Setting up Passly with Microsoft 365 uses the Microsoft Graph API to federate Microsoft 365.
App registration in Azure
To make requests with the Microsoft Graph API you need to register an app in the Azure Portal. Passly supports group synchronization using a daemon app registration in the Azure Portal.
To register a daemon application:
1. Click on Azure Active Directory.
2. Select App registrations in the left Manage panel.
3. Press New registration.
4. Type a name for your application, for example “daemon sync”.
5. Select the Supported account types for the application.
6. Press the Register button.
Azure AD assigns a unique application (client) ID to your app. You need to give permissions to your application. A daemon application can request only application permissions to APIs (not delegated permissions). On the API permissions page for the application registration, after you've selected Add a permission and chosen the API family (Microsoft Graph), choose Application permissions, and then select your permissions.
1. Select API permissions, and then select Add a permission.
2. On the Request API permissions page, locate Microsoft Graph.
3. On the Request API permissions page, select Application permissions, and then select the following permissions to enable the sync:
Group > Group.Create, Group.Read.All, Group.ReadWrite.All;
Domain > Domain.Read.All;
User > User.ReadWrite.All.
4. On the API permissions page for the application, select Grant admin consent so that the Status column of the permissions table shows “Granted for <domain_name>”.
Add a certificate (this certificate is created in Passly). As with any confidential client application, you need to add a secret or certificate to act as that application's credentials so it can authenticate as itself, without user interaction.
To get the certificate go to Passly SSO Manager > Application Library > Your Office 365 application > Signing and Encryption.
There should be a valid signing certificate. Press the download button to save it locally.
To upload a certificate to your Azure app registration:
Select Certificates & secrets > Certificates > Upload certificate
Select a previously downloaded certificate
Add a description
Check that the thumbprint of the uploaded certificate equals the one shown on the Passly tab.
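The thumbprint comparison above is easy to get wrong when one side shows colons or lower-case hex and the other does not. The following is an added example (not Passly's or Microsoft's code) that computes the SHA-1 thumbprint over the DER encoding of a downloaded certificate, which is the value the Azure portal displays, and compares it to a thumbprint string copied from the Passly tab after normalizing separators and case. The certificate bytes are a constructed placeholder, not a real X.509 certificate.

```python
import base64
import hashlib
import re
import textwrap

# Constructed placeholder bytes standing in for a DER-encoded certificate.
# This is NOT a real X.509 certificate; it only lets the example run offline.
SAMPLE_DER = bytes(range(256)) * 2


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-character lines), the format in which
    a downloaded signing certificate is commonly saved."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_PEM = der_to_pem(SAMPLE_DER)  # constructed sample file content


def load_der(data) -> bytes:
    """Accept PEM (str or bytes) or raw DER bytes and return DER bytes.
    The thumbprint is computed over the DER encoding, so PEM must be
    unwrapped and base64-decoded first."""
    if isinstance(data, bytes):
        if not data.lstrip().startswith(b"-----BEGIN"):
            return data  # already DER
        data = data.decode("ascii")
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes as upper-case hex without separators: the
    Thumbprint value the Azure portal shows for an uploaded certificate."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Strip the spaces and colons some certificate viewers insert and
    ignore case, so 'ab:cd' and 'AB CD' compare equal."""
    return re.sub(r"[\s:]", "", value).upper()


def thumbprints_match(shown_in_azure: str, shown_in_passly: str) -> bool:
    return normalize_thumbprint(shown_in_azure) == normalize_thumbprint(shown_in_passly)


if __name__ == "__main__":
    tp = thumbprint(load_der(SAMPLE_PEM))
    colon_form = ":".join(tp[i:i + 2] for i in range(0, len(tp), 2)).lower()
    print("computed thumbprint:", tp)
    print("matches colon-separated display:", thumbprints_match(tp, colon_form))
```

Run it against the real file by replacing SAMPLE_PEM with the contents of the downloaded certificate; a mismatch means the certificate uploaded to the app registration is not the one Passly will sign with, and authentication will fail at the verify step.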
To enable Microsoft Graph API go to SSO Manager > Application Library > Your Office 365 application.
Check Enable Microsoft Graph API (it’s available under a feature flag).
You need to fill in the following settings:
Client ID - the application (client) ID of the registered Azure Portal application
Tenant ID - the Azure AD tenant ID
To verify the settings press the Verify button. It sends a test authentication request. If the authentication request succeeds, Passly shows an “Is verified” message.
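A successful verify only proves that the daemon app can authenticate; it does not show whether admin consent granted exactly the application permissions listed above. The following added example (not part of Passly or of Microsoft's SDKs) inspects the claims of an access token issued to the daemon app and checks that the audience is Microsoft Graph, that tid and appid match the configured Tenant ID and Client ID, that no delegated scopes are present, and that the roles claim contains the guide's permissions and nothing more. The Client ID and Tenant ID values are placeholders, and the tokens are constructed and unsigned so the example runs offline; signature validation is deliberately out of scope here.

```python
import base64
import json

# Application permissions listed in the guide above (Microsoft Graph app roles).
REQUIRED_ROLES = {
    "Group.Create", "Group.Read.All", "Group.ReadWrite.All",
    "Domain.Read.All", "User.ReadWrite.All",
}
# Microsoft Graph appears as the token audience either by URL or by its
# well-known application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}

# Placeholders standing in for the Client ID and Tenant ID entered in Passly.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT
    verified here: this is an inspection aid for the verify step, not a
    substitute for validation by the code that consumes the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_daemon_token(token: str, client_id: str, tenant_id: str) -> dict:
    """Check that a token issued to the daemon app is bound to Graph, to the
    expected tenant and client, and carries exactly the application
    permissions the guide requires (no delegated scopes, no surplus roles)."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append("audience is not Microsoft Graph")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the configured Tenant ID")
    if claims.get("appid") != client_id:
        problems.append("appid does not match the configured Client ID")
    if "scp" in claims:
        problems.append("token carries delegated scopes (scp); a daemon app should hold only app roles")
    missing = sorted(REQUIRED_ROLES - roles)
    extra = sorted(roles - REQUIRED_ROLES)
    if missing:
        problems.append("missing application permissions: " + ", ".join(missing))
    if extra:
        problems.append("permissions beyond the guide's list (review for least privilege): " + ", ".join(extra))
    return {"ok": not problems, "problems": problems, "missing": missing, "extra": extra}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT from constructed claims so the example runs offline."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


# Constructed tokens: one as expected after admin consent, one with problems.
GOOD_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com", "tid": TENANT_ID, "appid": CLIENT_ID,
    "roles": sorted(REQUIRED_ROLES),
})
BAD_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com", "tid": TENANT_ID, "appid": CLIENT_ID,
    "scp": "User.Read",
    "roles": ["Group.Create", "Group.Read.All", "Group.ReadWrite.All",
              "Domain.Read.All", "Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, json.dumps(check_daemon_token(tok, CLIENT_ID, TENANT_ID), indent=2))
```

To use it with a real token, pass the access token the daemon app obtained for Graph together with the Client ID and Tenant ID you entered in Passly; an empty roles claim after a successful verify usually means admin consent has not been granted yet.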
Please see this guide.