Manual Microsoft 365 tenant configuration
If the automatic configuration was not successful due to permission issues, the tenant must be configured manually. To do that, go to Org/Tenant Settings, click Add Tenant, and select Click here to configure with an already existing Azure AD application. Please note that you can also opt to configure manually and skip the automatic configuration altogether with the option provided.
Prerequisite: A service user account with at least View-Only Organization Management, View-Only Audit Logs, and Service Administrator permissions. Click here to learn how to create a Microsoft 365 service account.
Manual tenant configuration involves the following three steps:
- Create an Azure AD application.
- Configure the Azure AD application in Exchange Reporter Plus.
- Configure a service account in Exchange Reporter Plus.
Steps to create an Azure AD application
- Sign in to the Azure AD portal using the credentials of a Global Administrator account.
- Select Azure Active Directory from the left pane.
- Select App registrations.
- Click New registration.
- Provide a Name for the Exchange Reporter Plus application to be created.
- Select a supported account type based on your organizational needs.
- Leave Redirect URI (optional) blank; you will configure it in the next few steps.
- Click Register to complete the initial app registration.
- You will now see the Overview page of the registered application.
- Click Add a Redirect URI.
- Click Add a platform under Platform configurations.
- In the Configure platforms pop-up, click Web under Web applications.
- In the Redirect URI field, enter http://localhost:port_number/webclient/VerifyUser. For example, http://localhost:8181/webclient/VerifyUser or https://192.345.679.345:8181/webclient/VerifyUser.
- You can leave the Logout URL and Implicit grant fields empty. Click Configure.
- On the Authentication page, under Redirect URIs, click Add URI.
- Enter http://localhost:port_number/webclient/ GrantAccess as the Redirect URI. For example, http://localhost:8181/webclient/GrantAccess or https://192.345.679.345:8181/webclient/GrantAccess.
- Similarly, using the Add URI option, add http://localhost:port_number/AADAppGrantSuccess.do and http://localhost:port_number/AADAuthCode.do as URIs as well.
- Again click Add URI to add the below REDIRECT URIs in the subsequent rows. Please note that for users with Exchange Reporter Plus build 5607 or higher, REDIRECT URIs (b) and (c) are optional.
- https://identitymanager.manageengine.com/api/public/v1/oauth/redirect
- https://demo.o365managerplus.com/oauth/redirect
- https://manageengine.com/microsoft-365-management-reporting/redirect.html
Note: The REDIRECT URI must adhere to the following:
- Click Save.
- Click Manifest from the left pane.
- Look for the requiredResourceAccess array in the code.
- Copy the entire contents from this file and paste them into the section highlighted in the image below. If you want to modify the permissions to be provided, skip this step and follow the steps mentioned in this section.
Application scopes mentioned in the manifest file:
Microsoft Graph scopes
- Domain.ReadWrite.All
- AuditLog.Read.All
- Directory.Read.All
- Reports.Read.All
- User.Read.All
- ActivityFeed.Read
- ServiceHealth.Read
To know more about minimum scopes, click here.
Note:
- If your tenant is being created in Azure China, copy the content below and paste it into the section highlighted in the image below.
[
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
},
{
"id": "798ee544-9d2d-430c-a058-570e29e34338",
"type": "Role"
},
{
"id": "da2af54a-6152-42e3-9911-6accce0d5d67",
"type": "Role"
},
{
"id": "e85629e1-bdf6-470f-821c-f66c4fb9cbe2",
"type": "Role"
}
]
},
{
"resourceAppId": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
"resourceAccess": [
{
"id": "594c1fb6-4f81-4475-ae41-0c394909246c",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "abefe9df-d5a9-41c6-a60b-27b38eac3efb",
"type": "Role"
}
]
}
]
Note: Copy-paste content only from the open square bracket to the closed square bracket. Ensure that all punctuation marks are retained correctly. Once you have pasted the file, it should look like the image below.
- Click Save.
- Click API permissions from the left pane.
- In the Configured permissions section, click ✓ Grant admin consent for <your_company_name>.
- Click Yes in the pop-up that appears.
- Click Certificates & secrets from the left pane.
- Under the Client secrets section, click New client secret.
- This section generates an app password for Exchange Reporter Plus. In the Description field of the pop-up, provide a name to identify the app to which the
password belongs.
- Choose when the password should expire.
- Click Add.
- Copy the string under Value and save it. This is the Application Secret Key, which you will require later.
- Go to Certificates and click Upload certificate. Upload your application certificate as a .cer file.
- If the user has an SSL certificate, the same can be used here. Otherwise, click here for steps to create a self-signed certificate.
Note: Certificate-based authentication is used to contact Microsoft 365 securely and fetch data. During manual configuration, you will be asked to enter your application Secret and upload the Application Certificate.
- Now go to the Overview section in the left pane.
- Copy the Application (client) ID and Object ID values and save them. You will need these values to configure your tenant in the Exchange Reporter Plus portal.
- Go to the App Roles tab and assign the minimum permissions required for the application. Refer to this table to learn about the roles that must be assigned.
Steps to configure the Azure application in Exchange Reporter Plus
- Return to the Exchange Reporter Plus console.
- Go to Org/Tenant Settings and select Click here to configure with an already existing Azure AD application.
- You will be taken to the Configure Microsoft 365 Tenant page.
- Enter your Tenant Name. For example, test.onmicrosoft.com.
- Paste the Application ID and Application Object ID values copied in Step 34 of the previous section into the respective fields.
- For the Application Secret Key, paste the value copied in Step 32.
- Upload a .pfx file of the certificate that has been uploaded in the Azure portal.
- Enter your certificate password.
- If you have an SSL certificate, you can upload the same in the appropriate field.
- Click Add Tenant.
- You should now see that REST API access is enabled for the account you configured.
Steps to configure a service account in Exchange Reporter Plus
- Now the service account must be configured in Exchange Reporter Plus. To do this, click the edit option under the Actions column.
- Click the edit icon found near Service Account Details.
- Enter the credentials of the service account you need to configure in the respective fields.
- Click Update, and close the pop-up window.
Note: If your service account is MFA-enabled, please check
this section.
Steps to create a self-signed certificate
- If you require a self signed certificate, go to <Installation Directory>\bin folder and run the Create-selfsignedcertificate.ps1 script as administrator.
- Before executing the script, run the following command:
Set-ExecutionPolicy -ExecutionPloicy RemoteSinged -Force -Scope process
- While running the script, you will be asked to add a common name for the certificate, start and end date (yyyy-MM-dd) for the certificate's validity and a private key to protect it.
- Once you enter the values, the script will create a .pfx file (contains both public and private key) in the bin folder
- The .pfx file needs to be uploaded in M365 Manager Plus, while the .cer file should be uploaded in the Azure portal of your application.