If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
The goal of this guide is to show you how to add an Azure AD application that could be used by the SkyFormation's Office 365 Cloud App Connector in your SkyFormation Platform.
You could use one of the following two processes to create the needed Azure AD application:
- Automated process (PowerShell based)
This option is based on a PowerShell script provided by SkyFormation that would automatically
create the needed Azure AD application in your Office Azure AD with its needed permissions.
- Manual process
The entire app creation process is based on manual steps done by the Azure AD administrator.
Automated Process Steps
1. Download the PowerShell script attached in this post.
2. Review the PowerShell content before executing and make sure the script procedure is
understood and accepted by your Office 365 admin.
3 Run the PowerShell script in a PowerShell shell.
4 Commit the permissions added to the new Azure AD app added
- Log into your Azure account (https://portal.azure.com).
- Open: "Azure Active Directory" service page
- Open: "App registrations" and press "View all application"
- Open: "SkyFormationApp4OfficeConnector" app page
- Press on the "Settings" button
- Open: "Required permissions" page
- In the "Required Permissions" click on the "Grant Permissions" button. and press "Yes"
If the entire permissions added and granted correctly you should see a screen says:
Azure AD app creation is DONE.
You can now skip to:
"(Optional) Getting the Exchange message trace and reports" section below.
Manual Process steps
1. Log into your Azure account (https://portal.azure.com).
NOTE: Ensure you use the O365 part of Azure (not the Azure top level) as they look the same
and have the same options, but O365 part should start with: aad.azure.com
2. Open Azure Active Directory
3. Navigate to Properties , keep aside the value of Directory ID , a.k.a Tenant ID
4. Navigate to App registrations , create a new app by clicking + New application registration
5. Fill application details: Name: SkyFormationApp; type: Web app/API; Sign-on URL: https://www.skyformation.com
6. Click to select the newly created application
7. Keep aside the value of Application ID, a.k.a Client ID
8. Create a Key (a.k.a Secret) by navigating to Keys, insert a name for the key, and select duration of Never expires , click Save (only than will the key/secret be generated)
9. Keep aside the generated key (a.k.a Secret)
10. Add permissions for the application by navigating to Required permissions link in the
app page
10.1 Adding permissions in each API page
In the Required Permissions page
- Click Add
- Click Select an API you need to add the app permissions to according to
the below table. (e.g. Microsoft Graph API)
- Check the needed permissions to the API according to the below table
(e.g. In the Application permissions check the "read all users full profiles" permission)
- Repeat this for each permission needed in the API page
- Click "Select"
- Click "Done"
You should now see in the "Required permissions" table the just added permissions to
the specific API you added permissions to.
Repeat the above step in section 10.1 for each API you need to add permissions to
according to the table below.
NOTE: Do not click the Select All checkbox. Azure has a UI glitch where this button
does not really check the permissions (only checks them visually)
API Permissions needed table:
| API name | Category (Application/Delegated) | Permissions needed |
| Windows Azure Active Directory | Application | Read directory data |
| Microsoft Graph | Application | Read all groups |
| Application | Read all users' full profiles | |
| Application | Read all identity risk event information | |
| Office 365 Management APIs | Application | Read activity reports for your organization |
| Application | Read threat intelligence data for your organization | |
| Application | Read activity reports for your organization | |
| Application | Read threat intelligence data for your organization | |
| Application | Read DLP policy events including detected sensitive data | |
| Application | Read activity data for your organization | |
| Application | Read service health information for your organization |
10.2 Commit the permissions added in each API
In the "Required Permissions" page once the entire permissions above added
Click on the "Grant Permissions" button.
If the entire permissions added and granted correctly you should see a screen says:
*sk4Appv22 will present with the name you gave the SkyFormation Azure app.
(Optional) Getting the Exchange message trace and reports
In order to retrieve Exchange Reports data - Message Trace, DLP, Malware, Spam, SpoofMail, UrlTrace, a username & password of a user permitted to read those reports is required.
See this link for what permissions each report type requires -
https://technet.microsoft.com/en-us/library/jj200673(v=exchg.160).aspx
In order to enable mailbox logging (MessageTrace), it needs to be enabled by the Office (Exchange) administrator for the users who's mailbox you want to monitor. See this guide on how to configure it - https://support.office.com/en-us/article/Enable-mailbox-auditing-in-Office-365-aaca8987-5b62-458b-9882-c28476a66918
(Optional) Getting the Exposed Resources Report
In order to retrieve the exposed files report from Office 365 (OneDrive and Sharepoint), follow these steps:
- Generate an X.509 asymmetric key by typing the following command in your terminal:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem2 files will be created in the directory where you ran the command:- certificate.pem , which is the certificate or public key,
- key.pem, which is the private key.
Remember where these files are located as we will need them in the next steps.-
Grant additional permissions to your azure AD application by navigating to Required permissions link in the app page. You will need to add more permissions to the Office 365 Management API and add permissions to the Office 365 Sharepoint Online API, according to the following table (refer to step 10 above for detailed instruction for adding permissions):
API name Category (Application/Delegated) Permissions needed Office 365 Management APIs Delegated Read DLP policy events including detected sensitive data Office 365 Sharepoint online Application Read items in all site collections Delegated Run search queries as a user
Microsoft Graph Application Read items in all site collections
-
- Upload the X.509 key to the application:
3.1 Navigate to Keys, click on Upload Public Key and upload the public key (certificate.pem) which you created in step 1. Click on Save.
Note: the certificate.pem and key.pem files you created on step 1 are also required when using the OpenApi and/or when adding/configuring the Office365 connector from Skyformation UI.
Your are done !
Next Steps
Now you are ready to add a SkyFormation Office365 Connector to your SkyFormation Platform.
Please make sure you keep your:
- client ID of your new created Office365 app
- Your tenant ID and generated secret ID
Go to: How to: Add SkyFormation Office365 Connector to SkyFormation Platform
Comments
0 comments
Please sign in to leave a comment.