Installation and Configuration
Microsoft Azure Principal Resolution Service
Copyright ©
Mindbreeze GmbH, A-4020 Linz, 2023.
All rights reserved. All hardware and software names used are brand names and/or trademarks of their respective manufacturers.
These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes, or any other protected rights. The dissemination, publication, or reproduction hereof is prohibited.
For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.
Introduction
Using the Microsoft Azure Principal Resolution Service, groups in Microsoft Azure can be resolved. These groups are used by many Microsoft services, such as SharePoint Online, Teams, or Stream. If you have set up a connector for any of these data sources, you should also use the Microsoft Azure Principal Resolution Service.
Configuring the Microsoft Azure Principal Resolution Service
Creating the Application in Azure
In order for the Principal Resolution Service to resolve Microsoft Azure groups, a new app must first be created that has the permissions to read Microsoft Azure groups. This app can be created at portal.azure.com.
Navigate to Azure Active Directory -> App registrations and click the "New Registration" button to register a new app:
After you have created the app, you still need to create a Secret so that the Principal Resolution Service can actually log in:
When creating the client secret, an expiry time can be selected. We recommend 6-12 months so that the secret is changed regularly.
After that you can copy the secret. When you leave the page, you will not be able to view the secret anymore, so make sure that you enter the secret directly into the Mindbreeze configuration (see next section).
Now you need to give the app the permissions it needs. Navigate to "App permissions" to do this. The Microsoft Azure Principal Resolution Service requires the following Application Permissions in Microsoft Graph:
- Group.Read.All
- User.Read.All
After granting the app permission, you still need to give "admin consent". To do this, use the "Grant admin consent for <MyInstance>" button:
Configuring the Principal Resolution Service
Go to the "Indices" tab, scroll down and add a new service in the "Services" section by clicking "Add Service". Select "Microsoft Azure Principal Resolution Service" and assign a display name.
Area „Connection Settings“
Graph Service Root (Advanced Settings) | The endpoint/URL of the Microsoft Graph API. By default, "https://graph.microsoft.com". Change this setting only if you are using a national (non-international) Microsoft Cloud. A list of all available national Microsoft Graph endpoints can be found below. |
Azure AD Url (Advanced Settings) | The endpoint/URL to the Azure Active Directory. By default, "https://login.microsoftonline.com". Change this setting only if you are using a national (non-international) Microsoft Cloud. A list of all available national Azure AD endpoints can be found below. |
Trust all SSL certificates (Advanced Settings) | Allows the use of non-secured connections, for example for test systems. Must not be enabled in production. |
Tenant ID | The tenant ID of your Microsoft 365 instance. You can find this on the overview page of the created app in Azure. |
App ID | The application (client) ID of the app created in Azure. |
Client Secret | The credential created in the Network tab, which contains the created client secret. |
Crawler Thread Count | Number of threads used for processing the groups. |
Resolve only Teams | If this option is enabled, only groups that have an associated team in Microsoft Teams will be resolved. If this Principal Resolution Service is to be used only for Microsoft Teams, enable this setting for optimal performance. |
Regular Expression that can be used to specify which groups are to be resolved. If this option is left empty, all groups will be resolved. The regex matches the group name. | |
Excluded Group Names (regex) | Regular expression that can be used to specify which groups should be excluded. The regex matches the group name. |
Log All Requests | If this option is enabled, all requests against the Graph API are written to a log file. Should be enabled for troubleshooting only. |
Enable Delta Update | As long as this option is enabled, the Principal Service will only fetch all groups from Microsoft Teams during the first update, after which it will only fetch the changes to the groups, which significantly improves performance. Disable this option only if there is an inconsistency between the Principal Service and the actual groups in Microsoft Teams. |
[Deprecated] Exclusively Use Beta API | This option is deprecated and should not be enabled. If this option is enabled, the Principal Resolution Service uses the /beta API. Otherwise, the /v1.0 API is used. If you disable this option, make sure that the permissions of the app are correct (see following section), because the /beta API sometimes allows API queries despite insufficient permissions. If you enable/disable this option, the "Enable Delta Update" option must be disabled for at least one cache update. |
Available national Microsoft Graph endpoints
Microsoft Graph global service | https://graph.microsoft.com |
Microsoft Graph for US Government L4 | https://graph.microsoft.us |
Microsoft Graph for US Government L5 (DOD) | https://dod-graph.microsoft.us |
Microsoft Graph China operated by 21Vianet | https://microsoftgraph.chinacloudapi.cn |
Available national Azure AD endpoints
Azure AD (global service) | https://login.microsoftonline.com |
Azure AD for US Government | https://login.microsoftonline.us |
Azure AD China operated by 21Vianet | https://login.chinacloudapi.cn |
Cache, Health Check, Service & Consumer Services Settings
These config options are described in the documentation for the Caching Principal Resolution Service here.