Register a Microsoft 365 Application for Token Vault
To register a Microsoft 365 application for Token Vault, you need to specify certain properties of this Azure Active Directory application: the Application (client) ID, the Client secret and the Redirect URI.
This topic describes the first configuration task in the process of setting up an Exchange or SharePoint connector or a Microsoft 365 email inbox watcher via POP3/IMAP to use modern authentication.
Perform this task at the Microsoft Identity Platform (Azure Active Directory) admin center.
- Navigate to https://portal.azure.com.
Your organization may use a national cloud because of data residency or compliance requirements. In this case, navigate to the corresponding national cloud Azure AD portal endpoint instead:
  - https://portal.azure.us – for Azure AD for US Government.
  - https://portal.microsoftazure.de – for Azure AD Germany.
  - https://portal.azure.cn – for Azure AD China operated by 21Vianet.
- Log in with an existing Microsoft 365 account.
- Select Azure Active Directory in the left navigation pane.
- Select App registrations. The App registrations page opens.
- Click the New registration button to register a new application. The Register an application page opens.
- Fill out the registration information of the application:
  - Specify a Name for the application. The authorization process shows this name when asking end users to grant permissions for the application to access their cloud resources, so it is advised to pick a meaningful name.
  - Choose an account type under Supported account types. While registering a Microsoft 365 Authorization provider in Token Vault, the Supported account type and Tenant name must be configured according to this application property.
  - From the Redirect URI (optional) list, choose the Web type and enter the URI corresponding to your Token Vault configuration in the following format:
    https://<FQDN>:<port>/callback
    where:
    - FQDN is the fully qualified domain name of the Token Vault machine.
    - port is the value of the HTTPS Port setting configured on the Token Vault Server Settings page when HTTPS is used.
    For example: https://tokenvaultmachine.testdomain.com:8381/callback.
    This URI must be the same as the Redirect URI displayed by Token Vault on the Authorization Provider registration page.
- Click Register. The new application is created with the specified name and a generated Application (client) ID, but the application does not have any certificate or secret yet.
- Copy the Application (client) ID for later use. It is required for the creation of a new Microsoft 365 Authorization Provider in Token Vault.
- Select Certificates & secrets in the menu on the left.
- Click the New client secret button in the panel on the right to generate a new client secret for the application.
- Specify a Description and select the expiry option according to your policy requirements.
- Click the Add button.
- Copy the newly generated client secret value for later use.
This is another required application property for registering a Microsoft 365 Authorization Provider in Token Vault.
You can only copy the client secret at this point in the workflow. After you leave this page, you will not be able to retrieve it. If you leave this page without copying the client secret, you must repeat the corresponding steps above and create a new one.
Still in the Microsoft Identity Platform (Azure Active Directory) admin center, set the permissions of the Microsoft 365 application depending on which eCopy ShareScan connectors and/or email inbox watchers you want to configure with Microsoft 365 and modern authentication. Add only those permissions that are required.
Use eCopy ShareScan Exchange Connector with Microsoft 365 and modern authentication:
To use eCopy ShareScan Exchange Connector, configure the permissions by doing the following:
- Select API permissions in the menu on the left and click the Add a permission button on the API permissions page.
- Click Microsoft Graph under the Commonly used Microsoft APIs group on the Request API permissions page. The Microsoft Graph API is displayed on the Request API Permissions page.
- Select Delegated permissions.
- Locate the EWS permission group and select the EWS.AccessAsUser.All check box.
- Click the Add permissions button to complete the permission configuration process.
Use eCopy ShareScan SharePoint Connector with Microsoft 365 and modern authentication:
To use eCopy ShareScan SharePoint Connector with Microsoft 365 and modern authentication, configure the permissions by doing the following:
- Select API permissions in the menu on the left and click the Add a permission button on the API permissions page.
- Locate SharePoint under the Commonly used Microsoft APIs group on the Request API permissions page and click it. The SharePoint API is displayed on the Request API Permissions page.
- Select Delegated permissions.
- Locate the AllSites permission group and select the AllSites.Write check box.
- Locate the MyFiles permission group and select the MyFiles.Write check box to allow the application to access OneDrive for Business resources.
- Locate the TermStore permission group and select the TermStore.Read.All check box to allow the application to read managed metadata. This permission is required if managed metadata columns are configured and used in your SharePoint Online tenant. Admin consent is required for this permission.
- Click the Add permissions button. There might be a delay between the permissions being configured and their appearance on the consent prompt.
- If you selected the TermStore.Read.All permission, wait until the permissions are configured and appear on the consent prompt, then click the Grant admin consent for… button to allow this app to read managed metadata.
The application now has permissions to access SharePoint Online resources.
If sensitivity labels are configured and used in your SharePoint Online tenant, and you want to use them in the eCopy ShareScan SharePoint connector as well, additional permissions must be configured. Continue with step 10 below to do so.
- On the API permissions page, click the Add a permission button.
- On the Select an API page, click APIs my organization uses. In the search field, type Microsoft Information Protection Sync Service, and select it.
- Select Delegated permissions on the Request API Permissions page.
- Locate the UnifiedPolicy permission group and select the UnifiedPolicy.User.Read check box to allow the application to get user sensitivity labels, and set sensitivity label without protection settings on documents.
- Click the Add permissions button.
- Stay on the API permissions page, and click the Add a permission button.
- Under the Commonly used Microsoft APIs group on the Request API permissions page, locate Azure Rights Management Services and select it. The Azure Rights Management Services API is shown on the Request API Permissions page.
- Select Delegated permissions.
- Locate the Permissions permission group, and select the user_impersonation check box to allow the application to apply a user sensitivity label configured with protection settings on documents. This permission is required if sensitivity labels with protection settings are configured and used in your SharePoint Online tenant.
Use eCopy ShareScan email inbox watcher via POP3 with Microsoft 365 email server and modern authentication:
To use eCopy ShareScan email inbox watcher via POP3 with Microsoft 365 email server and modern authentication, configure the permissions by doing the following:
- Select API permissions in the menu on the left and click the Add a permission button on the API permissions page.
- Click Microsoft Graph under the Commonly used Microsoft APIs group on the Request API permissions page. The Microsoft Graph API is displayed on the Request API Permissions page.
- Select Delegated permissions.
- Locate the POP permission group and select the POP.AccessAsUser.All check box.
- Click the Add permissions button.
Use eCopy ShareScan email inbox watcher via IMAP with Microsoft 365 email server and modern authentication:
To use eCopy ShareScan email inbox watcher via IMAP with Microsoft 365 email server and modern authentication, configure the permissions by doing the following:
- Select API permissions in the menu on the left and click the Add a permission button on the API permissions page.
- Click Microsoft Graph under the Commonly used Microsoft APIs group on the Request API permissions page. The Microsoft Graph API is displayed on the Request API Permissions page.
- Select Delegated permissions.
- Locate the IMAP permission group and select the IMAP.AccessAsUser.All check box.
- Click the Add permissions button.
Use eCopy ShareScan Notification service with Microsoft 365 SMTP server and modern authentication:
To use eCopy ShareScan Notification service with Microsoft 365 SMTP server and modern authentication, configure the permissions by doing the following:
- Select API permissions in the menu on the left, and click the Add a permission button on the API permissions page.
- Click Microsoft Graph under the Commonly used Microsoft APIs group on the Request API permissions page. The Microsoft Graph API is displayed on the Request API Permissions page.
- Select Delegated permissions.
- Locate the SMTP permission group and select the SMTP.Send check box.
- Click the Add permissions button.
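As an added example (not part of the Token Vault or eCopy ShareScan documentation or product code), the following Python script shows how the values registered above and the delegated permissions listed per component fit together into a least-privilege OAuth 2.0 authorization-code request with PKCE against the Microsoft identity platform v2.0 endpoint. It checks that the redirect URI has the required https://<FQDN>:<port>/callback shape, selects only the delegated permissions the chosen components need, and builds the authorization URL that a browser would be sent to. The component names, the login authority, the example client ID and tenant name are assumptions; the host tokenvaultmachine.testdomain.com is the example from the page. The client secret is deliberately absent: it belongs only to the server-side exchange of the returned code for tokens and must never be placed in a URL that passes through the user's browser.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# Delegated permissions named on this page, keyed by the component that needs them.
# The keys are hypothetical labels chosen for this example; the scope names are the
# check boxes the page tells you to select. TermStore.Read.All is kept separate
# because it needs admin consent and is only required for managed metadata columns.
COMPONENT_SCOPES = {
    "exchange": {"EWS.AccessAsUser.All"},
    "sharepoint": {"AllSites.Write", "MyFiles.Write"},
    "sharepoint_managed_metadata": {"TermStore.Read.All"},
    "pop3": {"POP.AccessAsUser.All"},
    "imap": {"IMAP.AccessAsUser.All"},
    "smtp_notification": {"SMTP.Send"},
}

# https://<FQDN>:<port>/callback -- HTTPS only, a dotted host name, an explicit port,
# and exactly the /callback path (no trailing slash, query or fragment).
REDIRECT_URI_RE = re.compile(
    r"^https://(?P<fqdn>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+):(?P<port>\d{1,5})/callback$"
)


def validate_redirect_uri(uri: str) -> bool:
    """Return True only for a URI in the form the page requires."""
    match = REDIRECT_URI_RE.match(uri)
    if not match:
        return False
    return 1 <= int(match.group("port")) <= 65535


def scopes_for(components) -> set:
    """Union of the delegated permissions needed by the given components, nothing more."""
    unknown = set(components) - COMPONENT_SCOPES.keys()
    if unknown:
        raise ValueError(f"unknown component(s): {sorted(unknown)}")
    return set().union(*(COMPONENT_SCOPES[c] for c in components))


def pkce_pair(verifier: str = None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, code_challenge,
                        authority="https://login.microsoftonline.com"):
    """Build the v2.0 authorization request. `tenant` is the tenant ID or domain for a
    single-tenant registration, or 'organizations' for a multi-tenant one (this mapping
    follows the Supported account types choice made during registration)."""
    if not validate_redirect_uri(redirect_uri):
        raise ValueError(f"redirect URI must look like https://<FQDN>:<port>/callback: {redirect_uri}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # must match the registered Redirect URI exactly
        "response_mode": "query",
        "scope": " ".join(sorted(scopes)),
        "state": state,                 # CSRF protection; verify it on the /callback request
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authority}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def demo() -> str:
    """Constructed sample: an IMAP inbox watcher plus SMTP notifications, single tenant."""
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    return build_authorize_url(
        tenant="contoso.onmicrosoft.com",                     # ASSUMPTION: sample tenant
        client_id="00000000-0000-0000-0000-000000000000",      # ASSUMPTION: placeholder client ID
        redirect_uri="https://tokenvaultmachine.testdomain.com:8381/callback",
        scopes=scopes_for(["imap", "smtp_notification"]),
        state=state,
        code_challenge=challenge,
    )


if __name__ == "__main__":
    print(demo())
```

The scope names are passed exactly as the page lists them; depending on the API the portal entry belongs to, the v2.0 endpoint may expect them prefixed with the resource's identifier URI, so treat that prefix as tenant-specific configuration rather than something this example asserts. The point worth keeping is the `scopes_for` step: every permission the app requests is a permission an attacker gains if the client secret or a refresh token leaks, so requesting only the set for the components actually deployed keeps the blast radius of that leak as small as the page's "add only those permissions that are required" instruction intends.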