Graph API Connector Prerequisites
Overview
Reveal supports integration with MS Teams for in-place preservation and data collection. This document describes the prerequisites for integrating Reveal with MS Teams.
Information Required for Integration
The following details are required for configuring the O365 Office connector in Reveal.
Service account username and password; the account must have been assigned the following role:
eDiscovery Manager
Note:
Disable multi-factor authentication for the service account.
Client ID and Tenant ID of the registered application in Azure.
Client secret generated for the application.
The sections below describe the steps to be carried out in O365 Office for integration with Reveal.
Create a Service Account in Office 365
To create a new Office 365 user, go to Users > Active users in the Office 365 admin center and click Add a user.
Enter the details of the new user and click Finish Adding. The user will now appear in the list of active users.
Navigate to Permissions - Security & Compliance (office.com). Select eDiscovery Manager and click on Edit.
Figure: Edit eDiscovery Manager
Search for the service account to be added under eDiscovery Manager and choose the service account.
Figure: Add Service Accounts to eDiscovery Manager
Register Application in Azure
Registering an application establishes a trust relationship between the app and the Microsoft identity platform. The trust is unidirectional: the app trusts the Microsoft identity platform, and not the other way around.
Follow the steps given below to create the app registration:
Sign in to the Azure portal.
If access to multiple tenants is available, from the top menu, use the Directory + subscription filter to select the tenant in which the application is to be registered.
Search for and select Azure Active Directory.
Figure: Microsoft Azure Services
Under Manage, select App registrations > New registration.
Figure: New Registration
Enter a Display Name for the application. Users of the application might see the display name when they use the app, for example during sign-in. The display name can be changed at any time and multiple app registrations can share the same name. The app registration's automatically generated Application (client) ID, not its display name, uniquely identifies the app within the identity platform.
Figure: App Registration - Part 1
Figure: App Registration - Part 2
For the supported account types (in some places labelled Sign-in audience), specify Accounts in this organizational directory only, so that only accounts in this tenant can use the application.
Leave Redirect URI (optional) empty at this stage; the next section describes how to configure a redirect URI.
Select Register to complete the initial app registration.
Add a Redirect URI
A redirect URI is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication. In a production web application, for example, the redirect URI is often a public endpoint where the app is running.
Figure: Redirect URI
Mobile and Desktop Applications
Select one of the suggested redirect URIs. For desktop applications using embedded browsers, https://login.microsoftonline.com/common/oauth2/nativeclient must be checked.
Select Configure to complete the platform configuration.
Add a Client Secret
The client secret is also known as an application password. It is a string value the app can use in place of a certificate to identify itself. The client secret is the easier of the two credential types to use.
To add a Client Secret, first select the application from App registrations in the Azure portal. Then follow the steps given below.
Select Certificates & secrets.
Select New client secret.
Add a Description and an Expiry for your client secret.
Select Add.
Record the secret's value for use in the client application code.
This secret value is never displayed again after leaving this page.
Figure: Certificates and Secrets
Add Permissions to Access Microsoft Graph
Configure delegated permissions to Microsoft Graph to enable the client application to perform operations on behalf of the signed-in user, such as reading their email or modifying their profile. By default, users of the client app are asked, when they sign in, to consent to the delegated permissions configured for it.
To configure permissions:
Choose API permissions to view the options.
Select Add a permission > Microsoft Graph.
Figure: Add Permission - Microsoft Graph
Select Delegated permissions. Microsoft Graph exposes many permissions, with the most commonly used shown at the top of the list.
Figure: Delegated Permissions
Under Select permissions, select the delegated permissions listed in the table below. Then switch to Application permissions (the option next to Delegated permissions) and select the application permissions listed in the table below.
API / Permissions name | Type | Description | Admin consent required |
Group.Read.All | Application | Read all groups | Yes |
User.Read.All | Application | Read all users' full profiles | Yes |
User.Read.All | Delegated | Sign in and read user profile | No |
Sites.Read.All | Application | Read Items in All Site Collections | Yes |
EDiscovery.ReadWrite.All | Delegated | Read and Write All eDiscovery objects | Yes |
Directory.Read.All | Application | Read Directory Data | Yes |
EDiscovery.Read.All | Delegated | Read Case, Custodian Data | Yes |
Files.Read.All | Delegated | List all files that user can access | No |
Group.Read.All | Delegated | Read all groups | Yes |
User.Read | Delegated | Sign in and read user profile | No |
Sites.FullControl.All | Application | Have full control of all site collections | Yes |
User.ReadWrite.All | Application | Read and write all users' full profiles | Yes |
eDiscovery.Download.Read | Delegated | Download all export set | Yes |
Figure: Configured Permissions
Add Permissions for collection using Microsoft Graph
One more permission, named eDiscovery.Download.Read, must be added to the enterprise app.
To add this permission, open the same app that was created earlier in Register Application in Azure.
After opening the app to configure permissions:
Choose API permissions to view the options.
Select Add a permission > APIs my organization uses.
Select MicrosoftPurviewEDiscovery, then Delegated permissions, then eDiscovery.Download.Read.
Note:
If MicrosoftPurviewEDiscovery is not visible or searchable by name, search for “b26e684c-5068-4120-a679-64a5d2c909d9” instead.
Figure: Add Permission - Microsoft Graph
Figure: APIs my organization uses
Figure: Delegated permissions- eDiscovery.Download.Read
Grant admin consent for this permission. The final configured permissions should be:
API / Permissions name | Type | Description | Admin consent required |
Group.Read.All | Application | Read all groups | Yes |
User.Read.All | Application | Read all users' full profiles | Yes |
User.Read.All | Delegated | Sign in and read user profile | No |
Sites.Read.All | Application | Read Items in All Site Collections | Yes |
EDiscovery.ReadWrite.All | Delegated | Read and Write All eDiscovery objects | Yes |
Directory.Read.All | Application | Read Directory Data | Yes |
EDiscovery.Read.All | Delegated | Read Case, Custodian Data | Yes |
Files.Read.All | Delegated | List all files that user can access | No |
Group.Read.All | Delegated | Read all groups | Yes |
User.Read | Delegated | Sign in and read user profile | No |
Sites.FullControl.All | Application | Have full control of all site collections | Yes |
User.ReadWrite.All | Application | Read and write all users' full profiles | Yes |
eDiscovery.Download.Read | Delegated | Download all export set | Yes |
Either way, you should end up with an app registration that has been granted the permissions needed to obtain tokens for this resource; the list of configured permissions above shows the expected end result.
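Once admin consent is granted, it is worth confirming that a token actually issued to the app carries the permissions from the two tables above, rather than trusting the portal view alone. The script below is an added example, not part of this document or of Reveal's tooling: it parses the claims of a Microsoft Graph access token (a constructed, unsigned sample is embedded so it runs offline) and reports which required application permissions (roles claim) or delegated permissions (scp claim) are missing. It does not verify the token signature; it is a configuration check, not token validation.

```python
import base64
import json

# Graph permissions from the tables on this page, grouped by where they appear in a token:
# application permissions land in the "roles" claim of a client-credentials token,
# delegated permissions in the "scp" claim of a token obtained for a signed-in user.
# eDiscovery.Download.Read belongs to the MicrosoftPurviewEDiscovery resource, so it is
# issued in a separate token with a different audience and is not checked here.
REQUIRED_APP_ROLES = {
    "Group.Read.All", "User.Read.All", "Sites.Read.All", "Directory.Read.All",
    "Sites.FullControl.All", "User.ReadWrite.All",
}
REQUIRED_DELEGATED_SCOPES = {
    "User.Read.All", "eDiscovery.ReadWrite.All", "eDiscovery.Read.All",
    "Files.Read.All", "Group.Read.All", "User.Read",
}
# Graph tokens carry either the resource URL or the well-known Graph application ID as "aud".
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_graph_token(token: str) -> dict:
    """Report which permissions required by this page are absent from the token."""
    claims = token_claims(token)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError(f"not a Microsoft Graph token: aud={claims.get('aud')!r}")
    if "scp" in claims:  # delegated token: scopes are a space-separated string
        flow, granted, required = "delegated", claims["scp"].split(), REQUIRED_DELEGATED_SCOPES
    else:                # app-only token: app roles are a list
        flow, granted, required = "application", claims.get("roles", []), REQUIRED_APP_ROLES
    granted_ci = {p.lower() for p in granted}  # compare names case-insensitively
    return {"flow": flow, "missing": sorted(p for p in required if p.lower() not in granted_ci)}

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

if __name__ == "__main__":
    # Constructed app-only token where Directory.Read.All has not been consented yet.
    sample = make_sample_token({"aud": "https://graph.microsoft.com", "roles": [
        "Group.Read.All", "User.Read.All", "Sites.Read.All", "Sites.FullControl.All", "User.ReadWrite.All"]})
    print(check_graph_token(sample))
```

With a real token, paste the access token string in place of the constructed sample; an empty "missing" list for both the application and the delegated flow means the consented permissions match the tables.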
Add Permissions for SharePoint
To add SharePoint API permissions, select Add a permission, choose the SharePoint API, and add the permissions listed below.
API / Permissions name | Type | Description | Admin consent required |
Sites.Read.All | Application | Read items in all site collections | Yes |
User.Read.All | Delegated | Read user profiles | Yes |
User.Read.All | Application | Read user profiles | Yes |
User.ReadWrite.All | Application | Read and write user profiles | Yes |