Register Custom Azure App

To get started, you'll register a custom Azure app below to add the necessary permissions.

Go to the Azure portal, register a new app, add the permissions, and capture the App ID and Access Key. For more on registering and configuring Azure apps, see Register an application with the Microsoft identity platform and Configure a client application to access a web API in the Microsoft documentation.

Make sure that you make note of the App ID and Access Key while registering the app. You'll need them to register your Microsoft 365 domain as a source in Cohesity DataProtect as a Service.

To register your custom app for Cohesity DataProtect as a Service:

  1. Open Microsoft Entra ID

    1. To manage Microsoft Entra ID using the Azure Portal:

      1. Log in to the Azure portal with your Microsoft 365 administrator user credentials.

      2. Click the main menu (≡) in the top left corner and select Microsoft Entra ID.

    2. To manage Microsoft Entra ID using Microsoft 365:

      1. Log in to Microsoft 365.

      2. On the Microsoft 365 page, click Admin.

      3. On the Microsoft 365 admin center page, select Admin centers and then click Microsoft Entra.

  2. Create a new custom app.

    1. Under the Manage section, select App Registrations, then click New Registration. In the Register an application page:

      1. Enter a Name for your app.

      2. Select the Supported account types that can access the app,

      3. In the Redirect URI drop-down, select Web and enter https://localhost.

      4. Click Register.

  3. After the custom app has been created, click Overview and copy the Application (client) ID. You need to use Application (client) ID to register Microsoft 365 as a source in Cohesity DataProtect as a Service.

  4. Add API permissions to the custom app:

    1. Add Oauth API permission if the Microsoft 365 source tenant has OAuth enabled for secure communication:

      1. Under the Manage section, select App Registrations and click Add a permission.

      2. In the Request API permissions page, click the APIs my organization uses tab.

        1. In the search bar, enter Office 365 Exchange Online then click the API. (Use the complete app name.)

        2. In the Office 365 Exchange Online API, click Application Permissions.

        3. Under Other Permissions, select full_access_as_app to enable OAuth and click Add Permissions.

          App Permissions Permission Type Mailboxes
          full_access_as_app Application Y

    2. Add Graph API permissions:

      1. Under the Manage section, select App Registrations, and then click Add a permission.

      2. In the Request API permissions page, select Microsoft Graph API.

      3. Click Application Permissions and add the permissions listed below for your Microsoft 365 application.

        App Permissions Permission Type Mailboxes OneDrive SharePoint Online Sites MS Teams
        Channel.Create Application N/A N/A N/A
        Channel.ReadBasic.All Application N/A N/A N/A
        ChannelMember.ReadWrite.All Application N/A N/A N/A
        Directory.ReadWrite.All Application
        Files.ReadWrite.All Application N/A
        Group.Create Application N/A N/A N/A
        Group.ReadWrite.All Application N/A
        Reports.Read.All Application
        Sites.ReadWrite.All Application
        Sites.FullControl.All Application N/A N/A
        User.Read.All Application
        User.ReadWrite.All Application N/A
        ChannelMessage.Read.All Application N/A N/A N/A
        Chat.Read.All Application N/A N/A N/A
        Mail.ReadWrite Application N/A N/A N/A
        MailboxSettings.Read Application N/A N/A N/A
      4. Click Add permissions.

    3. Add SharePoint permissions to the custom app:

      1. Under the Manage section, select App Registrations and click Add a permission.

      2. In the Request API permissions page, select SharePoint. (If you don't see it, scroll further down.)

        1. Click Delegated Permissions and add the permissions listed below, then click Add permissions.

        2. Click Application Permissions and add the permissions listed below, then click Add permissions.

          Permission Type Permissions Name
          Delegated AllSites.FullControl
          AllSites.Manage
          AllSites.Read
          MyFiles.Read
          MyFiles.Write
          Sites.Search.All
          TermStore.ReadWrite.All
          User.ReadWrite.All
          Application Sites.FullControl.All
          Sites.Manage.All
          Sites.ReadWrite.All
          TermStore.ReadWrite.All
          User.ReadWrite.All
  5. Grant admin consent for the API permissions.

    1. Under Configured permissions, click Grant admin consent.

    2. On the Grant admin consent confirmation, click Yes.

  6. Create a new client secret that will be used to register Microsoft 365 as a source in Cohesity DataProtect as a Service.

    1. Under the Manage section, select Certificates & secrets.

      1. In the Client secrets section, click New client secret. Enter a Description.

      2. In the Expires drop-down, select how long the secret key will be valid.

      3. Click Add.

    2. Under Client secrets, click the Copy button next to the string under VALUE. You need the Value key of the client secret to register Microsoft 365 as a source in Cohesity DataProtect as a Service.

    3. Store the Value key in a secure location. After you exit this page, you will not be able to see the Value key again. If you lose your value key, you will need to create a new client secret.

When you finish, your custom Azure app should include the permissions as shown below.