Dialogue Cloud

SharePoint Online Authentication via Azure AD App-Only

Azure AD App-Only is Microsoft's preferred model to grant access to SharePoint Online. This article describes the required steps to enable this authentication method for Anywhere365. It basically consists of three steps:

  1. Grant consent to the Azure AD Application

  2. Configure permissions for this Azure AD Application on one or more specific SharePoint Site Collections

  3. Set this Authentication Method for your UCCs

Grant consent to the Azure AD Application

To make it possible for our Azure AD Application to connect to one or more SharePoint Site Collections, it should be trusted by your organization. There is a different Azure AD Application in each of the three regions; please grant consent to the correct application for the region in which your UCCs are currently hosted. If you have UCCs in multiple regions, please grant consent to each corresponding Azure AD Application.

  1. Navigate to the following hyperlink:

    1. EMEA: https://login.microsoftonline.com/common/adminconsent?client_id=18efff03-033a-4f27-beb6-ee7d4a6a4fab

    2. NORA: https://login.microsoftonline.com/common/adminconsent?client_id=ab03865a-8f0c-435e-bcee-55d98f72c391

    3. APAC: https://login.microsoftonline.com/common/adminconsent?client_id=108437ec-1388-43b4-b87c-2f0f7c40b1c9

  2. The Microsoft Office365 authentication form will appear.


  3. Sign in with a Microsoft Office365 admin account

    1. Global Administrator; or

    2. Application Administrator; or

    3. Cloud Application Administrator.

  4. A window appears showing the permissions that need to be accepted

    1. As you can see, it will only be possible for this Azure AD Application to get access to selected site collections.

    2. How to configure these selected site collections is explained in the next section.

  5. Click the "Accept" button

  6. You will be redirected to the Anywhere365 corporate website (https://www.anywhere365.io/)

  7. In the Azure Portal, you can find an Enterprise Application along with the accepted permissions.

    1. Navigate to https://portal.azure.com/

    2. Sign in with a Microsoft Office365 admin account:

      1. Global Administrator; or

      2. Application Administrator; or

      3. Cloud Application Administrator.

    3. On the welcome page search for Enterprise Applications and open it

    4. Look for the Enterprise Application that matches the Application ID of the corresponding region

      1. EMEA: 18efff03-033a-4f27-beb6-ee7d4a6a4fab

      2. NORA: ab03865a-8f0c-435e-bcee-55d98f72c391

      3. APAC: 108437ec-1388-43b4-b87c-2f0f7c40b1c9

    5. Open the Application by clicking on the name.

    6. Open the Permissions by clicking 'Permissions' in the menu on the left.

    7. Here you will see that the application has the 'Office 365 SharePoint Online' permission with the Claim value 'Sites.Selected'.

 

Configure permissions to selected SharePoint Site Collections

Once consent is granted to the Azure AD Application for your Microsoft 365 tenant, the Azure AD Application still requires permissions to the SharePoint Site Collections that are used by Anywhere365.

It is important to grant full control permissions, in order for Anywhere365 to be able to do all required operations (e.g. retrieve settings, upload voicemails and/or recordings, etc.).

There are multiple ways to grant these permissions; in this example, Microsoft Graph Explorer is used:

  1. Navigate to Microsoft Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer)

  2. Click the button 'Sign in to Graph Explorer'

  3. Sign in with a Microsoft Office365 admin account

    1. Global Administrator; or

    2. Application Administrator; or

    3. Cloud Application Administrator.

  4. If this is the first time you sign in to Graph Explorer, accept the requested permissions.

  5. Once you are signed in successfully, the sign in button will be replaced by your user name.

  6. In the Query Builder, click 'Modify permissions (Preview)'

  7. Next change the value in the blue drop down menu from 'GET' to 'POST' (it will turn from blue to green).


  8. Now click 'Open the permissions panel'.

  9. Look up and select the permissions 'Sites' > 'Sites.FullControl.All' and click 'Consent' at the bottom.

  10. If these permissions have not been granted to Graph Explorer before, accept the requested permissions.

  11. The permissions panel will now indicate that the permission 'Sites' > 'Sites.FullControl.All' is consented

  12. You can now close the permissions panel and start composing a query to retrieve details of the SharePoint Site Collection that is used by Anywhere365.

  13. Change the value 'POST' in the drop down menu back to 'GET' and change the value for the hyperlink from https://graph.microsoft.com/v1.0/me to https://graph.microsoft.com/v1.0/sites/<tenantname>.sharepoint.com:/<sites>/<sitecollectionname>

    Note: Notice the : (colon) between the host name and the relative path to the site collection.

  14. Now hit 'Run query' to request the details from this specific SharePoint Site Collection.

  15. From the response, collect the SharePoint Site Collection id (the GUID in the middle section of the id, between the two commas).

    Note: GUID stands for Globally Unique Identifier, a pseudo-random number used in software applications that is assumed to be unique. The total number of unique keys (2<sup>128</sup>, or 3.4028×10<sup>38</sup>) is very large and the probability of creating the same GUID twice is very small, though uniqueness is not 100% guaranteed.

  16. In the query builder replace the host name and relative path to the site collection with the SharePoint Site Collection id and hit 'Run query' once more. This should give the same outcome as the previous query.

  17. Next compose a new query to grant the Azure AD Application write permissions to this SharePoint Site Collection, by changing the value of the drop down menu from 'GET' to 'POST' and adding '/permissions' to the hyperlink.


  18. Click 'Request body'

  19. Supply the request body below (matching the regional Azure AD Application that you want to grant access) in the field that opens.
    EMEA:

    Request Body
    {
        "roles": [
            "write"
        ],
        "grantedToIdentities": [
            {
                "application": {
                    "id": "18efff03-033a-4f27-beb6-ee7d4a6a4fab",
                    "displayName": "Anywhere365 - EMEA"
                }
            }
        ]
    }

    NORA:

    Request Body
    {
        "roles": [
            "write"
        ],
        "grantedToIdentities": [
            {
                "application": {
                    "id": "ab03865a-8f0c-435e-bcee-55d98f72c391",
                    "displayName": "Anywhere365 - NORA"
                }
            }
        ]
    }

    APAC:

    Request Body
    {
        "roles": [
            "write"
        ],
        "grantedToIdentities": [
            {
                "application": {
                    "id": "108437ec-1388-43b4-b87c-2f0f7c40b1c9",
                    "displayName": "Anywhere365 - APAC"
                }
            }
        ]
    }
  20. Hit 'Run query'

  21. If the result indicates the permission has been created, the Azure AD Application now has write permissions to the selected SharePoint Site Collection.

  22. Finally, these write permissions should be upgraded to full control permissions. To do this, collect the permission id from the response of the latest query.

  23. Build the final query by changing the value of the drop down menu from 'POST' to 'PATCH' and adding the permissions id to the end of the hyperlink.

    Note: Don't forget to include the / (forward slash) between permissions and the permissions id.

  24. Supply the request body as below and hit 'Run query'

  25. If the response indicates 'OK' and the Response Preview shows the role 'fullcontrol' the patch was successful and Anywhere365 should have permissions to this SharePoint Site Collection.

  26. Please take a screenshot of this result, which can be shared with your Customer Success Manager later.

  27. If Anywhere365 utilizes multiple SharePoint Site Collections, please go back to step 13 and follow all subsequent steps for each SharePoint Site Collection.
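
The Graph requests from steps 15 to 25, as an added Python example (not Anywhere365 or Microsoft code). It builds and checks the requests without sending anything; the function names, site id and permission id are constructed for illustration, and the PATCH body `{"roles": ["fullcontrol"]}` is an assumption inferred from step 25, since the page does not show the step 24 body.

```python
import json
import re

GRAPH = "https://graph.microsoft.com/v1.0"
# Application (client) ids of the regional apps, as listed on this page.
REGIONAL_APPS = {
    "EMEA": "18efff03-033a-4f27-beb6-ee7d4a6a4fab",
    "NORA": "ab03865a-8f0c-435e-bcee-55d98f72c391",
    "APAC": "108437ec-1388-43b4-b87c-2f0f7c40b1c9",
}
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def site_collection_guid(composite_id):
    """Step 15: middle GUID of 'hostname,siteCollectionGuid,webGuid'."""
    parts = composite_id.split(",")
    if len(parts) != 3 or not GUID.fullmatch(parts[1]):
        raise ValueError(f"unexpected site id format: {composite_id!r}")
    return parts[1].lower()


def build_requests(region, composite_id, permission_id):
    """Steps 17-24: (method, url, body) for the grant and the upgrade."""
    app_id = REGIONAL_APPS[region]  # KeyError for an unknown region
    base = f"{GRAPH}/sites/{site_collection_guid(composite_id)}/permissions"
    grant = {"roles": ["write"], "grantedToIdentities": [
        {"application": {"id": app_id, "displayName": f"Anywhere365 - {region}"}}]}
    # Assumption: the page omits the step 24 body; step 25 expects 'fullcontrol'.
    upgrade = {"roles": ["fullcontrol"]}
    return [("POST", base, grant), ("PATCH", f"{base}/{permission_id}", upgrade)]


def verify_permission(region, permission):
    """Step 25: True only if the sole grantee is the regional app with fullcontrol."""
    ids = {(i.get("application") or {}).get("id", "").lower()
           for i in permission.get("grantedToIdentities", [])}
    return ids == {REGIONAL_APPS[region]} and permission.get("roles") == ["fullcontrol"]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    site_id = ("contoso.sharepoint.com,11111111-2222-3333-4444-555555555555,"
               "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    for method, url, body in build_requests("EMEA", site_id, "PERMISSION_ID"):
        print(method, url, json.dumps(body))
```

`verify_permission` takes the JSON object returned by the PATCH in step 24 and rejects it if any other application id appears in the grant or the role is not `fullcontrol`.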

 

Change Authentication method for one or more UCCs

As soon as the Azure AD Application has full control access to the SharePoint Site Collections that are utilized by Anywhere365, please contact your Customer Success Manager to enable this authentication method.

In this request, clearly specify which UCCs should start using this new Azure AD Application authentication method and attach the screenshots taken, so that it can be validated that everything looks good.