Registering with Azure Active Directory

To protect a Microsoft 365 application, you must register the application with Azure Active Directory and grant appropriate permissions. When you register a new application with Azure Active Directory, the application credentials such as application ID and application secret are made available on the Azure Active Directory portal.

Before you begin

Take the following actions:
  • Ensure that you have an active Microsoft 365 subscription.
  • Ensure that you have a Microsoft 365 administrative user ID and password.
    Tip: You can use an automated process to register and configure the Microsoft Azure Active Directory application. For instructions, see technote 6437493.

Procedure

  1. Go to the Microsoft 365 welcome page and sign in to your account by using your Microsoft 365 administrative user ID and password.
  2. To open the Azure Active Directory admin center, in the left pane, click the ellipsis to expand the Show all menu, and then click Admin centers > Azure Active Directory.
  3. To open your tenant dashboard, in the left pane of the Azure Active Directory admin center, click Azure Active Directory.
  4. In the tenant dashboard menu, click App registrations and then click New registration.
  5. To specify a user-facing name for the Microsoft 365 application, on the "Register an application" page, enter a name in the Name field.
  6. Use the default options for the remaining fields, and click Register. The app registration is set up with the user-facing name that you entered.
  7. To obtain the application (client) ID and directory (tenant) ID strings, click Azure Active Directory > tenant - App registrations > App name. Then, copy the application ID and directory ID strings. These strings will be required later, when you register the Microsoft 365 application with IBM Spectrum® Protect Plus.
  8. To create a client secret for this application ID, click Certificates & secrets > New client secret.
  9. In the "Add a client secret" pane, enter any username in the Description field, and click Add. A client secret is generated, and the value is displayed in the "Client secrets" pane.
  10. Copy the client secret to the clipboard by using the copy facility next to the Client secret value field. This character string is also used for registration with IBM Spectrum Protect Plus.
  11. To add permissions for this application ID, click API permissions > Add permissions.
  12. Specify permissions for each API in the following table by taking the following actions:
    1. Select the API name, for example, Azure Active Directory Graph.
    2. For the remaining permissions, select the Application Permissions type for each permission name for the APIs that are listed in the table.
    3. For the permission name User.Read.All, select the Delegated Permissions type.
    4. For the permission name full_access_as_app, select the "APIs my organization uses" view, and enter Office 365 Exchange Online in the search field.
      Remember: The Microsoft APIs view doesn’t display the API name Office 365 Exchange Online by default.
    API                           Permission name
    Microsoft Graph               Directory.Read.All
    Microsoft Graph               User.Read.All
    Office 365 Exchange Online    full_access_as_app
    Microsoft Graph               Calendars.ReadWrite
    Microsoft Graph               Contacts.ReadWrite
    Microsoft Graph               Files.ReadWrite.All
    Microsoft Graph               Mail.Read
    Microsoft Graph               Mail.ReadWrite
    Microsoft Graph               Mail.Send
    Microsoft Graph               Sites.Read.All
    Microsoft Graph               User.Read
    Microsoft Graph               User.Read.All
    Microsoft Graph               User.ReadWrite.All
  13. To save the selected permissions, click Grant admin consent for your organization name, where your organization name specifies the name of your organization.
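
After admin consent is granted, one way to confirm that the registration carries the permissions in the table and nothing broader is to inspect an access token issued to the application. The following Python script is an added example, not part of the original procedure and not IBM or Microsoft code. It assumes that application permissions appear in the token's roles claim and delegated permissions in its scp claim, and it uses an unsigned token constructed inline in place of a real one.

```python
import base64
import json

# Permission names copied from the table on this page, grouped by API.
EXPECTED = {
    "Microsoft Graph": {
        "Directory.Read.All", "User.Read.All", "Calendars.ReadWrite",
        "Contacts.ReadWrite", "Files.ReadWrite.All", "Mail.Read",
        "Mail.ReadWrite", "Mail.Send", "Sites.Read.All", "User.Read",
        "User.ReadWrite.All",
    },
    "Office 365 Exchange Online": {"full_access_as_app"},
}


def jwt_claims(token):
    """Decode a JWT payload for inspection. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit(api, token):
    """Return (in table but not in token, in token but not in table)."""
    claims = jwt_claims(token)
    granted = set(claims.get("roles", []))          # application permissions
    granted |= set(claims.get("scp", "").split())   # delegated permissions
    return sorted(EXPECTED[api] - granted), sorted(granted - EXPECTED[api])


def _constructed_token(claims):
    """Build an unsigned sample token; stands in for one issued to the app."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


# Constructed sample: one table entry absent and one grant beyond the table.
SAMPLE = _constructed_token({
    "roles": sorted(EXPECTED["Microsoft Graph"] - {"User.Read"})
    + ["Sites.FullControl.All"],
})

if __name__ == "__main__":
    not_in_token, unexpected = audit("Microsoft Graph", SAMPLE)
    print("in table, not in token:", not_in_token)
    print("in token, not in table:", unexpected)
```

Tokens for Microsoft Graph and for Office 365 Exchange Online are issued separately, so run the check once per API; any name reported as not in the table is a grant to review and remove.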

What to do next

Follow the instructions in Registering the Microsoft 365 tenant with IBM Spectrum Protect Plus.