The M365 bundle must be configured by a person who has admin rights on your Microsoft tenant and access to your Azure Portal.
Required User Roles: Only Global Admins or Account Admins have permissions to add connector plans.
Required M365 Licenses: Minimum M365 Business Basic Plan. Plans that do not meet this level will generate Connector errors.
Connecting Microsoft Exchange, Microsoft OneDrive, and Microsoft Teams
In order to connect SaaSAssure to Microsoft Exchange, Microsoft OneDrive, or Microsoft Teams you will need to add the following items to the connector configuration:
- Client Secret
- Azure Tenant ID (a.k.a. Directory ID)
- Application (Client) ID
You also need to set up the scopes and permissions for SaaSAssure to interact with M365.
Once you have generated the required IDs and secret, assigned the permissions, entered the information into SaaSAssure, and clicked the 'Continue' button, SaaSAssure will attempt to connect to your M365 tenant and the associated SaaS application you've configured.
If the integration was successful you will see a success notification; if there were issues, an error message will display.
How to Generate an Application (Client) ID and Azure Tenant ID
1. Log into your Azure Portal https://portal.azure.com
2. Under the Azure Services header select 'Microsoft Entra ID'
3. Select 'App registrations'
4. Click on 'New registration'. This will open the 'Register an application' form.
5. Enter a name. It is recommended to use something that denotes this is for the SaaSAssure integration.
6. Under 'Supported account types', select 'Accounts in this organizational directory only'.
7. Under Redirect URI (optional) select 'Web' and paste the following URL: https://ui.na.saasassure.com/connectors-add
8. Click the 'Register' button.
9. You will be taken to the application overview page, which will list both the Application (Client) ID and the Directory (Tenant) ID.
10. Don't leave the Azure Portal yet; continue to the 'How to Generate a Client Secret' steps below.
How to Generate a Client Secret
1. While on the application overview page that lists the Application (Client) ID and the Directory (Tenant) ID, under the 'Manage' menu find and click on the 'Certificates & secrets' link in the side menu.
2. Click on the '+ New client secret' link. This will open a new side panel form.
3. Add a description (name) for this key. It is recommended that the description notes this is for a SaaSAssure integration.
4. Set an expiry that fits your organization's needs. Note that once this certificate/secret pair expires you will need to generate a new pair and update SaaSAssure to maintain the integration.
5. Click 'Add' to generate the new client secret.
6. Once the secret has been generated copy the string under the Value column.
Important Note: Client Secret values are only visible immediately after their creation. Be sure to copy and save the secret in the same way you would securely manage a password.
7. Don't leave the Azure Portal yet; stay on this page and continue to the 'Adding Required Scopes and Permissions' steps below.
Adding Required Scopes and Permissions
1. Within the menu on the left-hand side click on 'API permissions'.
2. Click on 'Add a permission'.
3. Select 'Microsoft Graph'.
4. Select 'Application permissions', which will open the permissions category list.
5. Set all applicable permissions listed below. Note that some versions of Microsoft's applications have different permission sets available; select any applicable permissions.
For Exchange please add the following permissions:
API | Permission Required |
Calendars | Calendars.ReadWrite |
Contacts | Contacts.ReadWrite |
Directory | Directory.ReadWrite.All |
MailboxSettings | MailboxSettings.ReadWrite |
Mail | Mail.ReadWrite |
For OneDrive please add the following permissions:
API | Permission Required |
Directory | Directory.ReadWrite.All |
Files | Files.ReadWrite.All |
For Teams please add the following permissions:
API | Permission Required |
AppCatalog | AppCatalog.ReadWrite.All |
CallRecord-PstnCalls | CallRecord-PstnCalls.Read.All |
CallRecord | CallRecords.Read.All |
Channel | 'Channel.Create' and 'Channel.ReadBasic.All' |
ChannelMember | 'ChannelMember.ReadWrite.All' |
ChannelMessage | 'ChannelMessage.Read.All' and 'ChannelMessage.UpdatePolicyViolation.All' |
ChannelSettings | ChannelSettings.ReadWrite.All |
Chat | Chat.ReadWrite.All |
ChatMember | ChatMember.ReadWrite.All |
Directory | Directory.ReadWrite.All |
GroupMember | GroupMember.ReadWrite.All |
MailboxSettings | MailboxSettings.ReadWrite |
Presence | Presence.ReadWrite.All |
Schedule | Schedule.ReadWrite.All |
TeamMember | TeamMember.ReadWrite.All |
TeamsActivity | TeamsActivity.ReadWrite.All |
TeamSettings | TeamSettings.ReadWrite.All |
TeamsTab | TeamsTab.ReadWrite.All |
Team | Team.Create |
6. Click 'Add permissions'.
7. This will add the permissions to the API / Permissions list, noting 'Not granted for app_name'. To grant the permissions, a Global Admin user needs to click the 'Grant Admin Consent for company_name' button, which is displayed above the API / Permissions list to the right of the 'Add a permission' button.
8. Confirm granting the permissions by clicking 'Yes'.
9. You should now see 'Granted for company_name'.
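A check to run after step 9, as an added example that is not SaaSAssure or Microsoft code: it compares the Graph application permissions actually consented to the app registration with the lists above and reports anything missing (consent not granted) or beyond what the connectors in use require. The input shapes follow Microsoft Graph's `appRoles` and `appRoleAssignments` responses; `audit_grants` is a hypothetical helper name, and the IDs and sample data are constructed.

```python
"""Added example: compare consented Graph application permissions with this page's lists."""

# Required application permissions, copied from the tables on this page
# (Teams omitted for brevity; add its rows the same way).
REQUIRED = {
    "Exchange": {"Calendars.ReadWrite", "Contacts.ReadWrite", "Directory.ReadWrite.All",
                 "MailboxSettings.ReadWrite", "Mail.ReadWrite"},
    "OneDrive": {"Directory.ReadWrite.All", "Files.ReadWrite.All"},
}


def audit_grants(connectors, graph_app_roles, assignments, graph_sp_id):
    """Return {'missing': [...], 'extra': [...]} for the connectors in use.

    graph_app_roles: 'appRoles' list of the Microsoft Graph service principal
    assignments:     'value' list of GET /servicePrincipals/{id}/appRoleAssignments
    graph_sp_id:     object ID of the Microsoft Graph service principal in the tenant
    """
    wanted = set().union(*(REQUIRED[c] for c in connectors))
    role_name = {r["id"]: r["value"] for r in graph_app_roles}
    granted = set()
    for a in assignments:
        if a["resourceId"] != graph_sp_id:
            # Consent on an API other than Microsoft Graph: always worth reviewing.
            granted.add("non-Graph:" + a["appRoleId"])
        else:
            granted.add(role_name.get(a["appRoleId"], "unknown:" + a["appRoleId"]))
    return {"missing": sorted(wanted - granted), "extra": sorted(granted - wanted)}


# Constructed sample data (IDs are made up, not real Graph role IDs).
GRAPH_SP = "sp-graph-0001"
APP_ROLES = [
    {"id": "r-dir", "value": "Directory.ReadWrite.All"},
    {"id": "r-files", "value": "Files.ReadWrite.All"},
    {"id": "r-mail", "value": "Mail.ReadWrite"},
]
# Files.ReadWrite.All was added to the registration but never consented,
# so it does not appear among the assignments.
ASSIGNMENTS = [
    {"appRoleId": "r-dir", "resourceId": GRAPH_SP},
    {"appRoleId": "r-mail", "resourceId": GRAPH_SP},
]

if __name__ == "__main__":
    print(audit_grants(["OneDrive"], APP_ROLES, ASSIGNMENTS, GRAPH_SP))
```

Pass every connector that shares the app registration in `connectors`, so that permissions needed by one connector are not reported as extra for another.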
Connecting Microsoft SharePoint
Microsoft SharePoint uses a slightly different authorization method compared to the other Microsoft SaaS applications.
The authorization for SharePoint is based on the SharePoint domain (URL) and an admin user's credentials.
The user adding the SharePoint domain must have the user role of M365 Global Admin or be a SharePoint admin.
To back up any SharePoint site the user must be a Site Admin for that SharePoint site, or the system will skip backing up that site.
Supplemental Resources
PowerShell scripts to automate the application of the required permissions for Exchange, OneDrive and Teams: