Manual Microsoft 365 tenant configuration

If the automatic configuration was not successful due to permission issues, the tenant must be configured manually. To do that, select Click here to configure with an already existing Azure AD application. Note that you can also skip the automatic configuration altogether and configure the tenant manually from the start using the option provided.

Prerequisite: A service user account with at least the View-Only Organization Management, View-Only Audit Logs, and Service Administrator permissions. See Steps to create a Microsoft 365 service account below.

Manual tenant configuration involves the following three steps:

  1. Create an Entra ID application
  2. Configure the Entra ID application in M365 Manager Plus
  3. Configure a service account in M365 Manager Plus


Steps to create an Entra ID application

  1. Log in to the Microsoft Entra ID admin center using the credentials of a Global Administrator or any other user account with the permission to create Entra ID applications.
  2. Navigate to Identity > Applications > App registrations.
  3. Click New registration.
  4. Provide a Name for the M365 Manager Plus application to be created.
  5. Select a supported account type based on your organizational needs.
  6. Leave Redirect URI (optional) blank; you will configure it in the next few steps.
  7. Click Register to complete the initial app registration.
  8. You will now see the Overview page of the registered application.
  9. Navigate to Authentication in the side pane.
  10. Click Add a platform under Platform configurations.
  11. In the Configure platforms pop-up, under Web applications, click Web.
  12. In the Redirect URI field, enter the following links, where <port_number> is the port used by M365 Manager Plus. You can enter only one link at a time. After you enter a link, click Configure and repeat the steps until all of the links are configured.
    a. http://localhost:<port_number>/webclient/VerifyUser
    b. http://localhost:<port_number>/webclient/grantacces
    c. http://localhost:<port_number>/AADAppGrantSuccess.do
    d. http://localhost:<port_number>/AADAuthCode.do
    e. https://identitymanager.manageengine.com/api/public/v1/oauth/redirect
    f. https://demo.m365managerplus.com/oauth/redirect
    g. https://manageengine.com/microsoft-365-management-reporting/redirect.html
    Note:
    • The machine name or IP address can be used in place of localhost only if the product is configured to use HTTPS. You can configure HTTPS by referring to the steps mentioned here. Entra ID accepts http:// redirect URIs for localhost only, so a machine name or IP address must be registered with https://. Open Command Prompt and enter ipconfig to find your machine's IP address.
    • For M365 Manager Plus build 4409 and above, Redirect URIs f and g are optional. Register only the URIs you need: every redirect URI on the application is a location to which an authorization code for this application may be sent.
  13. You can leave the Logout URL and Implicit grant fields empty.
  14. Click Save.
  15. Click Manifest from the left pane.
  16. Look for requiredResourceAccess array in the code.

    Copy the entire contents from this file and paste them into the requiredResourceAccess array of the manifest. If you want to modify the permissions, skip this step and follow the steps mentioned in this section instead.

    Application scopes mentioned in the file

    Microsoft Graph scopes

    • Application.ReadWrite.All
    • Directory.ReadWrite.All
    • Mail.ReadWrite
    • Sites.ReadWrite.All
    • Reports.Read.All
    • AuditLog.Read.All
    • User.ReadWrite.All
    • RoleManagement.ReadWrite.Directory
    • ServiceHealth.Read.All
    • Policy.Read.All
    • Calendars.Read
    • AdministrativeUnit.ReadWrite.All
    • ChannelMember.Read.All (not available in Chinese tenant)
    • Group.ReadWrite.All

    Office 365 management API scopes

    • ActivityFeed.Read
    • ActivityFeed.ReadDlp

    Office 365 Exchange Online

    • full_access_as_app

    SharePoint Online API scopes

    • Sites.Read.All
    • Sites.FullControl.All

    Learn more about minimum scopes.

    Note:
    • If your tenant is being created in Azure China, copy the entire contents from this file instead and paste them into the requiredResourceAccess array of the manifest.

    Note: Copy and paste only the content from the opening square bracket to the closing square bracket, replacing the existing array. Ensure that all punctuation marks are retained correctly, otherwise the manifest will not save.

  17. Click Save.
  18. Click API permissions from the left pane.
  19. In the Configured permissions section, click ✓ Grant admin consent for <your_company_name>.
  20. Click Yes in the pop-up that appears.
  21. Click Certificates & secrets from the left pane.
  22. Under the Client secrets section, click New client secret.
  23. This section generates an app password for M365 Manager Plus. In the Description field of the pop-up, provide a name to identify the app to which the password belongs.
  24. Choose when the password should expire. Pick the shortest lifetime your rotation process can sustain: the secret must be replaced in both Entra ID and M365 Manager Plus before it expires, or data collection stops.
  25. Click Add.
  26. Copy the string under Value and save it in your password vault. This is the Application Secret Key, which you will require later. The value is shown only once; if you leave the page without copying it, delete that secret and create a new one.
  27. Go to Certificates and click Upload certificate. Upload the public part of your application certificate as a CER file.
  28. If you already have a certificate with its private key (for example, an SSL certificate), you can use it here. Otherwise, follow the Steps to create a self-signed certificate section below.

    Note: Certificate-based authentication is used to contact Microsoft 365 securely and fetch data. During manual configuration, you will be asked to enter your application secret and upload the Application Certificate.


  29. Now go to the Overview section in the left pane.
  30. Copy the Application (client) ID and Object ID values and save them. You will need these values to configure your tenant in the M365 Manager Plus portal.


  31. Refer to this table to learn about the roles that must be assigned to the application.
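An application holding Directory.ReadWrite.All and full_access_as_app is a high-value credential, so it is worth verifying the registration from the command line rather than trusting the portal screens. The following PowerShell script is an added example for this page, not code from M365 Manager Plus or ManageEngine. It uses the Microsoft Graph PowerShell SDK to compare the registration with the redirect URIs and permission list above, report permissions that are missing or not in the list, check that admin consent was actually granted for each application permission, and flag expired or soon-to-expire client secrets. The resource app IDs are the well-known Microsoft values for Microsoft Graph, the Office 365 Management APIs, Exchange Online and SharePoint Online; the default port 8365 and the parameter names are assumptions and should be replaced with your own values.

```powershell
# Added example (not part of the M365 Manager Plus documentation or product):
# audit an Entra ID app registration against the rules given above.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
param(
    [Parameter(Mandatory)] [string] $ClientId,   # Application (client) ID from the app's Overview page
    [int] $ProductPort = 8365                    # assumed port of M365 Manager Plus; use your own
)

# Documented application permissions, keyed by the well-known resource app IDs.
$expected = @{
    '00000003-0000-0000-c000-000000000000' = @(  # Microsoft Graph
        'Application.ReadWrite.All', 'Directory.ReadWrite.All', 'Mail.ReadWrite',
        'Sites.ReadWrite.All', 'Reports.Read.All', 'AuditLog.Read.All', 'User.ReadWrite.All',
        'RoleManagement.ReadWrite.Directory', 'ServiceHealth.Read.All', 'Policy.Read.All',
        'Calendars.Read', 'AdministrativeUnit.ReadWrite.All', 'ChannelMember.Read.All',
        'Group.ReadWrite.All')
    'c5393580-f805-4401-95e8-94b7a6ef2fc2' = @('ActivityFeed.Read', 'ActivityFeed.ReadDlp')  # Office 365 Management APIs
    '00000002-0000-0ff1-ce00-000000000000' = @('full_access_as_app')                        # Office 365 Exchange Online
    '00000003-0000-0ff1-ce00-000000000000' = @('Sites.Read.All', 'Sites.FullControl.All')    # SharePoint Online
}
# Hosts the documented redirect URIs may point at (localhost carries the product port).
$allowedHosts = @("localhost:$ProductPort", 'identitymanager.manageengine.com',
                  'demo.m365managerplus.com', 'manageengine.com')

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
$app = Get-MgApplication -Filter "appId eq '$ClientId'"
if (-not $app) { throw "No app registration with client ID $ClientId" }
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Redirect URIs: every extra entry is another place an authorization code can be sent.
foreach ($uri in $app.Web.RedirectUris) {
    $u = [Uri]$uri
    $hostPort = if ($u.IsDefaultPort) { $u.Host } else { "$($u.Host):$($u.Port)" }
    if ($hostPort -notin $allowedHosts) { $findings.Add("Undocumented redirect URI: $uri") }
    elseif ($u.Scheme -ne 'https' -and $u.Host -ne 'localhost') { $findings.Add("Plain HTTP redirect URI: $uri") }
}

# 2. Required permissions: resolve each GUID through the resource's service principal and
#    compare with the documented list in both directions (missing and extra).
# 3. Admin consent: a configured role is usable only once it is assigned to the app's own
#    service principal, which is what "Grant admin consent" does behind the scenes.
$appSp   = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -All
foreach ($rra in $app.RequiredResourceAccess) {
    $res  = Get-MgServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
    $want = $expected[$rra.ResourceAppId]
    if (-not $want) { $findings.Add("Undocumented resource: $($res.DisplayName)"); continue }
    $have = @()
    foreach ($ra in $rra.ResourceAccess) {
        if ($ra.Type -ne 'Role') {   # the documented entries are application permissions (Role)
            $name = ($res.Oauth2PermissionScopes | Where-Object Id -eq $ra.Id).Value
            $findings.Add("Delegated permission on $($res.DisplayName): $name"); continue
        }
        $name = ($res.AppRoles | Where-Object Id -eq $ra.Id).Value
        $have += $name
        if ($name -notin $want) { $findings.Add("Extra permission on $($res.DisplayName): $name") }
        if (-not ($granted | Where-Object { $_.ResourceId -eq $res.Id -and $_.AppRoleId -eq $ra.Id })) {
            $findings.Add("Admin consent not granted for $($res.DisplayName)/$name")
        }
    }
    foreach ($w in $want) {
        if ($w -notin $have) { $findings.Add("Missing permission on $($res.DisplayName): $w") }
    }
}

# 4. Credentials: an expired secret stops data collection; a long-lived one is a standing risk.
$now = [DateTime]::UtcNow
foreach ($pw in $app.PasswordCredentials) {
    $days = ($pw.EndDateTime - $now).TotalDays
    if ($days -lt 0)      { $findings.Add("Client secret '$($pw.DisplayName)' expired on $($pw.EndDateTime)") }
    elseif ($days -lt 30) { $findings.Add("Client secret '$($pw.DisplayName)' expires in $([int]$days) days") }
}
if (-not $app.KeyCredentials) { $findings.Add('No certificate uploaded under Certificates & secrets > Certificates') }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'App registration matches the documented configuration.' }
```

Run it as a user holding at least Application.Read.All (the script only reads). Re-run it after each secret or certificate rotation and whenever the product's required permissions change, so that an extra permission someone added "temporarily" does not stay on the application unnoticed.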

Steps to configure an Entra ID application in M365 Manager Plus

  1. Return to the M365 Manager Plus console where you have the Configure Microsoft 365 Tenant pop-up.
  2. Enter your Tenant Name. For example, test.onmicrosoft.com.
  3. Paste the Application ID and Application Object ID values copied in Step 30 of the Steps to create an Entra ID application section into the respective fields.
  4. For the Application Secret Key, paste the value copied in Step 26 of that section.
  5. Upload a PFX file of the certificate whose CER file you uploaded to the Microsoft Entra admin center in Step 27 of that section.
  6. Enter your certificate password.
  7. If you have an SSL certificate, you can upload the same in the appropriate field.
  8. Click Add Tenant.
  9. You should now see that REST API access is enabled for the tenant you configured.

Steps to create a Microsoft 365 service account

  1. Login to the Microsoft 365 admin center as a Global Administrator.
  2. Click Admin.
  3. Navigate to Users → Active users in the left pane.
  4. Choose Add a user.
  5. Enter the Display name and Username. (First name and Last name are optional)
  6. Either uncheck "Automatically create password" and provide a password of your choice, or leave it checked to let the system generate a password for you.
  7. Click Next.
  8. A service account does not require a license. Hence, select your usage location and the Create user without product license radio button.
  9. Click Next.
  10. Under the Roles option, select Admin center access and choose the required roles (Exchange Admin role is mandatory). Click here to view the list of required roles.
  11. Click Next.
  12. Choose Finish adding.
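The same account can be created from PowerShell, which is easier to repeat and review than the portal wizard. The script below is an added example, not code from the page or from ManageEngine. It uses the Microsoft Graph PowerShell SDK cmdlets New-MgUser, Get-MgDirectoryRoleTemplate, Get-MgDirectoryRole, New-MgDirectoryRole and New-MgDirectoryRoleMemberByRef to create an unlicensed user with a randomly generated password and assign it the Exchange Administrator role, the one the steps above call mandatory; any further roles from the linked list must be added the same way. The user principal name, display name and usage location are placeholders.

```powershell
# Added example (not from the M365 Manager Plus documentation): create an
# unlicensed service account and give it the Exchange Administrator role.
# Requires the Microsoft.Graph PowerShell SDK.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. m365mp-svc@contoso.onmicrosoft.com (placeholder)
    [string] $DisplayName   = 'M365 Manager Plus service account',  # assumed name
    [string] $UsageLocation = 'US'                                  # assumed; use your tenant's country code
)
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All' -NoWelcome

# 24 random bytes from the OS CSPRNG, base64-encoded: 32 characters, not guessable,
# and never typed interactively. Store it in a vault; do not keep it in this script.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

# No -AssignedLicenses: the service account needs no product license.
# ForceChangePasswordNextSignIn is false because a service account cannot complete
# an interactive password change.
$user = New-MgUser -DisplayName $DisplayName -UserPrincipalName $UserPrincipalName `
    -MailNickname $UserPrincipalName.Split('@')[0] -AccountEnabled -UsageLocation $UsageLocation `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

# Directory roles are instantiated from templates on first use; activate the
# Exchange Administrator role if nobody in the tenant has held it yet.
$template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Exchange Administrator'
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($template.Id)'"
if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $template.Id }
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }

# Shown once so it can be entered in M365 Manager Plus and the vault; clear the console afterwards.
[PSCustomObject]@{ UserPrincipalName = $user.UserPrincipalName; ObjectId = $user.Id; Password = $password }
```

The Exchange Administrator role is a tenant-wide privileged role, so treat this account like any other admin account: exclude it from nothing but the MFA policy it genuinely cannot satisfy (see the MFA note under Steps to configure a service account in M365 Manager Plus), restrict where it can sign in from, and monitor its sign-ins.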

Steps to configure a service account in M365 Manager Plus

  1. Now the service account must be configured. To do this, click the edit option under the Actions column.
  2. Click the edit icon found near Service Account Details.
  3. Enter the credentials of the service account you need to configure in the respective fields.
  4. Click Update, and close the pop-up window.

    Note: If your service account is MFA-enabled, please check this section.

Steps to create a self-signed certificate

  1. Run the following command in Windows PowerShell as an administrator:

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process

  2. Navigate to the <Installation Directory>\bin folder and run the Create-selfsignedcertificate.ps1 script as an administrator.
  3. While running the script, you will be asked to add a common name for the certificate, the start and end date (yyyy-MM-dd) of the certificate's validity period, and a password to protect the private key.
  4. Once you enter the values, the script will create a PFX file (containing both the public and private key) in the bin folder.
  5. The PFX file needs to be uploaded in M365 Manager Plus, while the CER file should be uploaded in the Application Overview page of your Microsoft Entra ID application.
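The product's Create-selfsignedcertificate.ps1 is not reproduced on this page. The script below is an added example of the same procedure written with the built-in Windows PKI cmdlets (New-SelfSignedCertificate, Export-PfxCertificate, Export-Certificate); it is not the product's script. It exports the PFX for M365 Manager Plus and the CER for the Entra ID application, then removes the key from the local certificate store so that the password-protected PFX is the only copy. The common name, validity period and output directory are placeholders.

```powershell
# Added example; not the product's Create-selfsignedcertificate.ps1.
# Needs the PKI module that ships with Windows 10 / Windows Server 2016 and later.
param(
    [string]   $CommonName = 'M365ManagerPlus-EntraApp',   # assumed name; any CN works
    [DateTime] $NotBefore  = (Get-Date),
    [DateTime] $NotAfter   = (Get-Date).AddYears(1),         # one year; rotate rather than register a decade-long key
    [string]   $OutDir     = (Get-Location).Path
)
if ($NotAfter -le $NotBefore) { throw 'The end date must be later than the start date.' }

# Read the PFX password as a SecureString so it is neither echoed nor kept in the command history.
$pfxPassword = Read-Host -Prompt 'Password to protect the private key' -AsSecureString

# RSA-2048 / SHA-256 signing certificate in the current user's store. The key must be
# exportable, otherwise Export-PfxCertificate cannot produce the PFX.
$cert = New-SelfSignedCertificate -Subject "CN=$CommonName" -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeySpec Signature `
    -KeyUsage DigitalSignature -KeyExportPolicy Exportable -NotBefore $NotBefore -NotAfter $NotAfter

$pfxPath = Join-Path $OutDir "$CommonName.pfx"
$cerPath = Join-Path $OutDir "$CommonName.cer"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null   # private + public key -> M365 Manager Plus
Export-Certificate    -Cert $cert -FilePath $cerPath -Type CERT            | Out-Null   # public key only     -> Entra ID application

# The protected PFX is now the only copy of the key; drop the store entry so the key
# does not linger unprotected on the machine that ran this script.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"

[PSCustomObject]@{
    Thumbprint = $cert.Thumbprint    # compare with the thumbprint Entra ID shows after the CER upload
    NotAfter   = $cert.NotAfter
    Pfx        = $pfxPath
    Cer        = $cerPath
}
```

Upload the CER to the application's Certificates & secrets page and the PFX to M365 Manager Plus, then confirm the thumbprint printed by the script matches the one shown in the Entra admin center. Note the NotAfter date in the same place you track the client secret's expiry; an expired certificate stops authentication just as an expired secret does.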

Copyright © 2023, ZOHO Corp. All Rights Reserved.