
How to Deploy the Solution via App-Only Access for MS Graph [Office 365]


Note

Privacy and security of any data access and handling associated with RG Email Sidebar deployment procedures are guaranteed by the applicable Revenue Grid policies.

Note

Refer to the following articles based on your company’s mail server setup:

The RG Email Sidebar can connect to MS Office 365 mail accounts using app-only access for MS Graph, a more up-to-date and versatile alternative to Exchange Web Services (EWS). See this article for detailed information on using app-only access.

Unlike impersonation deployment scenarios, this connection type does not require configuring an impersonation service account. For the MS Graph app-only access connection type, a special profile-wide mass deployment procedure is used.

Deployment process

The deployment process requires actions in both the RG Admin Panel and the Microsoft 365 Admin Center.

  1. Create a new profile.
  2. Grant permission consent via the mail server admin account.
  3. Set the profile’s mailbox access type.
  4. Provision new users or transfer existing ones to the profile.
  5. Verify the connectivity.

Create a new profile

To create a new profile, follow these steps:

  1. Log in to the RGES Admin Panel using your admin credentials.
  2. Go to the Profiles tab.

Profiles tab

  3. In the upper-right corner, click Create Profile.

Create profile button

  4. Enter the Name and External ID, then click Save.

Profile Name and External ID fields

Important

After you save the profile, the External ID value becomes read-only and cannot be changed.

A notification will confirm that the profile has been created successfully, and the profile details page will open.


The RG Email Sidebar app requires the following access permissions to be consented to on the Microsoft 365 Admin Center side.

Microsoft Graph API Permissions Configuration

API Name          Permission                                    Type
Microsoft Graph   Read and write mail in all mailboxes          Application
Microsoft Graph   Read and write contacts in all mailboxes      Application
Microsoft Graph   Read all users’ full profiles                 Application
Microsoft Graph   Read and write calendars in all mailboxes     Application
Microsoft Graph   Read and write all user mailbox settings      Application

To configure the required permissions, follow the steps described in the corresponding Microsoft article.
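As an added example that is not part of the original article or of the Revenue Grid product, the following PowerShell script (Microsoft.Graph.Applications module) lists the Microsoft Graph application permissions that have actually been admin-consented for an app registration and compares them with the set in the table above. The app (client) ID is a placeholder, and the mapping from the table's display names to permission values (Mail.ReadWrite and so on) is the standard Microsoft Graph naming, assumed here rather than taken from the article.

```powershell
# Added example, not Revenue Grid's own tooling: compare the Graph application
# permissions consented to an app registration with the documented set.
# Requires the Microsoft.Graph.Applications module and an account allowed to
# read application data (Application.Read.All).

$AppId = "00000000-0000-0000-0000-000000000000"   # placeholder: RG Email Sidebar app (client) ID

# Expected Graph application permission values for the table above
# (display-name to value mapping is standard Graph naming, assumed here).
$Expected = @(
    "Mail.ReadWrite",            # Read and write mail in all mailboxes
    "Contacts.ReadWrite",        # Read and write contacts in all mailboxes
    "User.Read.All",             # Read all users' full profiles
    "Calendars.ReadWrite",       # Read and write calendars in all mailboxes
    "MailboxSettings.ReadWrite"  # Read and write all user mailbox settings
)

Connect-MgGraph -Scopes "Application.Read.All"

# Service principal of the app in this tenant, and of Microsoft Graph itself
# (Graph's well-known application ID is 00000003-0000-0000-c000-000000000000).
$appSp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
if (-not $appSp) {
    throw "No service principal for app $AppId in this tenant; admin consent has not been granted yet."
}

# App role assignments on the Graph resource are exactly the admin-consented
# application permissions; resolve each role ID to its permission value.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }

$missing = $Expected | Where-Object { $_ -notin $granted }
$extra   = $granted  | Where-Object { $_ -notin $Expected }

"Granted Microsoft Graph application permissions:"
$granted | Sort-Object | ForEach-Object { "  $_" }
if ($missing) { "MISSING (the corresponding Sidebar feature will be unavailable): $($missing -join ', ')" }
if ($extra)   { "BEYOND the documented set (review against least privilege): $($extra -join ', ')" }
```

Run it after granting consent and again after any change to the app registration; a permission listed as missing explains an unavailable feature, while anything beyond the documented set is a candidate for removal, since application permissions apply to every mailbox in the tenant unless an application access policy narrows them.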


Limiting RGES app access to specific user accounts (optional)

In many configurations, the mailbox data access granted to RGES over app-only access must be limited to a specific group of entitled users. This is accomplished using the Blacklist and Whitelist settings.

To configure an application access policy and limit the scope of application permissions, follow the steps below based on this Microsoft article:

  1. Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell.

  2. Identify the app’s client ID and a mail-enabled security group to restrict the app’s access to:

  • Identify the app’s application (client) ID in the Azure app registration portal
  • Create a new mail-enabled security group or use an existing one and identify the email address for the group
  3. Create an application access policy.

Run the following command, replacing the arguments for AppId, PolicyScopeGroupId, and Description.

New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId [email protected] -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."

  4. Test the newly created application access policy.

Run the following command, replacing the arguments for Identity and AppId.

Test-ApplicationAccessPolicy -Identity [email protected] -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b

The output of this command will indicate whether the app has access to User1’s mailbox.

Note that changes to application access policies can take up to 30 minutes to be applied to Microsoft Graph REST API calls.
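The steps above, carried through as an added example that is not Revenue Grid's or Microsoft's own script: it creates the restricting policy once, then verifies it against one mailbox inside the scope group and one outside it, polling to allow for the propagation delay mentioned above. It assumes the ExchangeOnlineManagement module; the app ID, group address and mailbox addresses are placeholders.

```powershell
# Added example (not the article's or Microsoft's own code): create the
# application access policy and confirm it actually scopes the app.
# Requires the ExchangeOnlineManagement module. All values below are placeholders.

$AppId       = "00000000-0000-0000-0000-000000000000"   # placeholder: RG app (client) ID
$ScopeGroup  = "sidebar-users@example.com"              # placeholder: mail-enabled security group
$InScopeUser = "member@example.com"                     # placeholder: a member of $ScopeGroup
$OutOfScope  = "other@example.com"                      # placeholder: not a member

Connect-ExchangeOnline -ShowBanner:$false

# Create the policy only if none exists for this app yet.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId `
        -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description "Restrict RG Email Sidebar app-only access to members of $ScopeGroup"
}

# Policy changes can take up to 30 minutes to take effect, so poll rather than
# checking once. Test-ApplicationAccessPolicy reports AccessCheckResult as
# Granted or Denied for the given mailbox.
function Wait-AccessResult {
    param([string]$Mailbox, [string]$Expected, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $result = (Test-ApplicationAccessPolicy -Identity $Mailbox -AppId $AppId).AccessCheckResult
        if ($result -eq $Expected) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

$memberOk    = Wait-AccessResult -Mailbox $InScopeUser -Expected "Granted"
$nonMemberOk = Wait-AccessResult -Mailbox $OutOfScope  -Expected "Denied"

"$InScopeUser : $(if ($memberOk)    { 'Granted as expected' } else { 'NOT granted - check group membership' })"
"$OutOfScope : $(if ($nonMemberOk) { 'Denied as expected'  } else { 'STILL accessible - policy not effective' })"
```

Checking a mailbox outside the group is the part that matters for security: a Granted result for the in-scope user only proves the app works, while a Denied result for the out-of-scope user proves the tenant-wide application permissions are actually being narrowed.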


Set the profile’s mailbox access type

After creating a new profile and granting access consent, follow these steps to set the mailbox access type:

  1. Go back to the RG Admin Panel and navigate to the Profiles tab.

Profiles Tab

  2. Open the profile you just created and go to the Connectivity subtab.

Connectivity Subtab

  3. In the Email configuration widget, in the Mailbox access type menu, select Microsoft 365 OAuth (Graph API) - App-Only logon.

Mailbox Access Type field

  4. Click Connect account. This will open the Office 365 OAuth dialogue.

Connect Account Button

  5. Enter the Microsoft 365 admin credentials in the dialogue. These credentials are used only to grant permissions for MS Graph app-only access.

MS 365 OAuth dialogue

  6. In the Permission authorization dialog, click Accept to grant the necessary permissions.

MS 365 Permissions confirmation dialogue

Important

Our support team configures permissions individually for each Enterprise customer’s organization. If some permissions are not granted, the corresponding RG Email Sidebar features may be unavailable.

If the connection is successful, the mailbox connectivity status in the Email configuration widget will update to Connected.


Provision new users or transfer existing ones to the profile

Based on your scenario:

  • If you are deploying the RG Email Sidebar for the first time, provision new users to the MS Graph app-only access profile.
  • If the RG Email Sidebar was initially deployed with a different connection type, transfer existing users to the new MS Graph app-only access profile.

Provision users to the MS Graph app-only access profile

To provision users to the profile, follow these steps:

  1. In the RG Admin Panel, go to the Profiles tab.

Profiles Tab

  2. Open the profile configured with the MS Graph app-only access type, then go to the Details subtab.

Details Subtab

  3. In the Miscellaneous widget, specify the users’ email domains under Email domains assigned to this Profile.

Email domains assigned to this Profile field

  4. In the Miscellaneous widget, copy the Provisioning URL and share it with end users.

Provisioning URL

  5. Users should follow the link and complete the steps in the Registration Wizard.

If the users’ email domains match the domains specified in the Email domains assigned to this Profile field, they will be automatically assigned to the profile.


Transfer users to the MS Graph app-only access profile

To transfer existing users to the new MS Graph app-only access profile:

  1. In the RG Admin Panel, go to the Profiles tab.

Profiles Tab

  2. Open the initial profile and go to the Users subtab.

Users Subtab

  3. Select the users you want to move using the checkbox on the left side of the list.

Users selected in the list

  4. In the upper-right corner, click the More actions menu and select Change Profile.

Change Profile option

  5. In the dialog, choose the new profile and click Apply.

Change Profile confirmation dialogue

A confirmation dialog will appear, showing the results and details for each user.

Profile change status


Verify the Connectivity

After provisioning or transferring users to the profile with MS Graph app-only mailbox access, follow these steps to check user access:

  1. In the RG Admin Panel, go to the Profiles tab.

Profiles Tab

  2. Locate the profile with the MS Graph mailbox access type and open the Connectivity subtab.

Connectivity subtab

  3. In the Email configuration widget, click Check users’ impersonated access.

Check users' impersonated access command

All user accounts assigned to the MS Graph app-only access profile are now automatically reconfigured to use app-only access. You will see a list showing the connection status for each user.

Connection Status for each user