To enable data collection, we invite you to fulfill the prerequisites below.
The solution uses Microsoft APIs to collect permissions and access to Exchange, OneDrive, SharePoint, and Teams.
Granting the permissions to the IDECSI – Platform – Picture app
Please send us your Tenant ID and your SharePoint root site URL ([yourdomain].sharepoint.com), and let us know once you have granted the app IDECSI – Platform – Picture by opening the following link and signing in as an administrator of the tenant:
https://login.microsoftonline.com/common/adminconsent?client_id=4a50902b-fc9b-4722-8b97-4d027e82dc5f
Application permissions details for the granted app
| API | Permission | IDECSI Usage | Further reading |
| --- | --- | --- | --- |
| Office 365 Management API | ActivityFeed.Read | Collect audit logs to display access events in MyDataSecurity. Detect changes in rights and permissions so that the affected resources can be collected again, and raise an alert if needed. | Office 365 Management Activity API reference (Microsoft Learn) |
| Graph API | ChannelSettings.Read.All | Map Teams channels (private and shared) to be displayed in MyDataSecurity. | List channels – Microsoft Graph v1.0 (Microsoft Learn) |
| Graph API | AuditLog.Read.All | Collect unified audit logs and Entra audit logs to enrich the information on every IDECSI resource. | |
| Graph API | ChannelMember.Read.All | Identify channel members so they can be displayed in MyDataSecurity. | |
| Graph API | Directory.Read.All | Identify users, groups, and applications to display this information in MyDataSecurity. | Required for directory information (users, groups, licenses, applications, administrators) |
| Graph API | Files.Read.All | Read file metadata, version history, and sharing properties to display this information in MyDataSecurity. | |
| Graph API | InformationProtectionPolicy.Read.All | Retrieve sensitivity label configurations (Purview). | List sensitivityLabels – Microsoft Graph beta (Microsoft Learn) |
| Graph API | MailboxSettings.Read | Adapt the language and settings of the IDECSI interface and identify the mailbox associated with a user. | Get user mailbox settings – Microsoft Graph v1.0 (Microsoft Learn) |
| Graph API | Policy.Read.All | Read tenant configurations and alert when they change. | Required to read configurations |
| Graph API | Reports.Read.All | Collect various reports to enrich information in MyDataSecurity and MyDataManagement. | reportRoot: getOneDriveUsageStorage; reportRoot: getOneDriveUsageFileCounts; reportRoot: getSharePointSiteUsageStorage; reportRoot: getSharePointSiteUsageFileCounts – Microsoft Graph v1.0 (Microsoft Learn) |
| SharePoint | Sites.FullControl.All | Collect classic site administrators, correct permissions (Everyone site admin, EEEU site admin, Everyone, EEEU) on SharePoint sites, and retrieve the sharing link creator and creation date. | SharePoint admin APIs authentication and authorization (Microsoft Learn) |
| Graph API | Sites.Read.All | Map sites, libraries, permissions, and metadata used to populate user profiles in MDS/MDM. | List sites – Microsoft Graph v1.0 (Microsoft Learn) |
| Graph API | TeamSettings.Read.All | Map Teams teams and their settings to populate user profiles in MDS. | Get team – Microsoft Graph v1.0 (Microsoft Learn) |
| Office 365 Exchange Online API | Exchange.ManageAsApp | Grants no rights to the application by itself. The associated service principal receives collection and remediation rights (via PowerShell) depending on the role assignment. | Authenticate an EWS application by using OAuth; Application Access Policy Support Added to Exchange Web Services in Exchange Online; Role-Based Access Control for Applications in Exchange Online |
More information on permissions: Overview of Microsoft Graph permissions – Microsoft Graph | Microsoft Learn
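The table above is the complete list of application permissions the app should hold. The following script is an added example for this guide (not IDECSI's own code): it reads the app role assignments actually consented in the tenant through the Microsoft Graph PowerShell SDK and compares them, by permission value, with the documented list, so that a missing consent or an unexpected extra permission is visible before any data collection starts. The client ID is the one from the consent link above; the `$expected` list is transcribed from the table; everything else (variable names, the warning wording) is this example's own.

```powershell
# Added example, not part of the IDECSI guide: audit the consented permissions of the
# IDECSI - Platform - Picture app against the documented list.
# Assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph).
$appId = '4a50902b-fc9b-4722-8b97-4d027e82dc5f'   # client_id from the consent link in this guide

# Permission values transcribed from the table above.
$expected = @(
    'ActivityFeed.Read', 'ChannelSettings.Read.All', 'AuditLog.Read.All', 'ChannelMember.Read.All',
    'Directory.Read.All', 'Files.Read.All', 'InformationProtectionPolicy.Read.All', 'MailboxSettings.Read',
    'Policy.Read.All', 'Reports.Read.All', 'Sites.FullControl.All', 'Sites.Read.All',
    'TeamSettings.Read.All', 'Exchange.ManageAsApp'
)

# Reading app role assignments only needs a read scope; nothing here changes the tenant.
Connect-MgGraph -Scopes 'Application.Read.All'

$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    throw "No service principal found for app $appId: admin consent has not been granted in this tenant."
}

# Each assignment references a resource service principal (Microsoft Graph, Office 365 Management
# APIs, SharePoint Online, Exchange Online) and an AppRoleId. Resolve the id to its permission
# value (e.g. 'Directory.Read.All') through the resource's AppRoles, caching one lookup per resource.
$roleCache = @{}
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    if (-not $roleCache.ContainsKey($a.ResourceId)) {
        $roleCache[$a.ResourceId] = (Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId).AppRoles
    }
    $role = $roleCache[$a.ResourceId] | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{ Resource = $a.ResourceDisplayName; Permission = $role.Value }
}

$granted | Sort-Object Resource, Permission | Format-Table -AutoSize

# Report the two kinds of drift separately: consent not (yet) granted, and rights beyond the list.
$missing = $expected | Where-Object { $_ -notin $granted.Permission }
$extra   = $granted.Permission | Where-Object { $_ -notin $expected } | Sort-Object -Unique
if ($missing) { Write-Warning "Not granted: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Granted but not in the documented list: $($extra -join ', ')" }
if (-not $missing -and -not $extra) { Write-Host 'Consent matches the documented permission list.' }

Disconnect-MgGraph
```

The comparison is by permission value only; `Sites.Read.All` exists on both the Graph and the SharePoint resource, so check the `Resource` column of the printed table when a value appears twice. Delegated permissions are not covered, because the app in this guide uses application permissions only.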
Providing rights on Exchange
The “Manage Exchange as Application” right (Exchange.ManageAsApp) only allows the app to connect to Exchange Online as an application; it grants no specific permissions by itself. That is why a Service Principal must be added in Exchange Online to carry the rights. To keep those rights limited, we create an I2A role group and place the Service Principal in it.
⚠️ Please note:
- Install or update PowerShell to version 7 (`winget install --id Microsoft.Powershell --source winget`)
- Launch PowerShell 7 as the local administrator of the machine (or with an account that has the required rights)
- Install the Microsoft.Graph module (`Install-Module Microsoft.Graph`)
- Install the ExchangeOnlineManagement module version 3.6 (`Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.6.0`)
```powershell
# Import the ExchangeOnline module and the Graph module
Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph; Get-Module Microsoft.Graph

# Load and connect to Microsoft Graph with administrator rights.
Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All,Application.Read.All

# Retrieve the Service Principal corresponding to the "IDECSI - Platform - Picture" application.
$AzureADApp = Get-MgServicePrincipal -Filter "DisplayName eq 'IDECSI - Platform - Picture'"

# Exchange Online connection
# This prompts for user credentials. Please use an Exchange Admin account to connect.
Connect-ExchangeOnline

# Create an Exchange Service Principal linked to the Azure AD App
New-ServicePrincipal -AppId $AzureADApp.AppId -ObjectId $AzureADApp.Id -DisplayName "SP for Azure AD App IDECSI - Platform - Picture"

# Retrieve the new Service Principal object
$SP = Get-ServicePrincipal -Identity "SP for Azure AD App IDECSI - Platform - Picture"
Write-Host ($SP | Format-Table | Out-String)

# Define variables
# These variables store:
# * The name of the role group
$roleGroupName = "I2A"
# * The name of the custom management role to be created
$roleName = "Mail Recipients - ViewOnly - I2A"

# Create Role: "Mail Recipients - ViewOnly - I2A"
# Creates a new management role based on the "Mail Recipients" parent role.
New-ManagementRole $roleName -Parent "Mail Recipients"
Get-ManagementRoleEntry "$roleName\*"
$data2 = Get-ManagementRoleEntry "$roleName\*"

# This loop removes all cmdlets except those starting with "Get", effectively making the role read-only.
foreach ($data in $data2)
{
    $name = $data.Name
    if ($name -NotLike "Get*")
    {
        Remove-ManagementRoleEntry "$roleName\$name" -Confirm:$false
        Write-Host "Done for $name"
    }
}
# Only Get-* entries should remain at this point.
Get-ManagementRoleEntry "$roleName\*"

# Assign Roles to Role Group and Add Service Principal
# Creates a new role group named "I2A", which includes:
# * Standard built-in roles (audit and read-only)
# * The custom role we created
# * The Service Principal as its only member
New-RoleGroup -Name $roleGroupName -Roles "Audit Logs","View-Only Configuration","View-Only Recipients",$roleName -Members $SP.Identity

# Disconnect
# Ends the Exchange Online and Graph sessions properly.
Disconnect-ExchangeOnline
Disconnect-MgGraph
```

Once the application is granted and the script has run successfully, please let your Customer Success Manager know.
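Before reporting the setup as complete, it is worth confirming that the role group ended up as the script above intended: a read-only custom role, exactly the four expected roles, and the app's service principal as the only member. The script below is an added example written for this guide (not IDECSI's own code). It reuses the names from the script above (`I2A`, `Mail Recipients - ViewOnly - I2A`, the service principal display name) and only the Exchange Online cmdlets already used there plus `Get-ManagementRoleAssignment` and `Get-RoleGroupMember`; the variable names and warning texts are this example's own.

```powershell
# Added example, not part of the IDECSI guide: verify the Exchange Online side of the setup.
# Names match the setup script above; adjust them if you changed them there.
$roleGroupName = 'I2A'
$roleName      = 'Mail Recipients - ViewOnly - I2A'
$spName        = 'SP for Azure AD App IDECSI - Platform - Picture'

# Read-only checks, but Exchange Online still requires an admin session.
Connect-ExchangeOnline

# 1. The custom role must contain only Get-* entries. Any other entry means the
#    trimming loop did not complete and the service principal could change recipients.
$entries      = Get-ManagementRoleEntry "$roleName\*"
$writeEntries = $entries | Where-Object { $_.Name -notlike 'Get*' }
if ($writeEntries) {
    Write-Warning ("Role '{0}' still carries non-read entries: {1}" -f $roleName, ($writeEntries.Name -join ', '))
} else {
    Write-Host ("Role '{0}' is read-only ({1} Get-* entries)." -f $roleName, @($entries).Count)
}

# 2. The role group must hold exactly the four roles the setup script assigns, no more, no less.
$expectedRoles = @('Audit Logs', 'View-Only Configuration', 'View-Only Recipients', $roleName)
$assignedRoles = @(Get-ManagementRoleAssignment -RoleAssignee $roleGroupName | ForEach-Object { "$($_.Role)" })
$diff = Compare-Object -ReferenceObject $expectedRoles -DifferenceObject $assignedRoles
foreach ($d in $diff) {
    # '=>' marks a role present in the group but not expected; '<=' an expected role that is missing.
    Write-Warning ("Role group '{0}': role '{1}' {2}" -f $roleGroupName, $d.InputObject, $d.SideIndicator)
}
if (-not $diff) { Write-Host "Role group '$roleGroupName' holds exactly the expected roles." }

# 3. The only member of the role group should be the service principal created for the app.
$members = @(Get-RoleGroupMember -Identity $roleGroupName)
$members | Format-Table Name -AutoSize
if ($members.Count -ne 1 -or $members[0].Name -ne $spName) {
    Write-Warning "Role group '$roleGroupName' membership differs from the single expected service principal '$spName'."
} else {
    Write-Host "Role group '$roleGroupName' has the expected single member."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it in the same PowerShell 7 session setup described above; it changes nothing in the tenant, so it can also be re-run later to detect drift in the role group (for example an extra member added by another administrator).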