Register a Microsoft 365 Application for Token Vault

To register a Microsoft 365 application for Token Vault, you need to specify certain properties of this Azure Active Directory application: the Application (client) ID, the Client secret and the Redirect URI.

This topic describes the first configuration task in the process of setting up an Exchange or SharePoint connector or a Microsoft 365 email inbox watcher via POP3/IMAP to use modern authentication.

Perform this task at the Microsoft Identity Platform (Azure Active Directory) admin center.

  1. Navigate to https://portal.azure.com.

    Your organization may use a national cloud because of data residency or compliance requirements. In this case, navigate to the corresponding national cloud Azure AD portal endpoint instead.

  2. Log in with an existing Microsoft 365 account.
  3. Select Azure Active Directory in the left navigation pane.
  4. Select App registrations.

    The App registrations page opens.

  5. Click the New registration button to register a new application.

    The Register an application page opens.

  6. Fill out the registration information for the application:
    1. Specify a Name for the application.

      The authorization process shows this name when asking end users to grant permissions for the application to access their cloud resources, so it is advised to pick a meaningful name.

    2. Choose an account type under Supported account types.

      When you later register a Microsoft 365 Authorization Provider in Token Vault, its Supported account type and Tenant name settings must match the account type you choose here.

    3. From the Redirect URI (optional) list, choose the Web type and enter the URI corresponding to your Token Vault configuration in the following format:

      https://<FQDN>:<port>/callback

      where:

      • FQDN is the fully qualified domain name of the Token Vault machine.

      • port is the value of the HTTPS Port setting configured on the Token Vault Server Settings page when HTTPS is used.

      For example: https://tokenvaultmachine.testdomain.com:8381/callback.

      This URI must be the same as the Redirect URI displayed by Token Vault on the Authorization Provider registration page.

  7. Click Register.

    The new application is created with the specified name and a generated Application (client) ID but the application does not have any certificate or secret yet.

  8. Copy the Application (client) ID for later use.

    This is required for the creation of a new Microsoft 365 Authorization Provider in Token Vault.

  9. Select Certificates & secrets in the menu on the left.
  10. Click the New client secret button in the panel on the right to generate a new client secret for the application.
  11. Specify a Description and select the expiry option according to your policy requirements.
  12. Click the Add button.
  13. Copy the newly generated client secret value for later use.

    This is another required application property for registering a Microsoft 365 Authorization Provider in Token Vault.

    You can only copy the client secret at this point in the workflow. After you leave this page you are not able to retrieve it. If you leave this page without copying the client secret, you must repeat the corresponding steps above and create a new one.
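The Redirect URI entered in step 6 must match the one Token Vault displays exactly, and a mismatch only surfaces later as a failed authorization. The following check, an added example that is not part of the product documentation, parses a candidate Redirect URI and reports every way it deviates from the required `https://<FQDN>:<port>/callback` form; the FQDN and port values are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample Token Vault settings (not a real host).
TOKEN_VAULT_FQDN = "tokenvaultmachine.testdomain.com"
TOKEN_VAULT_HTTPS_PORT = 8381
EXPECTED_PATH = "/callback"


def expected_redirect_uri(fqdn: str, https_port: int) -> str:
    """Build the Redirect URI Token Vault expects: https://<FQDN>:<port>/callback."""
    return f"https://{fqdn}:{https_port}{EXPECTED_PATH}"


def check_redirect_uri(candidate: str, fqdn: str, https_port: int) -> list[str]:
    """Return the problems found in a Redirect URI typed into the app registration.

    An empty list means the URI matches the Token Vault configuration exactly.
    Scheme and host are compared case-insensitively; port and path must match exactly.
    """
    problems = []
    parts = urlsplit(candidate.strip())
    if parts.scheme.lower() != "https":
        problems.append(f"scheme must be https, got {parts.scheme or '<none>'!r}")
    host = (parts.hostname or "").lower()
    if host != fqdn.lower():
        problems.append(f"host must be the Token Vault FQDN {fqdn!r}, got {host!r}")
    try:
        port = parts.port  # None when no port is given; ValueError when not numeric
    except ValueError:
        port = None
        problems.append("port is not a valid number")
    if port is None:
        problems.append("port is missing; it must be the Token Vault HTTPS Port setting")
    elif port != https_port:
        problems.append(f"port must be {https_port} (HTTPS Port setting), got {port}")
    if parts.path != EXPECTED_PATH:
        problems.append(f"path must be exactly {EXPECTED_PATH!r}, got {parts.path!r}")
    if parts.query or parts.fragment:
        problems.append("redirect URI must not carry a query string or fragment")
    return problems


if __name__ == "__main__":
    for uri in (expected_redirect_uri(TOKEN_VAULT_FQDN, TOKEN_VAULT_HTTPS_PORT),
                "http://tokenvaultmachine.testdomain.com/callback/"):
        print(uri, "->", check_redirect_uri(uri, TOKEN_VAULT_FQDN, TOKEN_VAULT_HTTPS_PORT) or "OK")
```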

Still in the Microsoft Identity Platform (Azure Active Directory) admin center, set the permissions of the Microsoft 365 application depending on which eCopy ShareScan connectors and/or email inbox watchers you want to configure with Microsoft 365 and modern authentication. Add only those permissions that are required.

Use eCopy ShareScan Exchange Connector with Microsoft 365 and modern authentication:

To use eCopy ShareScan Exchange Connector, configure the permissions by doing the following:

  1. Select API permissions in the menu on the left and click the Add a permission button on the API permissions page.
  2. Click Microsoft Graph under the Commonly used Microsoft APIs group on the Request API permissions page. The Microsoft Graph API is displayed on the Request API Permissions page.
  3. Select Delegated permissions.
  4. Locate the EWS permission group and select the EWS.AccessAsUser.All check box.
  5. Click the Add permissions button to complete the permission configuration process.

Use eCopy ShareScan SharePoint Connector with Microsoft 365 and modern authentication:

To use eCopy ShareScan SharePoint Connector with Microsoft 365 and modern authentication, configure the permissions by doing the following:

  1. Select API permissions in the menu on the left and click the Add a permission button on the API permissions page.
  2. Locate SharePoint under the Commonly used Microsoft APIs group on the Request API permissions page and click it. The SharePoint API is displayed on the Request API Permissions page.
  3. Select Delegated permissions.
  4. Locate the AllSites permission group and select the AllSites.Write check box.
  5. Locate the MyFiles permission group and select the MyFiles.Write check box to allow the application to access OneDrive for Business resources.
  6. Locate the TermStore permission group and select the TermStore.Read.All check box to allow the application to read managed metadata. This permission is required if Managed metadata columns are configured and used in your SharePoint Online tenant. This permission requires admin consent.
  7. Click the Add permissions button.

    There might be a delay between permissions being configured and when they appear on the consent prompt.

  8. If you selected the TermStore.Read.All permission, then once the permissions are configured and appear on the consent prompt, click the Grant admin consent for… button to allow this app to read managed metadata.
  9. The application now has permissions to access SharePoint Online resources.

    If sensitivity labels are configured and used in your SharePoint Online tenant, and you want to use them in the eCopy ShareScan SharePoint connector as well, additional permissions must be configured. Continue with step 10.

  10. On the API permissions page, click the Add a permission button.
  11. On the Select an API page, click APIs my organization uses.

    In the search field, type Microsoft Information Protection Sync Service, and select it.

  12. Select Delegated permissions on the Request API Permissions page.
  13. Locate the UnifiedPolicy permission group and select the UnifiedPolicy.User.Read check box to allow the application to read the user's sensitivity labels and to set sensitivity labels without protection settings on documents.
  14. Click the Add permissions button.
  15. Stay on the API permissions page and click the Add a permission button.
  16. Under the Commonly used Microsoft APIs group on the Request API permissions page, locate Azure Rights Management Services, and select it.

    The Azure Rights Management Services API is shown on the Request API Permissions page.

  17. Select Delegated permissions.
  18. Locate the Permissions permission group, and select the user_impersonation check box to allow the application to apply a user sensitivity label configured with protection settings on documents.

    This permission is required if sensitivity labels with protection settings are configured and used in your SharePoint Online tenant.

Use eCopy ShareScan email inbox watcher via POP3 with Microsoft 365 email server and modern authentication:

To use eCopy ShareScan email inbox watcher via POP3 with Microsoft 365 email server and modern authentication, configure the permissions by doing the following:

  1. Select API permissions in the menu on the left and click the Add a permission button on the API permissions page.
  2. Click Microsoft Graph under the Commonly used Microsoft APIs group on the Request API permissions page. The Microsoft Graph API is displayed on the Request API Permissions page.
  3. Select Delegated permissions.
  4. Locate the POP permission group and select the POP.AccessAsUser.All check box.
  5. Click the Add permissions button.

Use eCopy ShareScan email inbox watcher via IMAP with Microsoft 365 email server and modern authentication:

To use eCopy ShareScan email inbox watcher via IMAP with Microsoft 365 email server and modern authentication, configure the permissions by doing the following:

  1. Select API permissions in the menu on the left and click the Add a permission button on the API permissions page.
  2. Click Microsoft Graph under the Commonly used Microsoft APIs group on the Request API permissions page. The Microsoft Graph API is displayed on the Request API Permissions page.
  3. Select Delegated permissions.
  4. Locate the IMAP permission group and select the IMAP.AccessAsUser.All check box.
  5. Click the Add permissions button.

Use eCopy ShareScan Notification service with Microsoft 365 SMTP server and modern authentication:

To use eCopy ShareScan Notification service with Microsoft 365 SMTP server and modern authentication, configure the permissions by doing the following:

  1. Select API permissions in the menu on the left and click the Add a permission button on the API permissions page.
  2. Click Microsoft Graph under the Commonly used Microsoft APIs group on the Request API permissions page. The Microsoft Graph API is displayed on the Request API Permissions page.
  3. Select Delegated permissions.
  4. Locate the SMTP permission group and select the SMTP.Send check box.
  5. Click the Add permissions button.
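The sections above each add a small set of delegated permissions, and the rule is to grant only what the enabled features need. The following least-privilege audit, an added example that is not part of the product documentation, encodes the permission lists from these sections per feature (the feature keys are made-up names) and compares them against the (api, permission) pairs read off the app's API permissions page, reporting what is missing, what is excess, and which needed permission requires admin consent.

```python
# Delegated permissions listed on this page per eCopy ShareScan feature, keyed by API.
# Feature keys are made-up labels used only for this example.
REQUIRED_PERMISSIONS = {
    "exchange_connector": {"Microsoft Graph": {"EWS.AccessAsUser.All"}},
    "sharepoint_connector": {"SharePoint": {"AllSites.Write", "MyFiles.Write"}},
    "sharepoint_managed_metadata": {"SharePoint": {"TermStore.Read.All"}},
    "sharepoint_sensitivity_labels": {
        "Microsoft Information Protection Sync Service": {"UnifiedPolicy.User.Read"},
    },
    "sharepoint_protected_labels": {"Azure Rights Management Services": {"user_impersonation"}},
    "pop3_inbox_watcher": {"Microsoft Graph": {"POP.AccessAsUser.All"}},
    "imap_inbox_watcher": {"Microsoft Graph": {"IMAP.AccessAsUser.All"}},
    "notification_service": {"Microsoft Graph": {"SMTP.Send"}},
}

# The one permission this page says needs admin consent.
ADMIN_CONSENT_REQUIRED = {("SharePoint", "TermStore.Read.All")}


def required_for(features):
    """Union of (api, permission) pairs needed by the enabled features."""
    needed = set()
    for feature in features:
        if feature not in REQUIRED_PERMISSIONS:
            raise ValueError(f"unknown feature: {feature}")
        for api, perms in REQUIRED_PERMISSIONS[feature].items():
            needed.update((api, p) for p in perms)
    return needed


def audit(features, configured):
    """Compare the app's configured permissions against what the features need.

    `configured` is an iterable of (api, permission) pairs as shown on the API
    permissions page. Returns (missing, excess, needs_admin_consent), each sorted,
    so excess entries can be removed and missing ones added before consent is granted.
    """
    needed = required_for(features)
    have = set(configured)
    return (sorted(needed - have), sorted(have - needed), sorted(needed & ADMIN_CONSENT_REQUIRED))


if __name__ == "__main__":
    # Constructed sample: SharePoint connector with managed metadata, but an Exchange
    # permission left over from an earlier configuration and MyFiles.Write not yet added.
    configured = [("SharePoint", "AllSites.Write"), ("Microsoft Graph", "EWS.AccessAsUser.All")]
    print(audit(["sharepoint_connector", "sharepoint_managed_metadata"], configured))
```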