Articles in this section

See more

Create Azure AD Application for the SkyFormation Office 365 Connector

Avatar
Nadav Lavy
  • Updated
Follow

If you're having trouble at any stage please contact us at support@skyformation.com

Preface

The goal of this guide is to show you how to add an Azure AD application that could be used by the SkyFormation's Office 365 Cloud App Connector in your SkyFormation Platform.

 

Process steps

1. Log into your Azure account (https://portal.azure.com).

    NOTE: Ensure you use the O365 part of Azure (not the Azure top level) as they look the same 
              and have the same options, but O365 part should start with: aad.azure.com

2. Open Azure Active Directory

azuremanualgeneral.PNG

3. Navigate to Properties, keep aside the value of Directory ID, a.k.a Tenant ID

azureproperties.PNG

4. Navigate to App registrations, create a new app by clicking + New registration

NewRegistration.PNG 

5. Fill application details:
    Name: SkyFormationApp;
    Supported account types: Choose "Accounts int this organizational directory only([Your organization ID])" 

registerapp.PNG

6. Click "Register"

7. From the page of the just created app keep aside the value of Application ID, a.k.a Client ID

applicationid.PNG

8. Navigate to  Certificates & secrets  from the just created app page

key.PNG

9. Starting from release 2.4.108, two authentication methods are available:
     1) oauth2
     2) certificate

Choose one of the above:

9a. For oauth2  create a Key (a.k.a Secret), insert a name for the key, and select Expiration of Never, click Add (only then will the key/secret be generated)

 keyneverexpires.PNG

 

10a. Copy the new client secret value(a.k.a Secret). You won't be able to retrieve it after you leave this blade. 

 Continue to step 11.


9b. For certificate, you need to attach a certificate to the app. 

First, create a certificate + private key.

If you already have a certificate and private key that you want to attach to skyformation app, continue to step 10b.

If you don't have the certificate + private key files, you can generate it as follows:

Generate an X.509 asymmetric key by typing the following command in your terminal:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem

2 files will be created in the directory where you ran the command:

  • certificate.pem , which is the certificate or public key,
  • key.pem, which is the private key. 

Remember where these files are located as we will need them in the next steps.

10b. Click on "upload certificate":mceclip0.pngmceclip3.png Browse for your certificate file and upload it to the app. 

 Continue to step 11.

11. Add permissions for the application by navigating to API Permissions link in the app page

12. In the  API Permissions:
      - Click Add a permission
      - Click Select an API you need to add the app permissions to according to the below table.
        (e.g. Microsoft Graph API)
      - Check the needed permissions to the API according to the below table 
        (e.g. In the Application permissions check the "read all users full profiles" permission)
      - Repeat this for each permission needed in the API page  
      - Click "Add permissions"

        You should now see in the "Request API permissions" table the just added permissions to
       the specific API you added permissions to.

      Repeat the above step in section 12 for each API you need to add permissions to
      according to the table below.

 

        API Permissions needed table:

mceclip0.png

 

*Note*: if you are an existing customer and still using the previous endpoints (Deprecated - signins-events, and Deprecated - audit-events which are using the Azure AD Graph API), it is highly recommended to stop these endpoints and grant the permissions above to use the new Microsoft Graph API endpoints. If from any reason you are unable to do so, then you need to add one more permission which is DirectoryReadAll under Azure Active Directory Graph API.

 

13. Click Grant admin consent in the bottom of the page to really save all the permissions added above

 concent.PNG

Make sure you see a message that verifies the permissions were successfully granted

successfully_granted.PNG

 

(Optional) Getting the Exchange message trace and reports

In order to retrieve Exchange Reports data - Message Trace, DLP, Malware, Spam, SpoofMail, UrlTrace, a username & password of a user permitted to read those reports is required. 

See this link for what permissions each report type requires - 
https://technet.microsoft.com/en-us/library/jj200673(v=exchg.160).aspx

In order to enable mailbox logging (MessageTrace), it needs to be enabled by the Office (Exchange) administrator for the users who's mailbox you want to monitor. See this guide on how to configure it - https://support.office.com/en-us/article/Enable-mailbox-auditing-in-Office-365-aaca8987-5b62-458b-9882-c28476a66918

 

 

Your are done !

Next Steps

Now you are ready to add a SkyFormation Office365 Connector to your SkyFormation Platform.

Please make sure you keep your:
- client ID of your new created Office365 app
- Your tenant ID and generated secret ID

Go to: How to: Add SkyFormation Office365 Connector to SkyFormation Platform 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.