Summary: This article contains step-by-step instructions on how to register the application in Azure and grant consent for the Cayosoft Administrator Service to access the managed tenant.
Applies to: Cayosoft Administrator 10.x
ID: KB20240110-1
In this article:
Requirements
MSOnline PowerShell module is required.
Note: This module can be installed automatically using the Cayosoft Administrator Requirements check tool provided as part of the installation download.
Registration from Cayosoft Administrator Console (Recommended Method):
- Open the Cayosoft Administrator Console.
- Navigate to Home > Configuration > Connected Systems Extensions > Microsoft 365.
- Check that the Microsoft 365 connection account is specified.
- Click 'Register application in Azure'.
- Wait until the 'Grant Consent' button appears; it is shown once the application in Azure has been created.
- Click 'Grant Consent'.
- The Azure AD Sign-in page should appear. Specify the password for the Microsoft 365 connection account and click 'Sign in'.
- Scroll down the list of required permissions and click 'Accept'.
Important: Do not select the checkbox 'Consent on behalf of your organization' when accepting permissions.
Note: If the specified Microsoft 365 connection account does not have the Global Admin role assigned, you will see an error about permissions. As a workaround, you can temporarily delegate the Global Admin role for consent granting.
- After that, consent should be fully granted.
Register Azure application and grant consent by PowerShell script
You can register the application and grant the consent with a PowerShell script.
To register the Azure application and grant admin consent, run the script below.
Note: When running the script you will need to specify credentials for the Microsoft 365 connection account.
Set-Variable CayoSoftGraphApiName -option Constant -value "Cayosoft Administrator API Access" # before v5.4.0 the name was "CayosoftGraphApiAccessApp"
Set-Variable CayoSoftGraphApiRedirectUrl -option Constant -value "https://www.cayosoft.com/cayosoftadminconsentredirect/"
Import-Module MSOnline
Import-Module AzureAD
# Credentials of the Microsoft 365 connection account
$OCred = Get-Credential
Connect-MsolService -Credential $OCred
Connect-AzureAD -Credential $OCred
# Do nothing if the application has already been registered
if((Get-AzureADApplication -SearchString $CayoSoftGraphApiName) -ne $Null){
    Write-Host "Azure App already exists"
    return
}
## Assign MS Graph permissions
# Delegated permissions for the MS Graph API (Read Azure Directory + Read audit reports)
$requiredAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredAccess.ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
$requiredAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$resourceAccess.Type = "Scope"; $resourceAccess.Id = "02e97553-ed7b-43d0-ab3c-f8bace0d040c"
$requiredAccess.ResourceAccess.Add($resourceAccess)
$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$resourceAccess.Type = "Scope"; $resourceAccess.Id = "06da0dbc-49e2-44d2-8312-53f166ab848a"
$requiredAccess.ResourceAccess.Add($resourceAccess)
# Delegated permission for the Azure AD Graph API
$requiredAccess2 = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredAccess2.ResourceAppId = "00000002-0000-0000-c000-000000000000" # Azure AD
$requiredAccess2.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$resourceAccess.Type = "Scope"; $resourceAccess.Id = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
$requiredAccess2.ResourceAccess.Add($resourceAccess)
#########
## Assign MS Service Communications API permissions
$requiredAccessSC = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredAccessSC.ResourceAppId = "c5393580-f805-4401-95e8-94b7a6ef2fc2" # Service Communications API
$requiredAccessSC.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$resourceAccess.Type = "Scope"; $resourceAccess.Id = "e2cea78f-e743-4d8f-a16a-75b629a038ae"
$requiredAccessSC.ResourceAccess.Add($resourceAccess)
#########
# Combine the three resource entries into the application's required permissions
$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
$requiredResourcesAccess.Add($requiredAccess)
$requiredResourcesAccess.Add($requiredAccess2)
$requiredResourcesAccess.Add($requiredAccessSC)
# Register a single-tenant public-client application with the consent redirect URL
$createdApp = New-AzureADApplication -DisplayName $CayoSoftGraphApiName -PublicClient $True -ReplyUrls @($CayoSoftGraphApiRedirectUrl) -AvailableToOtherTenants $False -RequiredResourceAccess $requiredResourcesAccess
$appId = $createdApp.AppId
Write-Host "Azure App Id: $appId"
# The connection account is assigned to the application so consent can be granted for it
$u = Get-MsolUser -SearchString $OCred.UserName
Write-Host "User ObjectId for Azure App: $($u.ObjectId)"
# Create the service principal (enterprise application) for the registered app
$appServ = New-AzureADServicePrincipal -AppId $appId -DisplayName $CayoSoftGraphApiName -AccountEnabled $True -Tags {WindowsAzureActiveDirectoryIntegratedApp}
New-AzureADUserAppRoleAssignment -ResourceId $appServ.ObjectId -PrincipalId $u.ObjectId -Id ([Guid]::Empty) -ObjectId $u.ObjectId
Disconnect-AzureAD -Confirm:$False
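The following verification script is an addition to this article, not Cayosoft code: after the console procedure or the registration script above has been run, it checks that the application requests only the three resources and delegated scopes listed in the script, that it is single-tenant, and that consent was granted for the connection account only (ConsentType 'Principal') rather than tenant-wide, which is what the 'Consent on behalf of your organization' checkbox would produce. It assumes the AzureAD module and an existing Connect-AzureAD session.

```powershell
# Added verification script (not part of the Cayosoft article or product).
# Assumes: AzureAD module loaded and Connect-AzureAD already run with an admin account.
$CayoSoftGraphApiName = "Cayosoft Administrator API Access"

# Resource app IDs the registration script requests (from the article); anything else is unexpected.
$expectedResources = @{
    "00000003-0000-0000-c000-000000000000" = "Microsoft Graph"
    "00000002-0000-0000-c000-000000000000" = "Azure AD Graph"
    "c5393580-f805-4401-95e8-94b7a6ef2fc2" = "Service Communications API"
}

$app = Get-AzureADApplication -Filter "displayName eq '$CayoSoftGraphApiName'"
if ($null -eq $app) { Write-Error "Application '$CayoSoftGraphApiName' not found"; return }
if ($app.AvailableToOtherTenants) { Write-Warning "App is multi-tenant; the article registers it as single-tenant" }

# 1. Requested permissions: every resource and scope in the app manifest, flagged if unexpected.
foreach ($rra in $app.RequiredResourceAccess) {
    $known = $expectedResources.ContainsKey($rra.ResourceAppId)
    $label = if ($known) { $expectedResources[$rra.ResourceAppId] } else { "UNEXPECTED RESOURCE" }
    foreach ($ra in $rra.ResourceAccess) {
        # Type 'Role' would be an application permission; the article only uses delegated 'Scope' entries.
        $flag = if (-not $known -or $ra.Type -ne "Scope") { " <-- review" } else { "" }
        Write-Host ("Requested {0,-28} {1,-5} {2}{3}" -f $label, $ra.Type, $ra.Id, $flag)
    }
}

# 2. Granted consent: OAuth2 permission grants where this app's service principal is the client.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
if ($null -eq $sp) { Write-Error "Service principal for AppId $($app.AppId) not found"; return }
$grants = Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId -All $true
if (-not $grants) { Write-Warning "No consent granted yet; run 'Grant Consent' from the console" }
foreach ($g in $grants) {
    $resource = Get-AzureADServicePrincipal -ObjectId $g.ResourceId
    # 'AllPrincipals' means 'Consent on behalf of your organization' was selected, which the
    # article says not to do; 'Principal' is consent for the single connection account only.
    $flag = if ($g.ConsentType -eq "AllPrincipals") { " <-- tenant-wide consent, review" } else { "" }
    Write-Host ("Granted   {0,-28} {1,-13} scopes: {2}{3}" -f $resource.DisplayName, $g.ConsentType, $g.Scope, $flag)
}
```

Any line marked "<-- review" indicates a permission or consent type beyond what this article sets up and is worth checking before the Cayosoft Administrator Service is put into use.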
Remove Azure Application by Script
The Azure application can be removed by the PowerShell script below.
Note: When running the script you will need to specify credentials for the Microsoft 365 connection account.
# Credentials of the Microsoft 365 connection account
$OCred = Get-Credential
Set-Variable CayoSoftGraphApiName -option Constant -value "Cayosoft Administrator API Access" # before v5.4.0 the name was "CayosoftGraphApiAccessApp"
Import-Module AzureAD
Connect-AzureAD -Credential $OCred
# Remove the application registration, if present
$app = Get-AzureADApplication -SearchString $CayoSoftGraphApiName
if($app -ne $Null){ Remove-AzureADApplication -ObjectId $app.ObjectId }
# Remove the matching service principal (enterprise application), if present
$serpr = Get-AzureADServicePrincipal -SearchString $CayoSoftGraphApiName
if($serpr -ne $Null){ Remove-AzureADServicePrincipal -ObjectId $serpr.ObjectId }
Disconnect-AzureAD -Confirm:$False