Mindbreeze GmbH, A-4020 Linz, 2023.
All rights reserved. All hardware and software names used are brand names and/or trademarks of their respective manufacturers.
These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes, or any other protected rights. The dissemination, publication, or reproduction hereof is prohibited.
For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.
Using the Microsoft Azure Principal Resolution Service, groups in Microsoft Azure can be resolved. These groups are used by many Microsoft services, such as SharePoint Online, Teams, or Stream. If you have set up a connector for any of these data sources, you should also use the Microsoft Azure Principal Resolution Service.
In order for the Principal Resolution Service to resolve Microsoft Azure groups, a new app must first be created that has the permissions to read Microsoft Azure groups. This app can be created at portal.azure.com.
Navigate to Azure Active Directory -> App registrations and click the "New Registration" button to register a new app:
After you have created the app, you still need to create a Secret so that the Principal Resolution Service can actually log in:
When creating the client secret, an expiry time can be selected. We recommend 6-12 months so that the secret is changed regularly.
After that you can copy the secret. When you leave the page, you will not be able to view the secret anymore, so make sure that you enter the secret directly into the Mindbreeze configuration (see next section).
Now you need to give the app the permissions it needs. Navigate to "App permissions" to do this. The Microsoft Azure Principal Resolution Service requires the following Application Permissions in Microsoft Graph:
After granting the app permission, you still need to give "admin consent". To do this, use the "Grant admin consent for <MyInstance>" button:
Go to the "Indices" tab, scroll down and add a new service in the "Services" section by clicking "Add Service". Select "Microsoft Azure Principal Resolution Service" and assign a display name.
Graph Service Root (Advanced Settings)
The endpoint/URL of the Microsoft Graph API. By default, "https://graph.microsoft.com". Change this setting only if you are using a national (non-international) Microsoft Cloud. A list of all available national Microsoft Graph endpoints can be found below.
Azure AD Url (Advanced Settings)
The endpoint/URL to the Azure Active Directory. By default, "https://login.microsoftonline.com". Change this setting only if you are using a national (non-international) Microsoft Cloud. A list of all available national Azure AD endpoints can be found below.
Trust all SSL certificates (Advanced Settings)
Allows the use of non-secured connections, for example for test systems. Must not be enabled in production.
The tenant ID of your Microsoft 365 instance. You can find this on the overview page of the created app in Azure.
The application (client) ID of the app created in Azure.
The credential created in the Network tab, which contains the created client secret.
Crawler Thread Count
Number of threads used for processing the groups.
Resolve only Teams
If this option is enabled, only groups that have an associated team in Microsoft Teams will be resolved. If this Principal Resolution Service is to be used only for Microsoft Teams, enable this setting for optimal performance.
Regular Expression that can be used to specify which groups are to be resolved. If this option is left empty, all groups will be resolved. The regex matches the group name.
Excluded Group Names (regex)
Regular expression that can be used to specify which groups should be excluded. The regex matches the group name.
Log All Requests
If this option is enabled, all requests against the Graph API are written to a log file. Should be enabled for troubleshooting only.
Enable Delta Update
As long as this option is enabled, the Principal Service will only fetch all groups from Microsoft Teams during the first update, after which it will only fetch the changes to the groups, which significantly improves performance.
Disable this option only if there is an inconsistency between the Principal Service and the actual groups in Microsoft Teams.
[Deprecated] Exclusively Use Beta API
This option is deprecated and should not be enabled.
If this option is enabled, the Principal Resolution Service uses the /beta API. Otherwise, the /v1.0 API is used.
If you disable this option, make sure that the permissions of the app are correct (see following section), because the /beta API sometimes allows API queries despite insufficient permissions.
If you enable/disable this option, the "Enable Delta Update" option must be disabled for at least one cache update.
Microsoft Graph global service
Microsoft Graph for US Government L4
Microsoft Graph for US Government L5 (DOD)
Microsoft Graph China operated by 21Vianet
Azure AD (global service)
Azure AD for US Government
Azure AD China operated by 21Vianet
These config options are described in the documentation for the Caching Principal Resolution Service here.