Copyright © Mindbreeze GmbH, A-4020 Linz, 2024.
All rights reserved. All hardware and software names used are brand names and/or trademarks of their respective manufacturers.
These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes, or any other protected rights. The dissemination, publication, or reproduction hereof is prohibited.
For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.
Using the Microsoft Graph connector, all users in your Microsoft Graph instance can be indexed so that they can be found in the Mindbreeze search.
To enable crawling the Microsoft Graph, a new app must first be created that has the permissions to read Microsoft Graph. This app can be created on portal.azure.com.
To create or register the app, navigate to "Azure Active Directory" -> "App registrations" and click on the "New registration" button.
After the app has been created, a secret must be generated so that the crawler can actually log in. This is normally requested automatically after the app has been created. Otherwise, click on the desired app under "App registrations" -> "Owned applications" and then create the secret under "Certificates & secrets" -> "New client secret".
When creating the secret, you can set its expiration time. We recommend a validity period of 6-12 months, so that the secret is changed regularly.
Note: You must copy the created secret so that you can enter it directly in the Mindbreeze configuration. You can add the secret in the Network tab under the "Credentials" area by clicking on the "Add Credential" button.
Once you leave the page, the secret can no longer be displayed.
Now you have to give the app the required permissions. To do this, navigate to "API permissions". The Microsoft Graph Crawler needs the following Application Permissions in Microsoft Graph:
After you have given the app the permission, you have to grant "admin consent". Use the button "Grant admin consent for <MyInstance>" for this.
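The 6-12 month expiry recommendation for the client secret can be checked with a script. This is an added example, not Mindbreeze code: it audits the `passwordCredentials` array of the app registration in the shape Microsoft Graph returns it. The sample entries, the 30-day warning window and the function names are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=366)  # upper end of the 6-12 month recommendation
WARN_BEFORE = timedelta(days=30)    # assumed lead time for rotating the secret

# Constructed sample in the shape of the passwordCredentials array that
# Microsoft Graph returns for an app registration; all values are made up.
SAMPLE = json.loads("""[
  {"displayName": "crawler-a", "startDateTime": "2024-01-15T09:00:00Z",
   "endDateTime": "2024-10-15T09:00:00Z"},
  {"displayName": "crawler-b", "startDateTime": "2023-03-01T00:00:00Z",
   "endDateTime": "2025-03-01T00:00:00Z"},
  {"displayName": "crawler-c", "startDateTime": "2023-06-01T00:00:00Z",
   "endDateTime": "2024-06-01T00:00:00Z"},
  {"displayName": "crawler-d", "startDateTime": "2024-07-01T00:00:00.1234567Z",
   "endDateTime": "2025-01-01T00:00:00.1234567Z"}
]""")


def parse_ts(value):
    """Parse a Graph timestamp; tolerates 'Z' and 7-digit fractional seconds."""
    head, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    return stamp.replace(microsecond=micro, tzinfo=timezone.utc)


def audit_secrets(credentials, now):
    """Return {displayName: [findings]}; an empty list means nothing to do."""
    report = {}
    for cred in credentials:
        start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
        findings = []
        if end - start > MAX_LIFETIME:
            findings.append("LIFETIME_OVER_12_MONTHS")
        if end <= now:
            findings.append("EXPIRED")  # the crawler can no longer fetch a token
        elif end - now <= WARN_BEFORE:
            findings.append("ROTATE_NOW")
        report[cred["displayName"]] = findings
    return report


if __name__ == "__main__":
    today = datetime(2024, 9, 20, tzinfo=timezone.utc)  # fixed date for the sample
    for name, findings in audit_secrets(SAMPLE, today).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```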
In the Indices tab, add a new index using the +Add Index button. Select the desired Index Node and Client Service and specify the Microsoft Graph data source in the Data Source field. Then confirm your entries with the Apply button.
Now configure the data source.
Legend:
In the "Connection Settings" area you can define your Microsoft Graph instance to be indexed. The following options are available:
Graph Service Root (Advanced Settings) | The endpoint/URL of the Microsoft Graph API. By default, "https://graph.microsoft.com". Change this setting only if you are using a national (non-international) Microsoft Cloud. A list of all available national Microsoft Graph endpoints can be found below. |
Azure AD Url (Advanced Settings) | The endpoint/URL to the Azure Active Directory. By default, "https://login.microsoftonline.com". Change this setting only if you are using a national (non-international) Microsoft Cloud. A list of all available national Azure AD endpoints can be found below. |
Trust all SSL certificates (Advanced Settings) | Accepts any SSL/TLS certificate without validating it, which allows the use of non-secured connections, for example for test systems. Must not be enabled in production. |
Tenant ID* | The Tenant ID of your Microsoft 365 instance. You can find this on the Overview page of the app you created in Azure. |
App ID* | The Application (Client) ID of the app created in Azure. |
Client Secret* | The Credential created in the Network tab, which contains the created Client Secret. |
Crawler Thread Count | Number of threads used for indexing. |
Log All Requests | If this option is enabled, all requests against the Graph API are written to a log file. Should only be activated for troubleshooting. |
Get Metadata From Profile (Advanced Settings) | If this option is enabled, additional metadata is fetched from the profile endpoint. This information includes skills, languages, projects, etc. |
Include Additional User Info | If this option is enabled, additional information about each user is fetched. More information on which additional metadata will be included can be found below. |
Enable Delta Crawl | As long as this option is enabled, the crawler fetches all users from Microsoft Teams only during the first crawl run; after that, only changes to users (new user, user edited, user deleted, etc.) are fetched. This setting improves performance. Only deactivate this option if there is an inconsistency between the index and the actual users in Microsoft Graph. |
Use Profile Picture as Thumbnail | If this option is enabled, the user's profile picture in Microsoft Graph will be used as a thumbnail in the Mindbreeze search. |
Microsoft Graph global service | https://graph.microsoft.com |
Microsoft Graph for US Government L4 | https://graph.microsoft.us |
Microsoft Graph for US Government L5 (DOD) | https://dod-graph.microsoft.us |
Microsoft Graph China operated by 21Vianet | https://microsoftgraph.chinacloudapi.cn |
Azure AD (global service) | https://login.microsoftonline.com |
Azure AD for US Government | https://login.microsoftonline.us |
Azure AD China operated by 21Vianet | https://login.chinacloudapi.cn |
Static Access Rules | Since there are no permissions to view users in Microsoft Graph, no ACLs are set in Mindbreeze. This means that the Microsoft Graph Crawler should generally be used on a public index. However, if you want to restrict access to certain groups (e.g. only logged-in users, management, HR, etc.), you can do this with the help of this setting. The access rules defined here are set for all indexed users. The following setting options are available:
|
Constraints | Constraints can be used to exclude messages via their metadata.
The following should be noted:
|
If the advanced setting “Include Additional User Info” is enabled, the following metadata is added as well:
mgru_manager | Name of the user’s manager |
mgru_managerId | Reference to the manager |
mgru_onPremisesExtensionAttributes | Item containing all the extension attributes (1-15) |
mgru_onPremisesExtensionAttributes_extensionAttribute<x> | Value of the extension attribute x (if set) |
The following requests are executed by the Microsoft Graph Connector during the crawl run.
Request | HTTP-Method | Description |
https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/token | POST | Fetching the Access Token. |
https://graph.microsoft.com/beta/users/delta | GET | Fetch all users during the first crawl run and afterwards, if the option "Enable Delta Crawl" is enabled, also fetch the users that have been changed since the last crawl run. |
https://graph.microsoft.com/beta/users/<userId> | GET | Fetch additional user info (e.g. information about the user’s manager). |
https://graph.microsoft.com/beta/users/<userId>/photo/$value | GET | Downloading the profile picture of a user. |
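The token request from the first row of the table can be assembled offline to check the connection settings before a crawl. This is an added example, not Mindbreeze code: it verifies that "Graph Service Root" and "Azure AD Url" are HTTPS endpoints of the same cloud and then builds the OAuth 2.0 client-credentials request. The function names, sample IDs and the cloud pairing are assumptions; the form fields and the `.default` scope are standard Microsoft identity platform parameters that this page does not list.

```python
import uuid
from urllib.parse import urlsplit

# Graph service root -> Azure AD endpoint of the same cloud. The URLs are the
# ones listed on this page; which login endpoint belongs to which Graph root
# is an assumption taken from Microsoft's national-cloud documentation.
CLOUDS = {
    "https://graph.microsoft.com": "https://login.microsoftonline.com",
    "https://graph.microsoft.us": "https://login.microsoftonline.us",
    "https://dod-graph.microsoft.us": "https://login.microsoftonline.us",
    "https://microsoftgraph.chinacloudapi.cn": "https://login.chinacloudapi.cn",
}


def normalize(url):
    """Reduce an endpoint to 'https://host'; reject anything else."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"{url!r}: endpoint must be an https URL")
    if parts.port or parts.username or parts.path not in ("", "/") or parts.query:
        raise ValueError(f"{url!r}: expected a bare service root")
    return f"https://{parts.hostname}"


def build_token_request(graph_root, aad_url, tenant_id, app_id, client_secret):
    """Return (token URL, form fields) for the client-credentials token POST."""
    graph_root, aad_url = normalize(graph_root), normalize(aad_url)
    if graph_root not in CLOUDS:
        raise ValueError(f"{graph_root}: not a listed Microsoft Graph endpoint")
    if aad_url != CLOUDS[graph_root]:
        # The client secret is posted to aad_url, so a wrong value sends it
        # to a login service the app registration does not live in.
        raise ValueError(f"{aad_url} does not match {graph_root}")
    tenant = str(uuid.UUID(tenant_id))  # also keeps path characters out of the URL
    fields = {
        "grant_type": "client_credentials",
        "client_id": str(uuid.UUID(app_id)),
        "client_secret": client_secret,
        "scope": f"{graph_root}/.default",  # application permissions of the app
    }
    return f"{aad_url}/{tenant}/oauth2/v2.0/token", fields


if __name__ == "__main__":
    url, fields = build_token_request(
        "https://graph.microsoft.us/", "https://login.microsoftonline.us",
        "11111111-2222-3333-4444-555555555555",  # constructed tenant ID
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # constructed app ID
        "placeholder-secret")
    print(url, {k: v for k, v in fields.items() if k != "client_secret"})
```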