This article explains how to register an application in Azure Active Directory in order to give access to Graph APIs.
The following steps will generate the Client Id and Client Secret needed in your Cloudiway connectors.
Step 1: Create a new Application.
Login to Azure portal using your Office 365 administrator account.
- Go to https://portal.azure.com
- Select Azure Active Directory
- Click on App Registration
- Click on New Registration
Give a name to the application.
Supported Account types: Select Accounts in their Organizational directory Only
Redirect URL is not used. Enter any value. I.e https://notused
Click On Register.
Create a New Secret.
- Click on Certificates and Secrets
- Click On New Client Secret
Enter a description, an expiration date, and Click Add
Save the client secret!
At this step, the Application is created.
Go to the Overview section. Save your Client ID:
The last step before the Graph API Permissions, don’t forget to enable the “Allow public client flows” in Authentication
Step 2: Graph API Permissions
- Click On API Permissions
- Click on Add a permission
- Depending on the scenario, use the table below to determine the permissions to add (Application Type):
| Connector | Graph API | Source | Target |
|---|---|---|---|
| GALSync | Microsoft Graph | Directory.Read.All Group.Read.All User.Read.All OrgContact.Read.All To enable the modification of Guest or Mail user: User.ReadWrite.All To create items as Guests: User.Invite.All | |
| Free/Busy | Microsoft Graph | Calendars.Read | |
| Office 365 Exchange Online ** | full_access_as_app | full_access_as_app | |
| OneDrive | Microsoft Graph | Directory.Read.All Files.Read.All Sites.Read.All Group.Read.All User.Read.All | Directory.Read.All Files.ReadWrite.All Sites.ReadWrite.All Sites.FullControl.All Group.ReadWrite.All User.Read.All |
| Teams | Microsoft Graph | Directory.Read.All Files.Read.All Group.Read.All Group.Read.All (Delegated Type) Group.ReadWrite.All * Group.ReadWrite.All (Delegated Type) Sites.Read.All User.Read.All | Directory.Read.All Files.ReadWrite.All Group.ReadWrite.All Group.ReadWrite.All (Delegated Type) Sites.ReadWrite.All User.ReadWrite.All |
| SharePoint | Microsoft Graph | Directory.Read.All Files.Read.All Group.Read.All Group.ReadWrite.All * Sites.Read.All User.Read.All | Directory.Read.All Files.ReadWrite.All Group.ReadWrite.All Sites.ReadWrite.All User.ReadWrite.All |
* The migration account needs to be Owner and Member of the Group/Team in the source and the target. If it is not Owner and Member of the Team, the migration engine will add it automatically with the permission Group.ReadWrite.All.
** The process for adding the EWS scopes are slightly different and is documented here by Microsoft: https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
E.g. for Teams connector:
Source >
Target >
- To add permission, click on Microsoft Graph or SharePoint in the list, select Application permissions, and add the relevant permissions.
- When all the permissions are added, close the API select window, click on Grant admin consent.
You’re all set! All you need to do is provide the Client Id and Client Secret in your connector!