This guide outlines the process of data collection from a Microsoft 365 source using one of the following tools:
- Intella Connect
- Intella Investigator
- Intella Professional
Throughout this document, we will refer to these as Intella. Specific steps unique to a particular tool will be highlighted accordingly.
This guide discusses configuring Azure for connecting to a Microsoft 365 source with Intella. This document should be read along with the sections in the user manual for adding sources to an Intella case.
For more information about connecting to M365, there is a recorded webinar at the link below.
Please note that the name has been changed from Office 365 to Microsoft 365.
Connect to Online Microsoft 365
The Microsoft 365 source type allows for retrieving both user accounts and user groups. For each user account used to access Microsoft 365, the source can retrieve data from Outlook, OneDrive, and SharePoint. For each user group, the source retrieves titled conversations containing emails.
For Outlook, the source retrieves all folders (both standard and user-defined) and all emails therein. For OneDrive, the source retrieves all folders and all files.
The Microsoft 365 source uses the Microsoft Graph API to connect to Microsoft 365 and retrieve its resources. There are two modes in which a connection for Microsoft 365 can be made: connection in user mode, and in application mode. Connection in user mode allows for the retrieval of that user’s resources only. Connection in application mode allows for the retrieval of the resources of selected or all users.
Depending on the connection type used, the Microsoft Graph service uses a different group of permissions and settings to control access to the Microsoft 365 resources. However, for both connection types, it is required to grant admin consent after assigning the permissions.
Before using Intella to index a Microsoft 365 source, you need to configure some settings in the Azure portal so that Intella can access the source. Intella can only access the resource if there are adequate permissions to access the account and content. Below are some common issues that have been reported to us. These issues are all related to the Azure portal, where the settings and/or permissions have not been set correctly.
- You get an error (similar to below) when using the 'Connect to Microsoft 365' option in Intella's Add new source wizard.
- The 'Connect to Microsoft 365' option in the Add new source wizard completes successfully, but you cannot index any data from the account.
- You can connect to the account with no issues, and you can index data in the account with no issues, but Intella indexes other data associated with the account which should not be indexed.
- You are not able to authenticate due to “access token” or credential issues.
Note: Intella will be able to index a Microsoft 365 source provided that the login configuration (including 2FA when logging in through user mode) and the permissions are set correctly.
Setting these up on your behalf is something that we cannot do, as we are not your Azure administrators. You may need to consult your Azure administrator for more advanced configuration and permission settings to allow access to the Microsoft 365 source.
The guide below shows how to configure Azure to grant Intella access to Microsoft 365 either in user login mode or application login mode.
Please note that the guide below is a conservative measure to ensure that Intella has ample permissions to access basic aspects of an account, so that all data can be indexed. This guide provides the minimal set of permissions required to retrieve basic information. It is up to the user to set the correct permissions for the required access to the Microsoft 365 account within the Azure portal.
Note that Intella reads the data through the Microsoft Graph API. No write permissions are required, and Intella does this in read only mode.
Configure Azure to connect to a Microsoft 365 source
Step 1:
Go to https://portal.azure.com and log in using the Microsoft 365 admin credentials, then select the "Microsoft Entra ID" option.
Step 2:
Choose "App registrations" on the left-hand side.
Step 3:
Click "New registration" near the top of the page.
Step 4:
The "Register application" page will appear. Provide an application name (the user-facing display name for the application). Then:
- For Supported account types, select "Accounts in this organizational directory only (Single tenant)".
- For the Redirect URI, select "Single-page application (SPA)" and set its value to: http://localhost:38081/public/oauth/microsoft-oauth-callback.html
Note: Before early 2025, multi-tenant account types were supported. However, Microsoft has made changes such that only single tenant account types are supported here.
Step 5:
Step 5 option 1:
In the above screenshot (in "Step 5"), choose the link marked with # 1, which points to the "Credentials" page. It allows you to set up a client secret, which only needs to be configured when you plan to have Intella collect the data via the application login method.
Choose the "New client secret" option.
Provide the secret description and expiration date and click "Add".
You'll be redirected to the "Certificates & secrets" page. Ensure that you copy the "Value" field to a safe location before navigating away from this page, since this will be the first and last time that you see it. After refreshing the page, or navigating away and returning, only the first three characters will be visible. If the secret is lost, a new one has to be created.
Step 5 option 2:
Click the "Overview" tab at the top-left of the page to return to the app registration overview page. Then, from the screenshot in "Step 5", choose the link marked with # 2, which points to the "Redirect URIs" page. It allows you to complete the platform configuration. There are a couple of options to choose from on this page.
During the earlier setup, a "Single page application" platform was created, which provides the "redirect URI" that is necessary for Intella's multi-user web-based products (e.g. Intella Connect and Intella Investigator).
You may therefore skip this additional platform creation if you don't plan to use "Intella Professional", but all other options in this step must be configured.
For the additional "Platform" creation:
Click "Add Redirect URI".
Then from the configure platforms section, choose "Mobile and desktop applications".
On the next step of the wizard, select the option titled: "https://login.microsoftonline.com/common/oauth2/nativeclient"
Click "Configure" at the bottom of the window.
The "Mobile and desktop applications" section should now appear on the page. Double-check that this is the case.
Step 5 option 3:
Finally, check that all required platforms are present, and verify the configuration by checking the URIs.
Then click the "Settings" tab.
Under this tab:
- Check the checkbox for "Access tokens (used for implicit flows)".
- For "Allow public client flows", ensure this option is disabled.
- Ensure "Supported account types" is set to: "Accounts in this organizational directory only (Single tenant)".
Step 5 option 4:
Click on the "Overview" tab near the top left to return to the Overview.
Then click on the "View API Permissions" button, as indicated by # 4 in the screenshot shown in "Step 5".
By default, a User.Read permission is already added for the Microsoft Graph API.
Click on the "Add a permission" button.
Then click the "Microsoft Graph" API option.
Microsoft Graph allows you to define two different sets of permissions: "Delegated permissions" and "Application permissions".
"Delegated permissions" are used when Intella is logging in through user mode, and "Application permissions" are used when Intella is logging in through application mode.
So choose the appropriate option depending on whether Intella will be performing the login via user mode or application mode. Please remember that Intella only requires read permission access to the resources, and does not make any changes to the source.
Here is an example screenshot showing the "Delegated permissions" option selected, to show what the process of permission selection looks like. The view when selecting "Application permissions" is the same, so regardless of which option you choose, you'll see something like the image below.
This view has a list of all possible permissions that you can grant to Intella.
There is a minimal set of permissions that must be granted in order to do some basic processing. Intella requires read access to the organization information, the group list, and the user list:
- Group.Read.All
- Organization.Read.All
- User.Read.All
Here is an example of the minimal set of delegated permissions that is required when logging in via user mode:
And here is an example of an extended set of delegated permissions used for processing of the Microsoft 365 data source in user mode.
Here is the minimal set of application permissions required when logging in via application mode:
Here is an example of an extended set of delegated permissions used for processing of the Microsoft 365 data source in application mode:
After finishing, click the "Add permissions" button which appears at the bottom of the screen.
You will be transferred back to "API permissions" page.
At that point, click "Grant admin consent for <user>" option to activate the change in permissions.
NOTES:
- Sometimes it takes some time for the permissions to take effect.
- The login process is handled completely by Microsoft. So in the case of login problems, consult your Azure administrator and check the Azure sign-in logs.
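One way to confirm that consent has actually taken effect is to inspect the access token that the Microsoft identity platform hands back after login. The following Python check is an added example, not part of Intella or of this guide: it decodes a token's claims (without verifying the signature, so this is inspection only) and compares the delegated (`scp`) or application (`roles`) permissions against the minimal read-only set listed above. The tenant ID, application ID and tokens used here are constructed placeholders.

```python
import base64
import json

# Minimal read-only Graph permissions the guide lists for both login modes.
REQUIRED_PERMISSIONS = {"Group.Read.All", "Organization.Read.All", "User.Read.All"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT for offline testing only.
    Real Microsoft-issued tokens are signed; this helper exists so the check can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, expected_tenant: str, expected_app_id: str) -> dict:
    """Compare what the token carries with what the guide says should be granted and consented."""
    claims = decode_claims(token)
    # Delegated (user mode) permissions arrive space-separated in 'scp';
    # application-mode permissions arrive as a list in 'roles'.
    delegated = set(claims.get("scp", "").split())
    application = set(claims.get("roles", []))
    granted = delegated | application
    return {
        "mode": "user" if "scp" in claims else "application",
        "tenant_ok": claims.get("tid") == expected_tenant,   # token issued by the expected tenant
        "app_ok": claims.get("appid") == expected_app_id,    # token issued to the registered app
        "missing": sorted(REQUIRED_PERMISSIONS - granted),
        # Heuristic: Intella needs read-only access, so flag any grant that looks like a write permission.
        "write_grants": sorted(p for p in granted if "ReadWrite" in p or ".Write" in p or p.endswith(".Send")),
    }
```

An empty "missing" list with an empty "write_grants" list is what a correctly consented, read-only registration should produce; if permissions were just added, a fresh token may lag behind the portal for a while.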
This finalizes the configuration of the Microsoft 365 collection.
Step 6:
Now that you have configured access to a Microsoft 365 account, you can use the Add new source wizard with the 'Microsoft 365' option in Intella to index the Microsoft 365 data.
This includes SharePoint Microsoft 365 resources as well.
Click "Next" to start the process.
Step 7:
There are two login scenarios:
1. Login via user mode.
2. Login via application mode.
Both options are presented below. Please follow the steps outlined in the login method you wish to follow.
Connecting to Microsoft 365 in user mode
First, ensure the "Application login" checkbox is unchecked to log in via user mode.
In order to log in in user mode, you will need to enter the following data:
1. User name of the user to log in as (and password, and possibly 2FA code if it is set up).
2. Application (client) ID.
3. Tenant (directory) ID.
The latter two can be found in the Overview of the Azure app registration.
Once the form has been filled, click the "Connect to Microsoft 365" button.
You will be redirected to a Microsoft 365 page to perform authentication.
First provide the username or email.
Then the user's password.
Then the Microsoft authentication code if applicable, which might come in the form of an email, SMS, or a prompt from the Microsoft Authenticator app, depending on the configuration. Please refer to your Azure administrator if there is any confusion.
Once the user is verified, Intella will present you with basic account information.
Connecting to Microsoft 365 in application mode
First, check the "Application login" checkbox.
Then provide the following login data:
1. Application (client) ID
2. Tenant (directory) ID
3. Client secret
The first two can be found in the Overview of the Azure app registration.
The client secret was the value you needed to record and keep in Step 5, option 1.
When ready, click the "Connect to Microsoft 365" button, then Intella will present you with basic account information.
This concludes the guide on collecting from Microsoft 365 with Intella.
Other notes:
- As of this writing, the listed permissions and components allow access to OneDrive, Mail, and SharePoint. Note that in the future, Microsoft may make changes to the settings, and the look or layout of the Azure portal may change. This means that the screenshots in this document may look different, or there could be more (or fewer) permissions shown in Azure.
- If you have followed this guide and you still have issues accessing the Microsoft 365 or SharePoint data, there may be a few reasons for this.
1) You may have some special account settings that you are unaware of. You should first consult with your internal Azure manager. Then contact Microsoft support if you cannot resolve the issue.
2) Microsoft may have made some changes such that the listed permissions no longer work. Contact Microsoft support if you aren't able to resolve the issue.