Summary: Microsoft Graph API provides a single endpoint for web service calls that can be used to collect audit and reporting information about Azure and Office 365. Once Admin Consent to read API data has been granted, Cayosoft Administrator can collect data using this modern web service provided by Microsoft.
Applies to: Cayosoft Administrator 5.3.x
ID: KB20170727-1
Requirements
The Microsoft AzureAD and MSOnline PowerShell modules are required. For details, see KB article KB20131202-1 Required components to work with Azure AD and Office 365 Services: Exchange Online, SharePoint Online, Skype for Business Online
Note: These modules can be installed automatically using the Cayosoft Administrator Requirements check-tool provided as part of the installation download.
Installation from Cayosoft Administrator (Recommended Method):
- Open the Cayosoft Administrator Console
- Navigate to Microsoft Office 365 Extension
- Expand the Admin Consent to Azure API-s section
- Click the Grant button. The Azure AD Logon Page should appear.
- Enter the Cayosoft Office 365 Service Account user name
- Click Next
- Enter the service account's password
- Click Sign-in
- When prompted, check Consent on behalf of your organization
- Click Accept
- Close the web browser
- Re-open the Cayosoft Administrator Console
- Navigate to Microsoft Office 365 Extension
- Expand the Admin Consent to Azure API-s section
- Click Refresh
Register Azure application and grant consent by PowerShell script
You can also install the application and grant consent using a PowerShell script.
- Install the Azure AD and MSOnline PowerShell modules as described in KB article: KB20131202-1 Required components to work with Azure AD and Office 365 Services: Exchange Online, SharePoint Online, Skype for Business Online
- Register Azure application and grant admin consent.
Note: When running the script below you'll need to enter Office 365 credentials for the account that is used in Cayosoft Administrator Office 365 extension (HOME > CONFIGURATION > Microsoft Office 365).
Important: In previous versions, the application name was "CayosoftGraphApiAccessApp". You need to use this name in the first script line if you're on v5.3.3 and earlier.
```powershell
Set-Variable CayoSoftGraphApiName -Option Constant -Value "Cayosoft Administrator API Access"
Set-Variable CayoSoftGraphApiRedirectUrl -Option Constant -Value "https://www.cayosoft.com/cayosoftadminconsentredirect/"

Import-Module MSOnline
Import-Module AzureAD

# Sign in to both services with the Office 365 extension account
$OCred = Get-Credential
Connect-MsolService -Credential $OCred
Connect-AzureAD -Credential $OCred

# Stop if the application is already registered
if ($null -ne (Get-AzureADApplication -SearchString $CayoSoftGraphApiName)) {
    Write-Host "Azure App already exist"
    return
}

## Assign MS Graph permissions
# Permissions for MS Graph API (Read Azure Directory + Read audit reports)
$requiredAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredAccess.ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
$requiredAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]

$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$resourceAccess.Type = "Scope"
$resourceAccess.Id = "02e97553-ed7b-43d0-ab3c-f8bace0d040c"
$requiredAccess.ResourceAccess.Add($resourceAccess)

$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$resourceAccess.Type = "Scope"
$resourceAccess.Id = "06da0dbc-49e2-44d2-8312-53f166ab848a"
$requiredAccess.ResourceAccess.Add($resourceAccess)

$requiredAccess2 = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredAccess2.ResourceAppId = "00000002-0000-0000-c000-000000000000" # Azure AD
$requiredAccess2.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]

$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$resourceAccess.Type = "Scope"
$resourceAccess.Id = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
$requiredAccess2.ResourceAccess.Add($resourceAccess)

## Assign MS Service Communications API permissions
$requiredAccessSC = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredAccessSC.ResourceAppId = "c5393580-f805-4401-95e8-94b7a6ef2fc2" # Service Communications API
$requiredAccessSC.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]

$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$resourceAccess.Type = "Scope"
$resourceAccess.Id = "e2cea78f-e743-4d8f-a16a-75b629a038ae"
$requiredAccessSC.ResourceAccess.Add($resourceAccess)

# Collect the three resource access sets for the registration
$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
$requiredResourcesAccess.Add($requiredAccess)
$requiredResourcesAccess.Add($requiredAccess2)
$requiredResourcesAccess.Add($requiredAccessSC)

# Register the application as a single-tenant public client
$createdApp = New-AzureADApplication -DisplayName $CayoSoftGraphApiName -PublicClient $True -ReplyUrls @($CayoSoftGraphApiRedirectUrl) -AvailableToOtherTenants $False -RequiredResourceAccess $requiredResourcesAccess
$appId = $createdApp.AppId
Write-Host "Azure App Id:$appId"

$u = Get-MsolUser -SearchString $OCred.UserName
Write-Host "User ObjectId for Azure App: $($u.ObjectId)"

# Create the service principal and assign the service account to it
$appServ = New-AzureADServicePrincipal -AppId $appId -DisplayName $CayoSoftGraphApiName -AccountEnabled $True -Tags @("WindowsAzureActiveDirectoryIntegratedApp")
New-AzureADUserAppRoleAssignment -ResourceId $appServ.ObjectId -PrincipalId $u.ObjectId -Id ([Guid]::Empty) -ObjectId $u.ObjectId

Disconnect-AzureAD -Confirm:$False
```
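To confirm that what was registered and consented matches what the script above requests, the following added example (not from Cayosoft or the original article) compares the application's requested permissions against the four scope IDs in the script and lists the delegated grants recorded for it. It assumes the AzureAD module is installed and that the signed-in account can read applications and permission grants; the variable names are illustrative.

```powershell
# Added example (not Cayosoft's code): audit the app created by the registration script.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$appName  = "Cayosoft Administrator API Access"   # "CayosoftGraphApiAccessApp" on v5.3.3 and earlier
$redirect = "https://www.cayosoft.com/cayosoftadminconsentredirect/"

# Expected "ResourceAppId/ScopeId" pairs, copied from the registration script on this page.
$expected = @(
    "00000003-0000-0000-c000-000000000000/02e97553-ed7b-43d0-ab3c-f8bace0d040c",
    "00000003-0000-0000-c000-000000000000/06da0dbc-49e2-44d2-8312-53f166ab848a",
    "00000002-0000-0000-c000-000000000000/311a71cc-e848-46a1-bdf8-97ff7156d8e6",
    "c5393580-f805-4401-95e8-94b7a6ef2fc2/e2cea78f-e743-4d8f-a16a-75b629a038ae"
)

$apps = @(Get-AzureADApplication -Filter "DisplayName eq '$appName'")
if ($apps.Count -ne 1) { Write-Warning "Expected exactly one app named '$appName', found $($apps.Count)"; return }
$app = $apps[0]

# Flatten what the registration requests; the script only asks for delegated ("Scope") entries.
$actual = @(foreach ($rra in $app.RequiredResourceAccess) {
    foreach ($ra in $rra.ResourceAccess) {
        if ($ra.Type -ne "Scope") { Write-Warning "Non-delegated permission requested: $($ra.Id) ($($ra.Type))" }
        "{0}/{1}" -f $rra.ResourceAppId, $ra.Id
    }
})
$actual   | Where-Object { $expected -notcontains $_ } | ForEach-Object { Write-Warning "Requested but not in the script: $_" }
$expected | Where-Object { $actual   -notcontains $_ } | ForEach-Object { Write-Warning "In the script but not requested: $_" }

# Registration settings the script sets explicitly.
if ($app.AvailableToOtherTenants) { Write-Warning "App is multi-tenant; the script sets AvailableToOtherTenants to False" }
foreach ($url in $app.ReplyUrls) {
    if ($url -ne $redirect) { Write-Warning "Unexpected reply URL: $url" }
}

# Delegated grants actually consented. ConsentType "AllPrincipals" is tenant-wide admin consent.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"
if (-not $sp) { Write-Warning "No service principal for AppId $($app.AppId)"; return }
Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ClientId -eq $sp.ObjectId } |
    ForEach-Object {
        [pscustomobject]@{
            Resource    = (Get-AzureADServicePrincipal -ObjectId $_.ResourceId).DisplayName
            ConsentType = $_.ConsentType
            PrincipalId = $_.PrincipalId
            Scope       = $_.Scope
        }
    }
```

A clean run prints no warnings and one row per resource API with a grant; any scope in the `Scope` column beyond what the script requests is worth reviewing.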
Remove Azure Application by Script
The Azure application can be removed by the PowerShell script below.
Note: When running the script you'll need to enter Office 365 credentials for the account that is used in Cayosoft Administrator Office 365 extension.
Important: In previous versions, the application name was "CayosoftGraphApiAccessApp". You need to use this name in the first script line if you're on v5.3.3 and earlier.
Related Articles
How to grant admin consent to Azure APIs and connect to the Microsoft Graph API
KB20180823-1 Troubleshooting Cayosoft Administrator Grant Consent