Cayosoft Azure Admin Consent for Microsoft Graph API Assignment Details

Summary: Microsoft Graph API provides a single end-point for web service calls that can be used to collect audit and reporting information about Azure and Office 365. By granting Admin Consent to read API data, Cayosoft Administrator is now able to collect data using a modern web service provided by Microsoft.

Applies to: Cayosoft Administrator 5.3.x

ID: KB20170727-1

In this article: 

Requirements

Microsoft AzureAD and MSOnline PowerShell modules are required, please see details in this KB article: KB20131202-1 Required components to work with Azure AD and Office 365 Services: Exchange Online, SharePoint Online, Skype for Business Online

Note: These modules can be installed automatically using the Cayosoft Administrator Requirements check-tool provided as part of the installation download.

Installation from Cayosoft Administrator (Recommended Method):

1. Open the Cayosoft Administrator Console
2. Navigate to Microsoft Office 365 Extension
3. Expand the Admin Consent to Azure API-s section
4. Click the Grant button
   The Azure AD Logon Page should appear
5. Enter the Cayosoft Office 365 Service Account user name
6. Click Next
7. Enter the service account's password
8. Click Sign-in
9. When prompted check the Consent on behalf of your organization
10. Click Accept
11. Close the web browser
12. Re-open the Cayosoft Administrator Console
13. Navigate to Microsoft Office 365 Extension
14. Expand the Admin Consent to Azure API-s section
15. Click Refresh

Register Azure application and grant consent by PowerShell script

You can install the application and grant the consent by PowerShell script.

1. Install PowerShell modules Azure AD and MSOnline as it described in KB article: KB20131202-1 Required components to work with Azure AD and Office 365 Services: Exchange Online, SharePoint Online, Skype for Business Online
2. Register Azure application and grant admin consent. 
   Note: When running the script below you'll need to enter Office 365 credentials for the account that is used in Cayosoft Administrator Office 365 extension (HOME > CONFIGURATION > Microsoft Office 365).
   Important: In previous versions, the application name was "CayosoftGraphApiAccessApp". You need to use this name in the first script line if you're on v5.3.3 and earlier.
   

   Set-Variable CayoSoftGraphApiName -option Constant -value "Cayosoft Administrator API Access" Set-Variable CayoSoftGraphApiRedirectUrl -option Constant -value "https://www.cayosoft.com/cayosoftadminconsentredirect/" Import-Module MSOnline Import-Module AzureAD $OCred = Get-Credential Connect-MsolService –Credential $OCred Connect-AzureAD -Credential $OCred if((Get-AzureADApplication -SearchString $CayoSoftGraphApiName) -ne $Null) { Write-Host "Azure App already exist" return } ## Assign MS Graph permissions #Permissions for MS Graph API (Read Azure Directory + Read audit reports) $requiredAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess $requiredAccess.ResourceAppId = "00000003-0000-0000-c000-000000000000" #Microsoft Graph $requiredAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess] $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess $resourceAccess.Type = "Scope";$resourceAccess.Id = "02e97553-ed7b-43d0-ab3c-f8bace0d040c"; $requiredAccess.ResourceAccess.Add($resourceAccess) $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess $resourceAccess.Type = "Scope";$resourceAccess.Id = "06da0dbc-49e2-44d2-8312-53f166ab848a"; $requiredAccess.ResourceAccess.Add($resourceAccess) $requiredAccess2 = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess $requiredAccess2.ResourceAppId = "00000002-0000-0000-c000-000000000000" #Azure AD $requiredAccess2.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess] $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess $resourceAccess.Type = "Scope";$resourceAccess.Id = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"; $requiredAccess2.ResourceAccess.Add($resourceAccess) ######### ## Assign MS Service Communications API permissions $requiredAccessSC = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess $requiredAccessSC.ResourceAppId = "c5393580-f805-4401-95e8-94b7a6ef2fc2" #Service Communications API $requiredAccessSC.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess] $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess $resourceAccess.Type = "Scope";$resourceAccess.Id = "e2cea78f-e743-4d8f-a16a-75b629a038ae"; $requiredAccessSC.ResourceAccess.Add($resourceAccess) ######### $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess] $requiredResourcesAccess.Add($requiredAccess) $requiredResourcesAccess.Add($requiredAccess2) $requiredResourcesAccess.Add($requiredAccessSC) $createdApp=New-AzureADApplication -DisplayName $CayoSoftGraphApiName -PublicClient $True -ReplyUrls @($CayoSoftGraphApiRedirectUrl) -AvailableToOtherTenants $False -RequiredResourceAccess $requiredResourcesAccess $appId = $createdApp.AppId Write-Host "Azure App Id:$appId" $u=Get-MsolUser -SearchString $OCred.UserName Write-Host "User ObjectId for Azure App: $($u.ObjectId)" $appServ=New-AzureADServicePrincipal -AppId $appId -DisplayName $CayoSoftGraphApiName -AccountEnabled $True -Tags {WindowsAzureActiveDirectoryIntegratedApp} New-AzureADUserAppRoleAssignment -ResourceId $appServ.ObjectId -PrincipalId $u.ObjectId -Id ([Guid]::Empty) -ObjectId $u.ObjectId Disconnect-AzureAD -Confirm:$False #

Remove Azure Application by Script

The Azure application can be removed by the PowerShell script below.
Note: When running the script you'll need to enter Office 365 credentials for the account that is used in Cayosoft Administrator Office 365 extension.

Important: In previous versions, the application name was "CayosoftGraphApiAccessApp". You need to use this name in the first script line if you're on v5.3.3 and earlier.

$OCred = Get-Credential
Set-Variable CayoSoftGraphApiName -option Constant -value "Cayosoft Administrator API Access"
Import-Module AzureAD
Connect-AzureAD -Credential $OCred
$app=Get-AzureADApplication -SearchString $CayoSoftGraphApiName
if($app -ne $Null){ Remove-AzureADApplication -ObjectId $app.ObjectId }
$serpr=Get-AzureADServicePrincipal -SearchString $CayoSoftGraphApiName
if($serpr -ne $Null){ Remove-AzureADServicePrincipal -ObjectId $serpr.ObjectId }
Disconnect-AzureAD -Confirm:$False

Related Articles

How to grant admin consent to Azure APIs and connect to the Microsoft Graph API

KB20180823-1 Troubleshooting Cayosoft Administrator Grant Consent

KB20131202-1 Required components to work with Azure AD and Office 365 Services: Exchange Online, SharePoint Online, Skype for Business Online