Adding Microsoft 365 (GRAPH API)

Setting up Passly with Microsoft 365 uses the Microsoft Graph API to federate Microsoft 365.

Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources. To get more familiar visit Use the Microsoft Graph API - Microsoft Graph.

To know the details of working with groups using Microsoft Graph API visit Working with groups in Microsoft Graph - Microsoft Graph v1.0.

App registration in Azure

To make requests using Microsoft Graph API you need to register an app in Azure Portal. Passly supports a group synchronization using an daemon app registration in an Azure Portal. To register an daemon application. 

To Register an daemon application:

  1. Go to Azure Portal Microsoft Azure

  2. Click on Azure Active Directory.

  3. Select App registrations on the left manage panel.

  4. Press New registration.

  5. Type a name of your application, for example “daemon sync”.

  6. Select Supported account types for an application.

  7. Press Register button.

Detailed info how to register an app in Azure Portal Register your app with the Azure AD v2.0 endpoint - Microsoft Graph.

App permissions 

Azure AD assigns a unique application (client) ID to your app. You need to give permissions to your application. A daemon application can request only application permissions to APIs (not delegated permissions). On the API permissions page for the application registration, after you've selected Add a permission and chosen the API family (Microsoft Graph), choose Application permissions, and then select your permissions.


1. Select API permissions, and then select Add a permission.



2. On the Request API permissions page, locate Microsoft Graph.

Screenshot shows the Request A P I permissions page where you can select Azure Active Directory Graph.


3. On the Required permissions page, select Application Permissions. and then select below permissions to enable the sync

Group > Group.Create, Group.ReadAll, Group.ReadWriteAll;
Domain > Domain.Read.All.
User > User.ReadWrite.All


On the Reporting API Application - API Permissions page, select Grant admin consent so the s
tatus column of the permissions table contains “Granted for <domain_name>“ status.


App certificate 

(this is created in Passly)

As with any confidential client application, you need to add a secret or certificate to act as that application's credentials so it can authenticate as itself, without user interaction.

To get a certificate go to Passly SSO Manager > Application Library > Your Office 365 application > Singing and Encryption.

There should be a valid signing certificate. Press download button to save it locally.


To upload a certificate to your Azure app registration:

  1. Select Certificates & secrets > Certificates > Upload certificate

  2. Select a previously downloaded certificate

  3. Add a description

  4. Press Add

You can check the thumbprint of an uploaded certificate that should be equal to the one from Passly tab.


Detailed information on how to grant permissions and add a certificate Register daemon apps that call web APIs - Microsoft identity platform.

Passly setup

To enable Microsoft Graph API go to SSO Manager > Application Library > Your Office 365 application.

Check Enable Microsoft Graph API (it’s available under feature flag Feature.MicrosoftGraphApi).

You need to fill in the following settings:

  • Client ID - registered Azure Portal application id

  • Tenant ID - Azure AD tenant id

    To verify the settings press Verify button. It calls test authentication request. If the authentication request succeeded Passly shows Is verified message.

Troubleshooting Assistance

Please see this guide.




Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us
Provide feedback for the Documentation team!