Manual Microsoft 365 tenant configuration

If the automatic configuration was not successful due to permission issues, the tenant must configured manually. To do that, select Click here to configure with an already existing Azure AD application. Please note that you can also opt to configure manually and skip the automatic configuration altogether with the option provided.

Prerequisite: A service user account with at least View-Only Organization Management, View-Only Audit Logs, and Service Administrator permissions. Click here to learn how to create a Microsoft 365 service account.

Manual tenant configuration involves the following three steps:

  1. Create an Azure AD application
  2. Configure the Azure AD application in M365 Manager Plus
  3. Configure a service account in M365 Manager Plus

Manual Microsoft 365 tenant configuration

Steps to create an Azure AD application

  1. Sign in to the Azure AD portal using the credentials of a Global Administrator account.
  2. Select Azure Active Directory from the left pane.
  3. Select App registrations.
  4. Click New registration.
  5. Provide a Name for the M365 Manager Plus application to be created.
  6. Select a supported account type based on your organizational needs.
  7. Leave Redirect URI (optional) blank; you will configure it in the next few steps.
  8. Click Register to complete the initial app registration.
  9. You will now see the Overview page of the registered application.
  10. Click Add a Redirect URI.
  11. Click Add a platform under Platform configurations.
  12. In the Configure platforms pop-up, click Web under Web applications.
  13. In the Redirect URI field, enter http://localhost:port_number/webclient/VerifyUser. For example, http://localhost:8365/webclient/VerifyUser or https://192.345.679.345:8365/webclient/VerifyUser.
  14. You can leave the Logout URL and Implicit grant fields empty. Click Configure.
  15. On the Authentication page, under Redirect URIs, click Add URI.
  16. Enter http://localhost:port_number/webclient/ GrantAccess as the Redirect URI. For example, http://localhost:8365/webclient/GrantAccess or https://192.345.679.345:8365/webclient/GrantAccess.
  17. Similarly, using the Add URI option add http://localhost:port_number/AADAppGrantSuccess.do and http://localhost:port_number/AADAuthCode.do as URIs as well.
  18. Again click Add URI to add the below REDIRECT URIs in the subsequent rows. Please note that for users with M365 Manger Plus build 4409 or higher, REDIRECT URIs (b) and (c) are optional.
    • https://identitymanager.manageengine.com/api/public/v1/oauth/redirect
    • https://demo.o365managerplus.com/oauth/redirect
    • https://manageengine.com/microsoft-365-management-reporting/redirect.html
    • Manual Microsoft 365 tenant configuration

      Note: The REDIRECT URI must adhere to the following:

      • It must be fewer than 256 characters in length.
      • It should not contain wildcard characters.
      • It should not contain query strings.
      • It must start with HTTPS or http://localhost.
      • It must be a valid and unique URL. Based on the connection type (http/https) you have configured in M365 Manager Plus, the REDIRECT URI format varies.
      • For http, the URI value is http://localhost:8365. Machine name or IP address cannot be used in place of localhost if http is used.
      • For https, the URI value is https://192.345.679.345:8365 or https://testmachine:8365.

      To find your machine's IP, open the Command Prompt, type ipconfig, and click enter. You can find your IPv4 Address in the results shown.

  19. Click Save.
  20. Click Manifest from the left pane.
  21. Look for requiredResourceAccess array in the code.
  22. Copy the entire contents from this file and paste them into the section highlighted in the image below. If you want to modify the permissions to be provided, skip this step and follow the steps mentioned in this section.
  23. Application scopes mentioned in the file

    Microsoft Graph scopes

    • Application.ReadWrite.All
    • Directory.ReadWrite.All
    • Mail.ReadWrite
    • Sites.ReadWrite.All
    • Reports.Read.All
    • AuditLog.Read.All
    • User.ReadWrite.All
    • RoleManagement.ReadWrite.Directory
    • ServiceHealth.Read.All
    • Policy.Read.All
    • Calendars.Read
    • AdministrativeUnit.ReadWrite.All
    • ChannelMember.Read.All (not available in Chinese tenant)
    • Group.ReadWrite.All

    Office 365 management API scopes

    • ActivityFeed.Read
    • ActivityFeed.ReadDlp

    Office 365 Exchange Online

    • full_access_as_app

    SharePoint Online API scopes

    • Sites.Read.All
    • Sites.FullControl.All

    Learn more about minimum scopes.

    Note:
    • If your tenant is being created in Azure China, copy the entire contents from this file and paste them into the section highlighted in the image below.

    Manual Microsoft 365 tenant configuration

    Note: Copy-paste content only from the open square bracket to the closed square bracket. Ensure that all punctuation marks are retained correctly. Once you have pasted the file, it should look like the image below.

    Manual Microsoft 365 tenant configuration

  24. Click Save.
  25. Click API permissions from the left pane.
  26. In the Configured permissions section, click ✓ Grant admin consent for <your_company_name>.
  27. Click Yes in the pop-up that appears.
  28. Click Certificates & secrets from the left pane.
  29. Under the Client secrets section, click New client secret.
  30. This section generates an app password for M365 Manager Plus. In the Description field of the pop-up, provide a name to identify the app to which the password belongs.
  31. Choose when the password should expire.
  32. Click Add.
  33. Copy the string under Value and save it. This is the Application Secret Key, which you will require later.
  34. Go to Certificates and click Upload certificate. Upload your application certificate as a .cer file.
  35. If the user has an SSL certificate, the same can be used here. Otherwise, click here for steps to create a self-signed certificate.
  36. Note: Certificate-based authentication is used to contact Microsoft 365 securely and fetch data. During manual configuration, you will be asked to enter your application Secret and upload the Application Certificate.

    Manual Microsoft 365 tenant configuration

  37. Now go to the Overview section in the left pane.
  38. Copy the Application (client) ID and Object ID values and save them. You will need these values to configure your tenant in the M365 Manager Plus portal.
  39. Manual Microsoft 365 tenant configuration

  40. Refer to this table to learn about the roles that must be assigned to the application.

Steps to configure an Azure application in M365 Manager Plus

  1. Return to the M365 Manager Plus console where you have the pop-up.
  2. Manual Microsoft 365 tenant configuration

  3. Enter your Tenant Name. For example, test.onmicrosoft.com.
  4. Paste the Application ID and Application Object ID values copied in Step 34 into the respective fields.
  5. For the Application Secret Key, paste the value copied in Step 32.
  6. Upload a .pfx file of the certificate that has been uploaded in the Azure portal. Refer to Step 34 in the Steps to create an Azure AD application section.
  7. Enter your certificate password.
  8. If you have an SSL certificate, you can upload the same in the appropriate field.
  9. Click Add Tenant.
  10. You should now see that REST API access is enabled for the account you configured.

Steps to configure a service account in M365 Manager Plus

  1. Now the service account must be configured. To do this, click the edit option under the Actions column.
  2. Click the Edit icon found near Service Account Details.
  3. Enter the credentials of the service account you need to configure in the respective fields.
  4. Click Update, and close the pop-up window.
Note: If your service account is MFA-enabled, please check this section.

Steps to create a self-signed certificate

  1. Open PowerShell as an administrator and navigate to <Installation Directory>\bin.
  2. Run the following command: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process
  3. Now, run the Create-selfsignedcertificate.ps1 script.
  4. While running the script, you will be asked to add a common name for the certificate, start and end date (yyyy-MM-dd) for the certificate's validity and a private key to protect it.
  5. Once you enter the values, the script will create a .pfx file (contains both public and private key) in the bin folder
  6. The .pfx file needs to be uploaded in M365 Manager Plus, while the .cer file should be uploaded in the Azure portal of your application.

Copyright © 2023, ZOHO Corp. All Rights Reserved.