App registration
To make requests to the Microsoft Graph API you need to register an app in the Azure Portal. To register an application:
- Go to the Azure Portal: https://portal.azure.com/#home
- Click on Azure Active Directory
- Select App registrations in the Manage panel on the left
- Press New registration
- Type a name for your application, for example “passly app”
- Select the Supported account types for the application
- Press the Register button
Detailed information on how to register an app in the Azure Portal: Register your app with the Azure AD v2.0 endpoint - Microsoft Graph.
App Permissions
Azure AD assigns a unique application (client) ID to your app. You need to give permissions to your application. A daemon application can request only application permissions to APIs (not delegated permissions). On the API permissions page for the application registration, after you've selected Add a permission and chosen the API family (Microsoft Graph), choose Application permissions, and then select your permissions.
To enable sync you need to select the following application permissions:
- Group > Group.ReadWrite.All
- Domain > Domain.ReadWrite.All
- User > User.ReadWrite.All
- Directory > Directory.ReadWrite.All
Then press Grant admin consent, so that the Status column of the permissions table shows “Granted for <domain_name>” for each permission.
Roles And Administrators
The app registration must be a member of the Global Administrator role to be able to federate a domain. In the Azure Portal, go to Azure Active Directory > Roles and administrators and search for the Global Administrator role.
Select that role and click on Add assignments. Search for your app registration name “passly app”, select it and press Add.
App Certificate
As with any confidential client application, you need to add a secret or certificate to act as that application's credentials so it can authenticate as itself, without user interaction.
To get a certificate, go to Passly SSO Manager > Application Library > Your Office 365 application > Signing and Encryption.
There should be a valid signing certificate. Press the download button to save it locally.
To upload a certificate to your Azure app registration:
- Select Certificates & secrets > Certificates > Upload certificate
- Select the previously downloaded certificate
- Add a description
- Press Add
You can check the thumbprint of the uploaded certificate; it should be equal to the thumbprint shown on the Passly Signing and Encryption tab.
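The thumbprint comparison above can be done locally before the certificate is trusted for daemon authentication. The following is an added example, not Passly's or Microsoft's code: it reads a PEM certificate, computes the SHA-1 thumbprint in the form the Azure Portal displays, tolerates the separator and case variations the portal and Passly may use, and also derives the base64url `x5t` value that a certificate-credential client assertion carries so Azure can pick the matching registered certificate. The PEM content is a constructed placeholder, not a real X.509 certificate; point `der_from_pem` at the downloaded Passly certificate for a real check.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes standing in for a DER-encoded certificate
# (assumption: only the PEM framing and hashing matter for this check).
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (used only to build the sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


SAMPLE_PEM = pem_from_der(SAMPLE_DER)


def der_from_pem(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER encoding as upper-case hex, the form the Azure Portal shows."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex and return upper-case hex."""
    return re.sub(r"[^0-9a-fA-F]", "", value).upper()


def thumbprint_matches(pem: str, portal_thumbprint: str) -> bool:
    """True when the certificate's thumbprint equals the one shown in Azure/Passly."""
    return thumbprint(der_from_pem(pem)) == normalize_thumbprint(portal_thumbprint)


def x5t(der: bytes) -> str:
    """base64url(SHA-1 of DER) without padding: the 'x5t' JWT header value that a
    certificate-based client assertion carries so Azure selects the right cert."""
    digest = hashlib.sha1(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    print("thumbprint:", thumbprint(SAMPLE_DER))
    print("x5t:       ", x5t(SAMPLE_DER))
```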
Detailed information on how to grant permissions and add a certificate: Register daemon apps that call web APIs - Microsoft Entra.
Passly setup
To use Microsoft Graph federation, go to SSO Manager > Application Library > Your Office 365 application.
Select the Microsoft Graph option for federation.
You need to fill in the following settings:
- Client ID: the application (client) ID of the app registered in the Azure Portal
- Tenant ID: the Azure AD tenant ID
- Domain: the domain to federate