Creating a Microsoft 365 Connector | 6.1 to 8.1.171.37250

Managing API client access to Microsoft 365

The Certero connector for Microsoft 365 uses the Microsoft Graph APIs to connect to and retrieve data from Microsoft 365. The APIs use industry-standard OAuth 2.0 protocols for authentication and authorization.

For more information on what OAuth is and how this flow works between an endpoint server and Microsoft, please see the following link:

Microsoft Identity Platform and OAuth 2.0

In the Certero Microsoft 365 connector there is the option of two types of permission that can be used to access the Microsoft 365 data:

  • Application Permissions:
    Application permissions are consented to by an administrator and allow read-only access to all objects in the customer's tenant.

  • Delegated Permissions:
    Delegated permissions inherit the permissions of the consenting user and are used to return a subset of objects from your tenant. The administrator limits the user’s permissions and therefore limits the data Certero can access. Use this option when multiple businesses are linked to the same Microsoft 365 account.

For more information on Delegated and Application permissions click here.

In order to create a connector for Microsoft 365 in Certero, there are a number of details you will need to enter. These are:

The aim of this document is to show the user how to create these values in their own instance and use them in the Certero Microsoft 365 connector to pull data into the platform.

Tenant Name in Azure Portal

1. Log into your portal by clicking here.

2. On the portal home page, search for Azure Active Directory:

3. Click on the Azure Active Directory link:

4. In the menu select the ‘Custom domain names’ option:

5. A list of available tenants will be shown. This is the value we will use in our connector for ‘Tenant Name’:

Registering an App in the Azure portal

1. We will need to register an App within the Azure portal; this will provide us with the Client Id and Client Secret values we need.

2. Remaining within the Azure Active Directory, from the Manage menu, select the ‘App registrations’ option:

3. Click the ‘New registration’ button:

4. Give the application a meaningful name and select which account types are to be supported (by default Single-tenant will be selected):

5. Under the Redirect URI heading ensure that ‘Web’ is selected from the drop-down and enter the following value in the provided text box:

https://cc.certero.com/cmp/AuthorizeOffice365Connector

6. Click the Register button at the bottom of the form to register the application.

Obtaining a Client ID from an App

1. Once your app is registered you will automatically be taken to the App registration screen. The top of this screen will show your Application (client) ID. This is the value we will use in our connector so make a note of it:

Note: You can navigate to the App at any time by clicking on the App registrations button from the menu blade or searching for App registrations in the main search bar. Clicking on the App name will open the overview.

Creating a Client Secret for an App

1. Navigate to the app that was created in the steps above (App Registrations) and click on it to open the properties. Select the ‘Certificates & secrets’ menu option.

2. Click the ‘New client secret’ button.

3. Enter a description. Select when the secret should expire and click ‘Add’:

4. Your new client secret will be displayed.
Make a note of or store the client secret value; it is required in the Certero connector.

Note: This is the only time that the client secret will be shown to the user. Once you have navigated away from the page you will be unable to retrieve the value and will have to revoke and create a new secret:

Adding API permissions

1. Navigate to the app created in the step above and click ‘API permissions’ from the menu:

2. Click the ‘Add a permission’ button:

3. Select ‘Microsoft Graph’

4. Select either Delegated permissions or Application permissions:

5. Add the following permissions:

API/Permission Name    Description
Directory.Read.All     Read directory data
Group.Read.All         Read all groups
Reports.Read.All       Read all usage reports
User.Read.All          Read all users’ full profiles

6. Once the required permissions have been selected, click the Add permissions button:

7. Note: Permissions may require admin consent:

8. On the API permissions screen click the ‘Grant admin consent’ button:

Note: You will need to be logged in as either:

  • A Global administrator

  • A Cloud Application Administrator

  • An Application Administrator

9. Disable Office 365 Reports anonymization.

Since 1st September 2021 usage reports are anonymized:

"Reports found in the Microsoft 365 admin center provide information about your organization’s usage data. Your organization's data is managed by trusted cloud security and privacy safeguards.
By default, reports display information with anonymized names for users, groups, and sites. If you prefer or if your organization’s policies require it, you can decide to display identified information.
This setting applies to usage reports in both the Microsoft 365 admin center and the Microsoft Teams admin center."

You will need to disable this feature to gather usage information:

  • Go to https://admin.microsoft.com/ and log in as a Microsoft 365 Global Administrator

  • Click on Settings > Org Settings > Reports

  • Ensure the box "In all reports, display de-identified names for users, groups and sites" is unticked.
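
One way to confirm that consent granted only the four read-only permissions from step 5 is to inspect the permission claims of an access token issued to the app registration. The Python below is an added example, not Certero or Microsoft code: it reads the "roles" claim (Application permissions) or the "scp" claim (Delegated permissions) and flags anything outside the documented set. It assumes you hold such a token in JWT form; the sample token is constructed and unsigned, and the Token value pasted into the connector is not assumed to be in this format.

```python
import base64
import json

# The four read-only Microsoft Graph permissions listed in step 5.
EXPECTED = {"Directory.Read.All", "Group.Read.All", "Reports.Read.All", "User.Read.All"}


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def granted_permissions(token: str) -> tuple[str, set[str]]:
    """Return (permission type, names) from a token's claims.

    Inspection only: the signature is NOT verified here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = _b64url_json(parts[1])
    if "scp" in claims:                 # delegated: space-separated string
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:               # application: list of strings
        return "application", set(claims["roles"])
    return "none", set()


def audit(token: str) -> dict:
    """Compare granted permissions with the documented read-only set."""
    kind, granted = granted_permissions(token)
    return {
        "type": kind,
        "missing": sorted(EXPECTED - granted),
        "unexpected": sorted(granted - EXPECTED),
        # Graph write permissions carry "Write" in the name (*.ReadWrite.All).
        "write_capable": sorted(p for p in granted if "write" in p.lower()),
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for demonstration only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    sample = make_sample_token({"roles": sorted(EXPECTED) + ["Directory.ReadWrite.All"]})
    print(audit(sample))
```

A non-empty "unexpected" or "write_capable" list means the app registration holds more than the connector needs and the extra permissions should be removed on the API permissions screen.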

Create a new Certero Microsoft 365 Connector

1. In Certero > Connectors > Microsoft 365 click the ‘New’ button.

2. Enter the Tenant Name and a description:

3. Click on Credentials.

There are two different types of permissions that can be used:

Application Permissions

1. In the Credentials dialogue screen click on the ‘Application Permissions’ option:

2. Click the ‘Authorize’ button:

3. Log in using the administrator username and password:

4. Click Accept on the permissions requested screen:

5. Copy the Token value from the pop-up window and paste it into the connector dialog box:

6. Click Save.

Delegated Permissions

1. In the Credentials dialogue screen click on the Delegated Permissions option:

2. Copy and paste the Client Id into the Client ID

3. Copy and paste the Client Secret into the Client Secret

4. Click the ‘Authorize’ button:

5. Log in using the App owner’s username and password or a user that has access to the app:

6. Click Accept on the permissions requested screen:

7. Copy the Token value from the pop-up window and paste it into the connector dialog box:

8. Click on Save.