Creating a Microsoft 365 Connector | 8.1.293.37300 and above

Creating a Microsoft 365 connector in Certero is split into four parts: obtaining your tenant name, creating an Azure App in your Azure portal, obtaining a Client ID and Client Secret, and then creating the connector in Certero.

The connection to Microsoft is managed by the Microsoft Graph API utilising OAuth 2.0 Refresh Token Authentication. For more information on this, please refer to https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service .

Within your Azure Portal

Obtaining the Tenant Name

1. Log into your portal by clicking here

2. In the portal home page search for Entra:

3. Click on the Microsoft Entra ID icon:

4. In the menu select the ‘Custom domain names’ option:

5. A list of available tenants will be shown. This is the value we will use in our connector for ‘Tenant Name’:

Creating an App Registration

1. You will need to register an App within the Azure portal. This will provide us with the Client ID and Client Secret values we need.

2. Remaining within the Microsoft Entra ID, from the Manage menu, select the ‘App registrations’ option:

Click the 'New registration' button:

3. Give the application a meaningful name and select which account types are to be supported (by default Single-tenant will be selected):

4. Click the 'Register' button at the bottom of the form to register the application

Obtaining a Client ID from an App

Once your app is registered you will automatically be taken to the App registration screen. The top of this screen will show your Application (client) ID. This is the value we will use in our connector so make a note of it:

Creating a Client Secret

1. Navigate to the app that was created in the step above and from the menu select ‘Certificates & secrets’:

2. Click the ‘New client secret’ button.

3. Enter a description. Select when the secret should expire and click ‘Add’:

4. Your new client secret will be displayed.

Use the icon next to the value to copy the client secret to your clipboard and paste it into the client secret field in the Microsoft 365 dialog within the Certero platform.

Note: This is the only time that the client secret will be shown. Once you have navigated away from the page you will be unable to retrieve the value and will have to create a new secret. You will need to copy the Client Secret Value and not the Secret ID. The Secret ID is not used.

Adding API Permissions

1. Navigate to the app created in the step above and click ‘API permissions’ from the menu:

2. Click the ‘Add a permission’ button:

5. Add the following permissions:

  • Directory.Read.All

  • Group.Read.All

  • Reports.Read.All

  • User.Read.All

6. You will also need to grant admin consent. Click the ‘Grant admin consent’ button and click 'Yes' when prompted.

7. The resulting permissions should look similar to what is shown below.
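The grant can also be checked outside the portal by inspecting an access token issued to the app registration. The following is an added example, not Certero or Microsoft code: it decodes a token's claims and reports which of the four permissions listed above are missing and which extra permissions the app holds beyond them. The sample tokens are constructed and unsigned, and the function names are illustrative.

```python
import base64
import json

# The four Microsoft Graph permissions this page tells you to add.
REQUIRED = {"Directory.Read.All", "Group.Read.All", "Reports.Read.All", "User.Read.All"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit(token: str) -> dict:
    """Compare the permissions carried by a token with the required set."""
    claims = jwt_claims(token)
    # Application permissions arrive in 'roles'; delegated scopes in 'scp'.
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    return {"missing": sorted(REQUIRED - granted), "excess": sorted(granted - REQUIRED)}


def sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


# Constructed samples: one matching this page, one that has drifted.
AS_DOCUMENTED = sample_token({"roles": sorted(REQUIRED)})
DRIFTED = sample_token({"roles": ["Directory.Read.All", "Group.Read.All",
                                  "User.Read.All", "Directory.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("as documented", AS_DOCUMENTED), ("drifted", DRIFTED)):
        print(name, audit(tok))
```

An empty "missing" list means the connector has what it needs; anything under "excess" is a permission the app registration holds that this page does not ask for.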

Creating the Certero Connector

Prerequisites

The Certero Endpoint being used for the Microsoft 365 connector must have:

Microsoft 365 Reports anonymization will need to be disabled. Since 1st September 2021, usage reports are anonymized:

"Reports found in the Microsoft 365 admin center provide information about your organization’s usage data. Your organization's data is managed by trusted cloud security and privacy safeguards.
By default, reports display information with anonymized names for users, groups, and sites. If you prefer or if your organization’s policies require it, you can decide to display identified information.
This setting applies to usage reports in both the Microsoft 365 admin center and the Microsoft Teams admin center."

To disable this feature:

  • Go to https://admin.microsoft.com/ and log in as a Microsoft 365 Global Administrator

  • Click on Settings > Org Settings > Reports

  • Ensure the box "In all reports, display de-identified names for users, groups and sites" is unticked.

Within Certero

  1. Navigate to Connectors > Microsoft 365

  2. Click the +New button

  3. Under Tenant Name you need to input your Microsoft 365 tenant name. This will be for example: xxxxx.onmicrosoft.com

  4. Select your desired Endpoint Server (If the Microsoft 365 Connector feature is not enabled on this Endpoint Server, it will just ignore the request and nothing will happen)

  5. Under the Credentials section, enter your Client ID and Client Secret (Client Secret Value)

  6. On the Schedule tab, fill in the required details. Note that:

  • For the first 24 hours after creation of the connector, it is recommended that the schedule be set to every one hour

  • After 24 hours, the schedule can be amended to be, for example, every 24 hours, i.e., once a day

Click the Save button

The Microsoft 365 connector data should be imported at the scheduled time. If you do not want to wait for this process to begin, you can use the familiar Run Now option for the created connector to start the import.

Importantly, as with any connector in Certero, once it has been successfully created, please do not modify the user account permissions as doing so may cause the connector to only partially work, or not work at all.