Manually creating the Azure AD Application Registration required for API connection

Introduction


NOTE:

Do not use this process for MS Teams Channel Management. Use the app from here:
https://login.microsoftonline.com/common/adminconsent?client_id=52f9757b-7821-4378-9d28-523e7265fb2f

This app is needed only for compliance deployments that do not allow the use of multitenant apps (such as GCC / GCC High).


Part of SphereShield for Teams requires access to the Office 365 tenant through the Microsoft Graph API. This access is used mainly by the Adapter service.

As part of the installation process of the SphereShield Admin Portal, you need to supply connection values for accessing the office 365 tenant.

This is done by registering an application in Azure Active Directory.

After registering the app, you will enter the values in the first screen shown when you launch the SphereShield admin portal.

When the server is located on premises in the customer's network, it will also be necessary to create Public DNS records so that Microsoft Graph API can connect to the server where the CASB Service is installed.

Details

Creating the Web/API app

  1. Sign in to the Azure portal.
  2. At the top, you'll see a search box. Find App registrations and click it.
  3. Click on New registration.
  4. When the Create page appears, enter your application's registration information:
     - Name: Enter a meaningful application name.
     - Redirect URI: Web: "https://localhost"
  5. When finished, click Register.

Creating a secret key:

  1. Click on the application you've created.
  2. Click on Certificates & secrets in the side menu.
  3. Click on New client secret.
  4. Set a description and an expiration date. Click on Add.
  5. Make sure to keep the value somewhere safe. It will not be accessible afterward.

Adding the API Permissions

  1. Click API permissions in the side menu.
  2. Click the Add a permission button.
  3. Select Microsoft Graph and then Application permissions.
  4. Depending on the deployment type, set the relevant permissions as listed below:

Deployment A: Proxy-only deployment (the app is needed only to control authentication to the portal):

Deployment B: API deployment, or proxy and API deployment:

Don't forget to grant admin consent.

Creating the Native Client app

Note: This part is needed for Channel Management, eDiscovery and IM notification for compliance deployments (Ethical wall and DLP).

  1. Sign in to the Azure portal.
  2. At the top, you'll see a search box. Find App registrations and click it.
  3. Click on New registration.
  4. When the Create page appears, enter your application's registration information:
     - Name: Enter a meaningful application name.
     - Redirect URI: Public client/native: "https://localhost"
  5. When finished, click Register.

Adding the Delegated Permissions

  1. Click on API permissions in the side menu.
  2. Click the Add a permission button.
  3. Select Microsoft Graph and then Delegated permissions.
  4. Make sure you have added all of these permissions:

  5. Don't forget to grant admin consent.

Setting the Default Client Type

  1. Click on Authentication in the side menu.
  2. Scroll down to the Advanced settings section and set Treat application as a public client to Yes.
  3. Don't forget to click Save.


Create a compliance administrator user that has access to all teams

  1. Create a new user in Office 365.
  2. Give the user a license that is valid for MS Teams.
  3. This user will have access to all teams. It should not be a member of any team before configuring SphereShield.

SphereShield Admin Portal sign-in process


After the SphereShield Admin Portal is set up, follow these steps.


Reply URLs

After the Azure application is registered, the following additional configuration is needed to allow Microsoft sign-in:

  • Add the Admin Portal external URL to the Redirect URIs (Azure Portal => Azure Active Directory => App registrations => select your app => Authentication).

  • Click Save.



On first access to the Admin Portal after a fresh installation, the user is presented with the following screen to set the initial configuration:


In this page, enter the following details:

Azure AD Tenant: the domain from which the API should get data (for example: agatsoftware.com).

Application ID: the ID of the Web app / API application created in the Azure Portal.

Application Secret: the client secret created above.

External URL: this value will be provided to you by AGAT.

Note: the External URL must be the same as the one saved in the Redirect URIs in the Azure Portal.

After filling in the above fields and pressing Save, the next screen is the Admin Portal sign in. For subsequent Admin Portal accesses, the sign in will start here:


After clicking the Sign in with Microsoft button, the user is redirected to the Microsoft sign-in page:


If sign-in succeeds, the user enters the Admin Portal:


Configuring Admin Portal Integration with Azure AD:

Configuring the Integration:

To allow the CASB Adapter service to authenticate to the Graph API, you need to add credentials in the Access Portal under Settings -> Cloud service integration.

Azure AD Tenant: the domain from which the API should get data.

Application ID: the ID of the Web app / API application created in the Azure Portal.

Application Secret: the client secret created above.

Native Application ID: the ID of the Native application created in the Azure Portal.

Compliance Admin User: a user with access to Teams that will be added as an owner to each channel and team.

Make sure that the user has at least a license for Teams and is not a member of any channel/team before configuring.

Compliance Admin Password: the password of the Compliance Admin user. If the user has MFA enabled, configure an App Password and enter it here.

Enter your details in the fields and click Save.

You can click Test azure API connection to check that your connection is valid.
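The "Test azure API connection" button and the "grant admin consent" step above both come down to the same check: can the Web/API app obtain a Microsoft Graph access token with the client-credentials grant, and does that token carry the application permissions the deployment needs? The following Python script is an added example, not part of this article or of the SphereShield product. It builds the token request for the commercial cloud and for GCC High (Azure Government endpoints), and inspects the `roles` claim of the returned token; the permission names used as sample data and the `PLACEHOLDER.Permission` entry are constructed, since the required permission lists are not reproduced in this text.

```python
"""Check that an Azure AD app registration can reach Microsoft Graph with the
client-credentials grant and that admin consent took effect.
Added example; not AGAT / SphereShield code."""
import base64
import json
import urllib.parse
import urllib.request

# Well-known endpoints per cloud. Commercial and GCC use the public cloud
# endpoints; GCC High / DoD use the Azure Government endpoints.
CLOUDS = {
    "commercial": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "gcc-high": ("https://login.microsoftonline.us", "https://graph.microsoft.us"),
}


def token_endpoint(tenant: str, cloud: str = "commercial") -> str:
    """v2.0 token endpoint for the tenant (domain such as agatsoftware.com or a tenant GUID)."""
    authority, _graph = CLOUDS[cloud]
    return f"{authority}/{tenant}/oauth2/v2.0/token"


def client_credentials_body(app_id: str, secret: str, cloud: str = "commercial") -> dict:
    """Form fields of the client-credentials grant. The '.default' scope asks for
    every application permission an admin has consented to for this app."""
    _authority, graph = CLOUDS[cloud]
    return {
        "client_id": app_id,          # Application ID from the portal
        "client_secret": secret,      # the client secret value saved at creation
        "grant_type": "client_credentials",
        "scope": f"{graph}/.default",
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_app_roles(access_token: str) -> list:
    """Application permissions carried in the token's 'roles' claim.
    The payload is decoded WITHOUT signature verification: this only inspects a
    token we obtained ourselves, it is never a way to trust a token sent to us."""
    _header, payload, _signature = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return sorted(claims.get("roles", []))


def missing_permissions(access_token: str, required: list) -> list:
    """Permissions from the deployment's required list that the token lacks.
    A token with no 'roles' claim at all usually means admin consent was never granted."""
    granted = set(granted_app_roles(access_token))
    return sorted(p for p in required if p not in granted)


def fetch_token(tenant: str, app_id: str, secret: str, cloud: str = "commercial") -> str:
    """Perform the real token request (network). A wrong or expired secret surfaces
    as an HTTP 401 with an AADSTS error body in urllib.error.HTTPError."""
    data = urllib.parse.urlencode(client_credentials_body(app_id, secret, cloud)).encode()
    with urllib.request.urlopen(token_endpoint(tenant, cloud), data=data, timeout=30) as resp:
        return json.load(resp)["access_token"]


# --- constructed sample: an unsigned token carrying two roles, so the parsing
# can be exercised offline. Real tokens from Azure AD are RS256-signed. ---
def _sample_token(roles: list) -> str:
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": "https://graph.microsoft.com", "roles": roles})
    return ".".join([header, payload, ""])


SAMPLE_TOKEN = _sample_token(["Group.Read.All", "User.Read.All"])  # constructed values

if __name__ == "__main__":
    print(token_endpoint("agatsoftware.com"))
    print(token_endpoint("contoso.onmicrosoft.us", "gcc-high"))
    print(granted_app_roles(SAMPLE_TOKEN))
    # PLACEHOLDER.Permission stands in for whatever the deployment's list requires
    print(missing_permissions(SAMPLE_TOKEN, ["User.Read.All", "PLACEHOLDER.Permission"]))
```

To test a real registration, call `fetch_token(tenant, app_id, secret)` (or with `cloud="gcc-high"`) and pass the result to `missing_permissions` together with the permission list for your deployment type; an empty result means the secret is valid and admin consent covers every permission you listed, while a token that lacks the `roles` claim entirely is the usual sign that consent was configured but never granted.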