Graph API Connection for Azure AD - Akumina Community

Graph API Connection for Azure AD


The purpose of this document is to provide the steps necessary to configure a connection from the Digital Workplace to the O365 Graph API which is used to enable the People Directory, Akumina Workspaces, and Company Calendar (O365 shared calendar).  This document will describe how to create the Azure AD application that provides the required connection and authentication.

The user performing the steps below must be an Azure Active Directory tenant administrator.

See article https://azure.microsoft.com/en-us/documentation/articles/active-directory-administer/

This document applies to installations of the Graph API connection to support Digital Workplaces running AppManager and Akumina Framework versions 4.0 and higher.


Creating the AzureAD Application

Access the Admin Console in your Office 365 tenant.

Under Admin Centers, select Azure AD.  If you do not see this option, you must first sign up for the Azure AD Management console (see Azure AD Requirements section).

In the left navigation, click Azure Active Directory, then click App registrations in the right pane.

Select “New Registration”

Enter a name for the Graph App and then click Register.

Configuring the New Application for 4.x

Once the app is created, click on the “Branding” tab.

Set the home page URL and click save.

{AppManagerURL}/oauth2/signin  (note that /oauth2/signin must be lower case)

Example:

https://akqat2.onakumina.com/oauth2/signin


Click on “Authentication” and enter the Redirect URI.  The Redirect URI is the {AppManagerURL}/oauth2/acs (note that /oauth2/acs must be lowercase).

Understanding API permissions

For further understanding of “permissions and consent in the Azure Active directory v1.0 endpoint,” please see Microsoft’s documentation:

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-permissions-and-consent

When the AppManager calls these APIs, the calls are made using the identity of the currently logged-in user who initiated the request (via the AppManager), so the effective access is the intersection of the permissions granted to the app and those held by that user.

Setting Required API Permissions for AAD App

Setting the API permissions for the AAD App is important because this controls which services within O365 the app will be able to access. Permissions must be requested from the following APIs:

  • Microsoft Graph
  • SharePoint
  • Azure Active Directory Graph (supported legacy API – in the future this will not be required)

Microsoft Graph – DELEGATED Permissions

Click on “API permissions.” “Microsoft Graph” will appear; click on it, and the interface will display the “Delegated permissions” by default.

Expand the following categories and check the box for each of the permissions listed below.

Note the Feature/Purpose column as you select each permission so you understand why it is required.

DELEGATED Permissions for “Microsoft Graph”

Category (expand)   Permission Name               Feature/Purpose
Calendar            Calendars.Read                My Events | Company Calendar
Directory           Directory.AccessAsUser.All    People Sync / People Directory
Group               Group.Read.All                Workspaces
Group               Group.ReadWrite.All           Workspaces
MailboxSettings     MailboxSettings.ReadWrite     Company Calendar
Tasks               Tasks.Read                    Workspaces
User                User.Read.All                 People Sync / People Directory

Click on “Update permissions”

Microsoft Graph – APPLICATION Permissions

Click on “Microsoft Graph” and “Application Permissions”

Check each of the “Permission Name” as required for your site.

APPLICATION Permissions for “Microsoft Graph”

Category (expand)   Permission Name               Feature/Purpose
Group               Group.ReadWrite.All           Workspaces

Click on “Update permissions.”

SharePoint – DELEGATED Permissions

To add permissions to SharePoint, click on “API permissions” and then click on “Add a permission.”

In the “Request API permissions” pane, scroll to and select “SharePoint.”

Click on “Delegated permissions,” expand the categories, and check the permissions below:

Delegated Permissions for “SharePoint”

Category (expand)   Permission Name               Feature/Purpose
AllSites            AllSites.FullControl          Allows the app to have full control of all site collections on behalf of the signed-in user.
MyFiles             MyFiles.Read                  Allows the app to read the current user’s files.
MyFiles             MyFiles.Write                 Allows the app to read, create, update and delete the current user’s files.
Sites               Sites.Search.All              Allows the app to run search queries and to read basic site info on behalf of the current signed-in user. Search results are based on the user’s permissions instead of the app’s permissions.
TermStore           TermStore.Read.All            Allows the app to read, create, update, and delete managed metadata and to read basic site info on behalf of the signed-in user.
User                User.ReadWrite.All            Allows the app to read and update user profiles and to read basic site info on behalf of the signed-in user.

Azure Active Directory Graph – APPLICATION Permissions

To add permissions to Azure Active Directory, click on “API permissions” and then click on “Add a permission.”

In the “Request API permissions” pane, scroll to the bottom (found under “Supported legacy APIs”) and select “Azure Active Directory Graph.” Please note that in the future this API permission will not be required.

Select “Application permissions” and expand the “Directory” category.

APPLICATION Permissions for “Azure Active Directory Graph”

Category (expand)   Permission Name               Feature/Purpose
Directory           Directory.Read.All            People Sync / People Directory

Granting admin consent for the API permissions

After all permissions have been selected, the Azure Active Directory tenant administrator needs to click on the “Grant admin consent for the API permissions” button and then the “Yes” button.


Please verify that the success message is displayed; otherwise the permissions have not been granted.

If you selected all of the permissions above, your API permissions list should look like the following:
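As an added check that is not part of this guide, the following Python audits a registration against the URL and permission requirements described above: it flags a mixed-case /oauth2/signin or /oauth2/acs path, lists permissions that are missing or go beyond the documented set, calls out Application-type grants (which act without a signed-in user) for review, and reminds you when admin consent is still pending. The input snapshot (hostname dw.example.com, the permission triples, the consent flag) is constructed for illustration; nothing is read from a tenant.

```python
# Permission set documented in this guide, as (API, type, permission) triples.
REQUIRED = {
    ("Microsoft Graph", "Delegated", p) for p in (
        "Calendars.Read", "Directory.AccessAsUser.All", "Group.Read.All",
        "Group.ReadWrite.All", "MailboxSettings.ReadWrite", "Tasks.Read",
        "User.Read.All")
} | {("Microsoft Graph", "Application", "Group.ReadWrite.All")} | {
    ("SharePoint", "Delegated", p) for p in (
        "AllSites.FullControl", "MyFiles.Read", "MyFiles.Write",
        "Sites.Search.All", "TermStore.Read.All", "User.ReadWrite.All")
} | {("Azure Active Directory Graph", "Application", "Directory.Read.All")}

def check_oauth_urls(app_manager_url, home_page_url, redirect_uris):
    """Home page must be {AppManagerURL}/oauth2/signin and the redirect URI
    {AppManagerURL}/oauth2/acs; both are compared case-sensitively."""
    base = app_manager_url.rstrip("/")
    problems = []
    for label, expected, actual in (
        ("home page", base + "/oauth2/signin", [home_page_url]),
        ("redirect URI", base + "/oauth2/acs", redirect_uris),
    ):
        if expected in actual:
            continue
        # A case-only mismatch is exactly the mistake this guide warns about.
        near = [u for u in actual if u.lower() == expected.lower()]
        problems.append(f"{label} {near[0]} must be lower case" if near
                        else f"{label} {expected} is missing")
    return problems

def audit_permissions(configured, consent_granted):
    """Missing triples break features; extras widen the app beyond what the
    product needs and should be removed or justified; Application-type grants
    act without a signed-in user, so they are listed for explicit review."""
    configured = set(configured)
    return {
        "missing": sorted(REQUIRED - configured),
        "extra": sorted(configured - REQUIRED),
        "application_level": sorted(p for p in configured if p[1] == "Application"),
        "consent_pending": not consent_granted,  # grant admin consent, then re-check
    }

# Constructed snapshot (not a real tenant): one scope short, one stray scope,
# a mixed-case redirect URI, and admin consent not yet granted.
SAMPLE = {
    "app_manager_url": "https://dw.example.com/",
    "home_page_url": "https://dw.example.com/oauth2/signin",
    "redirect_uris": ["https://dw.example.com/OAuth2/ACS"],
    "permissions": (REQUIRED - {("Microsoft Graph", "Delegated", "Tasks.Read")})
                   | {("Microsoft Graph", "Delegated", "Mail.ReadWrite")},
    "consent_granted": False,
}
```

Run `check_oauth_urls(**{k: SAMPLE[k] for k in ("app_manager_url", "home_page_url", "redirect_uris")})` and `audit_permissions(SAMPLE["permissions"], SAMPLE["consent_granted"])` against a snapshot of your own registration; an empty problem list, empty "missing" and "extra", and `consent_pending` False means the registration matches this guide.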
