This guide outlines the process of data collection from an Office 365 source using one of the following tools:
- Intella Connect
- Intella Investigator
- Intella Professional
Throughout this document, we will refer to these as Intella. Specific steps unique to a particular tool will be highlighted accordingly.
This guide discusses configuring Azure so that Intella can connect to an Office 365 source. Read it together with the sections of the user manual on adding sources to an Intella case.
For more information about connecting to O365, there is a webinar here.
Connect to Online Office 365
The Office 365 source type allows for retrieving both user accounts and user groups. For each user account used to access Office 365, the source can retrieve data from Outlook, OneDrive, and SharePoint. For each user group, the source retrieves titled conversations containing emails.
For Outlook, the source retrieves all folders (both standard and user-defined) and all emails therein. For OneDrive, the source retrieves all folders and all files.
The Office 365 source uses the Microsoft Graph API to connect to Office 365 and retrieve its resources. There are two modes in which a connection for Office 365 can be made: connection in user mode, and in application mode. Connection in user mode allows for the retrieval of that user’s resources only. Connection in application mode allows for the retrieval of the resources of selected or all users.
Depending on the connection type used, the Microsoft Graph service uses a different group of permissions and settings to control access to the Office 365 resources. However, for both connection types, it is required to grant admin consent after assigning the permissions.
Before using Intella to index an Office 365 source, you need to configure settings in the Azure portal so that Intella can access the source. Intella can only access the resource if it has adequate permissions for the account and its content. Below are some issues that have been reported to us. They all trace back to settings and/or permissions in the Azure portal that have not been set correctly.
- You get an error (similar to below) when using the 'Connect to Office 365' option in Intella's Add new source wizard.
- The 'Connect to Office 365' option in the Add new source wizard completes successfully, but you cannot index any data from the account.
- You can connect to the account with no issues, and you can index data in the account with no issues, but Intella indexes other data associated with the account which should not be indexed.
- You are not able to authenticate due to “access token” or credential issues.
Note: Intella will be able to index an Office 365 source provided that the login configuration (2FA when logging in in user mode) and the permissions are set correctly.
This is something that we cannot do, as we are not Azure administrators. You may need to consult your Azure administrator for more advanced configuration and permission settings to allow access to the Office 365 source.
The guide below shows how to configure Azure to grant Intella access to Office 365 in either user or application login mode.
Please note that the guide below is a conservative measure to ensure that Intella has ample permissions to access the basic aspects of an account, so that all data can be indexed. This guide lists the minimal set of permissions required to retrieve basic information. It is up to the user to set the correct permissions for the required access to the Office 365 account within the Azure portal.
Note that Intella reads the data through the Microsoft Graph API. No write permissions are required, and Intella does this in read-only mode.
Configure Azure to connect to an Office 365 source
Step 1:
Go to https://portal.azure.com and log in using the Office 365 admin credentials.
Choose the "Microsoft Entra ID" option.
Step 2:
Choose "App registrations"
Step 3:
Press "New registration"
Step 4:
The "Register application" page will appear. Provide an application name and choose the options marked in boxes. Please ensure that the Redirect URI of the SPA (single page application) option is set to: "http://localhost:38081/public/oauth/microsoft-oauth-callback.html"
Step 5:
Step 5 option 1:
On the screenshot for "Step 4", choose the link marked with 1, which points to the "Credentials" page. This page is used to set up a client secret, which needs to be configured only when you plan to connect as "application".
Choose the "New client secret" option.
Provide a secret description and expiration date, and press "Add".
You'll be redirected to the "Certificates & secrets" page. Please copy the secret value to a safe location, since this is the first and last time you will see it. After refreshing the page, only the first three letters will be visible, so if the secret is lost, a new one has to be created.
Step 5 option 2:
On the screenshot for "Step 4", choose the link marked with 2, which points to the "redirect uris" page. This page is used to complete the platform configuration. There are a couple of options to choose on this page.
During initial setup, the "Single page application" platform was created, which provides the "redirect URI" necessary for the Intella web-based products ("Intella Connect", "Intella Investigator").
You may therefore skip the additional platform creation if you don't plan to use "Intella Professional", but all other options in this step must be configured.
Additional "Platform" creation
Choose "Add platform".
From the "Configure platforms" section choose "Mobile and desktop application".
Choose the redirect URI marked on the picture below, which is "https://login.microsoftonline.com/common/oauth2/nativeclient"
Press "Configure".
The "Mobile and desktop applications" section should appear on the page. Please verify the content of the section against the picture below.
Step 5 option 3:
Final configuration and verification.
Please check that all required platforms are present, and verify the configuration (verify the URIs).
Additionally, check the checkbox "Access tokens (used for implicit flows)" and change the supported account types to: "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)". Also choose "No" for "Allow public client flows" in the advanced settings section. For simplicity, the following picture has all essential settings marked so that you can compare your settings against it.
Step 5 option 4:
Click on the View API Permissions button, as indicated by the number 4 on picture shown in "Step 4" section.
By default there is a User.Read privilege added for the Microsoft Graph API.
Click on the Microsoft Graph option. You will be redirected to the API permissions page.
Choose "Add permission". The permission panel should appear; choose the "Microsoft Graph" API.
Microsoft Graph allows two sets of permissions to be defined: "Delegated permissions" and "Application permissions".
"Delegated permissions" are used when logging in in user mode; "Application permissions" are used when logging in in application mode.
Choose the appropriate permission type. Please remember that Intella requires only read access to the resources and does not make any changes to the source.
The sample screen here shows the process of selecting "Delegated permissions". It is shown only to illustrate what the permission selection screen looks like. Selecting "Application permissions" looks the same, so that screenshot is skipped.
After finishing, please use the "Add permissions" button, which appears at the bottom of the screen. You will be transferred back to the "API permissions" page. Choose the "Grant admin consent" option there to activate the permissions change.
A minimal set of permissions must be granted in order to do some basic processing. Intella requires read access to the organization info and to the group and user lists.
Minimal set of delegated permissions (required when logging in in user mode)
Sample of an extended set of delegated permissions used for processing the Office 365 data source in user mode
Minimal set of application permissions (required when logging in in application mode)
Sample of an extended set of application permissions used for processing the Office 365 data source in application mode
NOTE: Sometimes it takes some time for permissions to propagate through the Microsoft cloud.
NOTE_1: The login process is handled completely by Microsoft, so in case of login problems please consult your Azure administrator and check the Azure sign-in logs.
This finalizes the configuration of the Office 365 Graph access.
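An added example, not part of the original guide or of Intella: a local check of which Microsoft Graph permissions an access token issued for the registered app actually carries, and whether any of them go beyond the read-only access described above. The token contents, the placeholder IDs and the `WRITE_MARKERS` heuristic are assumptions constructed for illustration; the guide's own permission lists are in its screenshots.

```python
import base64
import json

# Name segments treated as write-capable here: an assumption of this example,
# not a Microsoft-published list.
WRITE_MARKERS = {"ReadWrite", "Write", "Send", "Manage", "FullControl"}

def decode_claims(token):
    """Decode a JWT payload locally, without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit(token):
    """Report login mode, granted Graph permissions, and any that are not read-only."""
    claims = decode_claims(token)
    if "roles" in claims:            # application permissions (application mode)
        mode, perms = "application", list(claims["roles"])
    elif "scp" in claims:            # delegated permissions (user mode), space-separated
        mode, perms = "user", claims["scp"].split()
    else:                            # nothing granted: consent missing or not yet propagated
        mode, perms = "none", []
    flagged = [p for p in perms if WRITE_MARKERS & set(p.split("."))]
    return {"mode": mode, "permissions": sorted(perms), "write_capable": sorted(flagged)}

def sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])

# Constructed sample claims; tenant and application IDs are placeholders.
APP_TOKEN = sample_token({
    "aud": "https://graph.microsoft.com",
    "tid": "TENANT-ID-PLACEHOLDER",
    "appid": "APPLICATION-ID-PLACEHOLDER",
    "roles": ["User.Read.All", "Group.Read.All", "Organization.Read.All", "Mail.ReadWrite"],
})
USER_TOKEN = sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read Mail.Read Files.Read.All",
})

if __name__ == "__main__":
    for name, tok in (("application", APP_TOKEN), ("user", USER_TOKEN)):
        print(name, audit(tok))
```

A result with mode "none" matches the case where the connection succeeds but no data can be indexed, and a non-empty "write_capable" list means the registration holds more than the read-only access the guide calls for.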
Step 6:
Now that you have configured access to an Office 365 account, you can use the Add new source wizard in Intella, with the 'Office 365' option, to index the Office 365 data.
This includes SharePoint Office 365 resources as well.
Press "Next" to start the process.
Step 7
There are 2 login scenarios:
1. Login in user mode
2. Login in application mode
Connecting to Microsoft 365 in user mode
Ensure that the "Application login" checkbox is unchecked to log in in user mode.
To log in in user mode, please prepare the following data:
1. Application ID
2. User credentials
Please fill in the form and press the "Connect to Microsoft 365" button.
You will be redirected to the Microsoft "Office 365 authentication" page to perform the 2FA authentication flow.
There, provide:
- the user name or email
- the password
- the Microsoft authentication code, which might arrive by mail, by SMS, or from Microsoft Authenticator, depending on configuration. Please refer to your Azure administrator to configure it.
Upon completion, a screen with basic account information should appear.
Connecting to Microsoft 365 in application mode
Please check the "Application login" checkbox and provide the following login data:
1. Tenant ID
2. Application ID
3. Client secret
Then press the "Connect to Microsoft 365" button.
The Tenant ID and Application ID may be obtained from the application registration main page (see the picture provided for step 4).
Upon completion, a screen with basic account information should appear.
Other notes:
- As of this writing, the listed permissions and components allow access to OneDrive, Mail, and SharePoint. Note that in the future, Microsoft may make changes to the settings, and the look or layout of the Azure portal may change. This means that the screenshots in this document may look different, or there could be more (or fewer) permissions shown in Azure.
- If you have followed this guide and you still have issues accessing the Office 365 or SharePoint data, there may be a few reasons for this.
1) You may have some special account settings that you are unaware of. You should first consult your internal Azure manager, then contact Microsoft support if you cannot resolve the issue.
2) Microsoft may have made changes so that the listed permissions no longer work. You should contact Microsoft support if you cannot resolve the issue.