App registration
To make requests using Microsoft Graph API you need to register an app in Azure Portal. To register an application:
- Go to Azure Portal https://portal.azure.com/#home
- Click on Azure Active Directory
- Select App registrations on the left Manage panel
- Press New registration
- Type a name for your application, for example “passly app”
- Select Supported account types for the application
- Press the Register button
Detailed information on how to register an app in Azure Portal: Register your app with the Azure AD v2.0 endpoint - Microsoft Graph.
App Permissions
Azure AD assigns a unique application (client) ID to your app. You need to give permissions to your application. A daemon application can request only application permissions to APIs (not delegated permissions). On the API permissions page for the application registration, after you've selected Add a permission and chosen the API family (Microsoft Graph), choose Application permissions, and then select your permissions.
To enable sync you need to select:
- Group > Group.ReadWrite.All
- Domain > Domain.ReadWrite.All
- User > User.ReadWrite.All
- Directory > Directory.ReadWrite.All
Then press Grant admin consent so that the Status column of the permissions table shows “Granted for <domain_name>” for each permission.
App Certificate
As with any confidential client application, you need to add a secret or certificate to act as that application's credentials so it can authenticate as itself, without user interaction.
To get a certificate go to Passly SSO Manager > Application Library > Your Office 365 application > Signing and Encryption.
There should be a valid signing certificate. Press the Download button to save it locally.
To upload a certificate to your Azure app registration:
- Select Certificates & secrets > Certificates > Upload certificate
- Select the previously downloaded certificate
- Add a description
- Press Add
After the upload, check that the thumbprint Azure shows for the certificate is equal to the one displayed on the Passly Signing and Encryption tab; a mismatch means a different certificate was uploaded and Passly will not be able to authenticate as the app.
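As an added example (not part of the Passly documentation or of any Azure tooling), the thumbprint comparison can be done locally before trusting the portal value: the script below computes the SHA-1 thumbprint of the downloaded certificate file and compares it with the value copied from Azure. It assumes the file is either a DER (.cer) or a PEM export and that Azure displays the SHA-1 thumbprint as hex, which is what the Certificates tab shows.

```python
import base64
import hashlib
import re
import sys

# Matches the first CERTIFICATE block of a PEM file (assumption: one cert per file).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def load_der(data: bytes) -> bytes:
    """Accept either a raw DER (.cer) file or a PEM (.crt/.pem) file."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(data.decode("ascii"))
    return data


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, uppercase hex, as Azure displays it."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize(tp: str) -> str:
    """Strip colons/spaces some tools insert and ignore letter case.
    Rejects values that are not 40 hex digits, e.g. a SHA-256 fingerprint
    pasted by mistake, so a wrong hash type cannot silently 'not match'."""
    clean = re.sub(r"[^0-9A-Fa-f]", "", tp).upper()
    if len(clean) != 40:
        raise ValueError(f"expected a 40-hex-digit SHA-1 thumbprint, got {len(clean)} digits")
    return clean


def matches_azure(cert_file_bytes: bytes, azure_thumbprint: str) -> bool:
    """True when the local certificate's thumbprint equals what Azure shows."""
    return thumbprint(load_der(cert_file_bytes)) == normalize(azure_thumbprint)


if __name__ == "__main__":
    # usage: python check_thumbprint.py <cert file> <thumbprint copied from Azure>
    with open(sys.argv[1], "rb") as f:
        ok = matches_azure(f.read(), sys.argv[2])
    print("thumbprint matches" if ok else "THUMBPRINT MISMATCH: wrong certificate uploaded")
    sys.exit(0 if ok else 1)
```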
Detailed information on how to grant permissions and add a certificate: Register daemon apps that call web APIs - Microsoft Entra.
Passly setup
To use Microsoft Graph Federation go to SSO Manager > Application Library > Your Office 365 application.
Select the Microsoft Graph option for federation.
You need to fill in the following settings:
- Client ID - the application (client) ID of the registered Azure Portal application
- Tenant ID - the Azure AD tenant ID
- Domain - the domain to federate