Installation and Configuration
Microsoft Graph Connector

Introduction

With the help of the Microsoft Graph Connector, all users of a Microsoft Graph instance can be indexed and used in Mindbreeze InSpire. Microsoft Entra ID users are indexed, including the following points:

Profile metadata
Manager names and references to the manager (e.g. organizational chart)
Microsoft Graph profile pictures as thumbnails in Mindbreeze InSpire
„Extension Attributes“ of the users

Hint: Microsoft Entra ID (ME-ID) is the new name for Microsoft Azure Active Directory (Azure AD). You can manage your Microsoft Graph instance here: Microsoft Entra - Microsoft Entra admin center.

For more information about what Microsoft Entra ID is and what changes to note with the name change, see What is Microsoft Entra ID? - Microsoft Entra | Microsoft Learn and New name for Azure Active Directory - Microsoft Entra | Microsoft Learn.

Prerequisites

To enable the crawling of Microsoft Graph, a new or existing Microsoft Graph application is required that has permissions to read Microsoft Graph.

The Microsoft Graph application must meet the following requirements:

Available Client Secret
- An expiration of 6 to 12 months is recommended so that the client secret is changed regularly.
- Attention: When creating the client secret, please note that the secret in the column “Value” is mandatory for creating the credentials in Mindbreeze InSpire. Make a note of this value immediately after creating the client secret, as the value will no longer be displayed in full when you leave the section.
Granted access rights
- User.Read.All

The creation of a new application is carried out in Microsoft Entra - Microsoft Entra admin center. For more information, see the following links:

Registration of a new application: How to register an app in Microsoft Entra ID - Microsoft identity platform | Microsoft Learn
Creation of a Client Secret: Add and manage app credentials in Microsoft Entra ID - Microsoft identity platform | Microsoft Learn
Granting of access rights: Web API app registration and API permissions - Microsoft identity platform | Microsoft Learn

Configuration

This chapter explains the basic configuration of the Microsoft Graph Connector in a Quickstart Guide. If you need additional information for your use case, you will find a list of all settings and national endpoints in the following chapters.

Quickstart Guide

Step 1: Creation of the index

Add a new index in the tab “Indices” using the button “+Add Index”. Select the desired “Index Node” and “Client Service” and select the option “Microsoft Graph” in “Data Source”. Then confirm your entries with “Apply”.

Give the newly created index a name in “Display Name,” like “Microsoft Graph Connector.”

Save the created index with “Save”.

Step 2: Creation of the credential

Next, you need a suitable credential. If you have already configured a credential with the appropriate “Type” and “Password,” you can use this credential. If this is not the case, you must create a new credential in the “Network” tab with the following settings:

Setting	Entry
Name	Example: Microsoft Graph App Credential Client Secret
Type	Password
Password	The client secret of your Microsoft Graph instance is required as the password. Example: 1234abcd-5678-ef90-1a2b-3c4d5e6f7a8b

Save the credential you have created by clicking “Save.”

Step 3: Configuration of the data source

Go back to the index you created in the “Indices” tab and configure the data source in the section “Data Sources” with the following settings:

Setting	Description	Example
Tenant ID	The Tenant ID of the Microsoft Graph application. Hint: You can find the “Tenant ID” in the “Overview” screen of your application in the section “Essentials” as “Directory (tenant) ID”.	Example: 5678efgh-9012-ij34-5a6b-5c6d7e8f9a0b
App ID	The App ID of the Microsoft Graph application. Hint: You can find the “App ID” in the ‘Overview’ screen of your application in the section “Essentials” as “Application (client) ID”.	Example: 3434cdcd-7878-gh09-1a2b-3c4d3e4f3a4b
Client Secret	The credential created in the “Network” tab, which contains the client secret that was created.	Example: Microsoft Graph App Credential Client Secret

Save the configuration with “Save.” The Microsoft Graph Connector is now fully configured.

Available settings

Section “Connection Settings”

In the section "Connection Settings" you can define your Microsoft Graph instance to be indexed.

Setting

Description

Default setting/Example

Graph Service Root

(Advanced Settings)

The endpoint or URL of the Microsoft Graph API.

Only change this setting if you want to use a national Microsoft cloud, such as the cloud for the US government.

A list of all available national Microsoft Graph endpoints can be found in the chapter Microsoft Graph.

Default setting:

https://graph.microsoft.com

AD Url

(Advanced Settings)

The endpoint or URL for the Microsoft Entra ID cloud.

Only change this setting if you want to use a national Microsoft cloud, such as the cloud for the US government.

A list of all available national Microsoft Entra ID endpoints can be found in the chapter Microsoft Entra ID.

Default setting:

https://login.microsoftonline.com

Trust all SSL certificates

(Advanced Settings)

Allows the use of unsecured connections, for example, for test systems.

Attention: Do not enable this setting in the production environment.

Default setting:

Deactivated

Tenant ID*

The Tenant ID of the Microsoft Graph application.

Hint: You can find the “Tenant ID” in the ‘Overview’ screen of your application in the section “Essentials” as “Directory (tenant) ID.”

Example:

5678efgh-9012-ij34-5a6b-5c6d7e8f9a0b

App ID*

The App ID in the Microsoft Graph application.

Hint: You can find the “App ID” in the ‘Overview’ screen of your application in the section “Essentials” as “Application (client) ID.”

Example:

3434cdcd-7878-gh09-1a2b-3c4d3e4f3a4b

Client Secret*

The Credential created in the “Network” tab, which contains the created Client Secret.

Example:

Microsoft Graph App Credential Client Secret

Crawler Thread Count

Number of threads used for indexing.

Default setting:

Max Retries

The maximum number of retries attempted when the server sends certain throttling responses (e.g. HTTP 429).

Default setting:

Network Timeout (Seconds)

Time in seconds that the connector waits for a response from Microsoft Graph.

Default setting:

Log All Requests

(Advanced Settings)

If this setting is enabled, all requests to the Graph API are written to a log file.

Should only be enabled for troubleshooting purposes.

Default setting:

Deactivated

Get Metadata From Profile

(Advanced Settings)

If this setting is enabled, additional Metadata is fetched from the profile endpoint. This information includes, skills, languages, projects etc.

Default setting:

Activated

Include Additional User Info

(Advanced Settings)

If this setting is enabled, the following additional metadata is retrieved for each user:

Metadata	Description
mgru_manager	Name of the user's manager.
mgru_managerId	Reference to the manager.
mgru_onPremises ExtensionAttributes	Item containing all extension attributes (1-15) (if set).
mgru_onPremises ExtensionAttributes _extensionAttribute<x>	The value of the extension attribute x (if set).

Default setting:

Activated

Enable Delta Crawl

(Advanced Settings)

If this setting is enabled, the crawler only retrieves all users from Microsoft Graph during the first update. After that, only changes to the user are retrieved. This setting can improve performance.

Only deactivate this option, if there is an inconsistency between the index and the actual users in Microsoft Graph.

Default setting:

Activated

Use Profile Picture as Thumbnail

(Advanced Settings)

If this option is enabled, the user's profile picture in Microsoft Graph will be used as a thumbnail in Mindbreeze InSpire.

Default setting:

Activated

* = These settings must be configured for the Connector to function and be established. All other settings must be configured according to the specific application.

Section “Crawling Constraints” (Advanced Settings)

Setting

Description

Constraints

Constraints can be used to exclude messages based on their metadata.

Setting	Description
Metadata Key	The name of the metadata with which the patterns are compared. This refers to the name of the metadata in the index.
Include Pattern (regex)	Regex pattern used to compare the value of the metadata. If the pattern matches, the document is included.
Exclude Pattern (regex)	Regex pattern used to compare the value of the metadata. If the pattern matches, the document is excluded.

Please note the following:

A constraint is only checked if the object has set the corresponding metadata. Otherwise, the constraint is ignored.
Exclusion is treated more strongly than inclusion. If an object is excluded by at least one exclude pattern, it will not be indexed, regardless of whether it matches other include patterns.
If an include pattern is configured for a metadata, every object that has the metadata must match the pattern in order to be indexed.
If only exclude patterns have been set for the metadata, the object is indexed as long as it does not match any exclude patterns.

Section “Authorization Settings” (Advanced Settings)

Setting

Description

Static Access Rules

Microsoft Graph documents cannot be used in Mindbreeze InSpire by default because Microsoft Graph does not provide ACL information. To use Microsoft Graph documents in Mindbreeze InSpire nonetheless, static ACLs can be set in this setting.

In addition, access to certain users and groups can also be defined using static ACLs.

The following settings are available:

Setting	Description
Access Check Principal	The principal name to which the access rule should apply (e.g., everyone, user@myorganization.com, Management).
Access Check Action	Here you can choose whether to grant (“Grant”) or deny (“Deny”) access to the defined principal.

Available national endpoints

Microsoft Graph

National Cloud	Microsoft Graph
Microsoft Graph global service	https://graph.microsoft.com
Microsoft Graph for US Government L4 (GCC High)	https://graph.microsoft.us
Microsoft Graph for US Government L5 (DOD)	https://dod-graph.microsoft.us
Microsoft Graph China operated by 21Vianet	https://microsoftgraph.chinacloudapi.cn

For more information, see https://learn.microsoft.com/en-gb/graph/deployments#microsoft-graph-and-graph-explorer-service-root-endpoints.

Microsoft Entra ID

National Cloud	Microsoft Entra authentication endpoint
Microsoft Entra ID (global service)	https://login.microsoftonline.com
Microsoft Entra ID for US Government	https://login.microsoftonline.us
Microsoft Entra China operated by 21Vianet	https://login.partner.microsoftonline.cn

For more information, see https://learn.microsoft.com/en-gb/entra/identity-platform/authentication-national-cloud#microsoft-entra-authentication-endpoints.

List of requests

The following requests are executed by the Microsoft Graph Connector during the crawl run.

Request	HTTP-Method	Description
https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/token	POST	Fetching the Access Token.
https://graph.microsoft.com/beta/users/delta	GET	Fetch all users during the first crawl run and afterwards, if the setting "Enable Delta Crawl" is enabled, also fetch the users that have been changed since the last crawl run.
https://graph.microsoft.com/beta/users/<userId>	GET	Fetch additional user info (e. g. information about the user’s manager).
https://graph.microsoft.com/beta/users/<userId>/photo/$value	GET	Downloading the profile picture of a user.

Installation and Configuration
Microsoft Graph Connector

Introduction

Prerequisites

Configuration