to Accounts in this organizational directory only.

    3. Set Redirect URI to Web and in the URI box enter http://localhost.

  5. Select Register to save the new application.

Add API access to Graph API and grant permissions

Add API access to Graph API and give the Graph API application permissions to read reports for all users in the Active Directory and access directory data (list of users, company, and subscription SKU info).

  1. In the main menu of the Microsoft Azure portal, select Azure Active Directory, and then select App registrations.

  2. Select All apps.

  3. Find and select the application you created in Create Azure Active Directory application.

  4. Select API Permissions.

  5. In the API Permissions view, select Add a permission.

  6. In the Request API permissions section, select Microsoft Graph.

  7. Configure Delegated permissions:

    1. Select Delegated permissions.

    2. Select offline_access in the list of permissions.

    3. Clear the User > User.Read permission, if it is selected.

  8. Configure Application permissions:

    1. Select Application permissions.

    2. Do one of the following:

      1. Select Directory > Directory.Read.All in the list of permissions.

      2. Select Organization > Organization.Read.All and User > User.Read.All in the list of permissions.

    3. If you want to collect last activity data for Microsoft 365 users, select Reports > Reports.Read.All in the list of permissions. This step is only required if the Include last activity checkbox is selected.

  9. Select Add permissions.

  10. Select Grant admin consent for [your company name].

    Note

    This step must be done by an admin user.

    M365APIPermissionsView.png

    An example of the API permissions view after admin consent is granted.

Locate Directory ID

  1. In the Microsoft Azure portal, navigate to the application you created.

  2. Copy the value in the Directory (tenant) ID box.

    Use it as the Directory Id when configuring the integration connector.


Locate Application ID

  1. In the Microsoft Azure portal, navigate to the application you created.

  2. Copy the value of the Application (client) ID.

    Use it as the Application id when configuring the integration connector.


Locate Application secret

  1. In the Microsoft Azure portal, navigate to the application you created.

  2. Select Certificates & secrets.

  3. Create a new client secret with the following information:

    1. Select New client secret.

    2. Set Description to sim_secret_key.

    3. Set Expires to Never.

  4. Select Add.

    The client secret is displayed.

    Note

    Copy the value of the client secret before you leave this screen.

  5. Use the client secret as the Application secret when configuring the integration connector.
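
One way to confirm that admin consent granted only the application permissions listed above is to inspect the roles claim of an app-only access token issued to the application. The Python below is an added example, not part of the original documentation or the integration connector; the function names and the sample token are constructed, and it assumes a token already obtained for Microsoft Graph with the Directory Id, Application Id and Application secret.

```python
import base64
import json

# Application permissions from the steps above: either set covers directory data.
DIRECTORY_OPTIONS = [{"Directory.Read.All"}, {"Organization.Read.All", "User.Read.All"}]
REPORTS_ROLE = "Reports.Read.All"  # only when "Include last activity" is selected


def decode_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is not validated."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(jwt, tenant_id, client_id, last_activity=False):
    """Compare the token's tenant, application and roles with the documented setup."""
    claims = decode_claims(jwt)
    roles = set(claims.get("roles", []))
    # Pick the documented option closest to what was granted: fewest missing
    # permissions first, then the largest overlap with the granted roles.
    chosen = min(DIRECTORY_OPTIONS, key=lambda o: (len(o - roles), -len(o & roles)))
    needed = set(chosen)
    if last_activity:
        needed.add(REPORTS_ROLE)
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        # v1 tokens carry the client ID in "appid", v2 tokens in "azp"
        "app_ok": (claims.get("appid") or claims.get("azp")) == client_id,
        "missing": sorted(needed - roles),
        "excess": sorted(roles - needed),  # granted beyond what the connector needs
    }


def sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed claims: placeholder IDs and one permission the steps never ask for.
    token = sample_token({"tid": "TENANT-ID", "appid": "CLIENT-ID",
                          "roles": ["Directory.Read.All", "Mail.Read"]})
    print(audit_token(token, "TENANT-ID", "CLIENT-ID", last_activity=True))
```

A non-empty excess list means the registration holds application permissions beyond those this procedure requires; a non-empty missing list usually means admin consent was not granted or a permission was skipped.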