Graphus for Office 365 Activation Guide - Connect IT Community | Kaseya
<main> <article class="userContent"> <h3 data-id="1-graphus-application-activation">1. Graphus Application Activation</h3> <p><em>Note: The activation must be carried out by a Global Administrator of your organization's Azure AD tenant. It creates an app registration and grants it tenant-wide application permissions, which require admin consent.</em></p> <p><strong>Steps</strong></p> <ol><li>Log in to the Office 365 portal and select <strong>Admin</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/FIXWGJOFA6C2/graphus-app-activ1-png.png" alt="graphus_app_activ1.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>Under <strong>Admin centers</strong>, click <strong>Azure Active Directory</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/ZRCGOOT9WGTJ/graphus-app-activ2-png.png" alt="graphus_app_activ2.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>In the <strong>Azure Active Directory admin center</strong>, click <strong>Azure Active Directory</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/F43H6L4QJOOE/graphus-app-activ3-png.png" alt="graphus_app_activ3.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>Under the <strong>Manage</strong> section, click <strong>App registrations</strong> and then choose <strong>New registration</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/8QBFLB88MFNW/graphus-app-activ4-png.png" alt="graphus_app_activ4.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>On the <strong>Register an application</strong> page, enter <em>Graphus</em> as the name and select <strong>Accounts in this organizational directory only</strong> as the supported account type, so that the registration is single-tenant. In the Redirect URI section, select <strong>Web</strong> and enter <em>https://eucloud.graph.us/login</em> as the URL. 
Then, click <strong>Register</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/Y90VA5FC6D1I/graphus-app-activ5-png.png" alt="graphus_app_activ5.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>Copy and save the Application (client) ID; it is needed in step 10.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/OAB56LHR2WVT/graphus-app-activ6-png.png" alt="graphus_app_activ6.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>In the Manage section, select <strong>Certificates &amp; secrets</strong> and upload the certificate file generated in the Graphus MSP portal.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/HNWYRT41ODVL/graphus-app-activ7-png.png" alt="graphus_app_activ7.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>The uploaded certificate should appear in the Certificates section as depicted below.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/0UN61CW0ROLV/graphus-app-activ8-png.png" alt="graphus_app_activ8.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>On the Graphus – Certificates &amp; secrets page, click <strong>New client secret</strong>, enter <em>Graphus</em> in the Description field, select <strong>24 months</strong> from the Expires dropdown menu, and click <strong>Add</strong>. Record the expiry date: a new secret must be created and entered in the Graphus MSP portal before then, or the integration stops authenticating.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/JJ863E4GWOON/graphus-app-activ9-png.png" alt="graphus_app_activ9.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li> A secret value is generated automatically and displayed in the <strong>Value</strong> field of the client secret created in the previous step.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/6SA2FALJFM4Q/graphus-app-activ10-png.png" alt="graphus_app_activ10.PNG" class="embedImage-img importedEmbed-img"></img><br>Copy the value immediately after creation. 
Enter the Application (client) ID from step 6 and this client secret value on the Graphus MSP portal activation page, then click <strong>Activate organization</strong> on the Graphus MSP portal.<br><p><em>Note: The secret value is not accessible after you leave this blade. Anyone holding it together with the Application (client) ID can obtain tokens carrying every permission granted below, so treat it as a password and store it nowhere other than the Graphus MSP portal.</em></p> Graphus requires permissions on APIs provided by Microsoft. To learn more about these permissions, refer to <a rel="nofollow" href="#h_01F8SDRNHEM4EJVSKK93HXKXZ0">Required Permissions</a> in this guide. </li> <li>In the Manage section, select <strong>API permissions</strong>, click <strong>Add a permission</strong>, then select <strong>Microsoft Graph</strong> from the APIs.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/69IR25QIXNNL/graphus-app-activ11-png.png" alt="graphus_app_activ11.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li> For the <strong>Microsoft Graph</strong> API, choose <strong>Application Permissions</strong>, then select the 10 permissions below and click <strong>Add permissions</strong>. 
<p>Contacts</p> <ul><li> <strong>Read</strong> (Read contacts in all mailboxes) </li> </ul><p> Directory</p> <ul><li> <strong>Read.All</strong> (Read directory data) </li> </ul><p> Group</p> <ul><li> <strong>Read.All</strong> (Read all groups) </li> </ul><p> MailboxSettings</p> <ul><li> <strong>Read</strong> (Read all user mailbox settings) </li> </ul><p> Mail</p> <ul><li> <strong>Read</strong> (Read mail in all mailboxes) </li> <li> <strong>ReadWrite</strong> (Read and write mail in all mailboxes) </li> </ul><p> Member</p> <ul><li> <strong>Read.Hidden</strong> (Read all hidden memberships) </li> </ul><p> People</p> <ul><li> <strong>Read.All</strong> (Read all users' relevant people lists) </li> </ul><p> User</p> <ul><li> <strong>Export.All</strong> (Export user's data) </li> <li> <strong>Read.All</strong> (Read all users' full profiles)<br><em>Note: None of the DELEGATED PERMISSIONS are required.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/R5HRVWQJ28OA/graphus-app-activ12-png.png" alt="graphus_app_activ12.PNG" class="embedImage-img importedEmbed-img"></img><br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/SP6O4M0P7EHR/graphus-app-activ12a-png.png" alt="graphus_app_activ12a.PNG" class="embedImage-img importedEmbed-img"></img><br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/GNYHWXRXGPQU/graphus-app-activ12b-png.png" alt="graphus_app_activ12b.PNG" class="embedImage-img importedEmbed-img"></img><br></em> </li> </ul></li> <li>Click <strong>Add a permission</strong>, select tab <strong>APIs my organization uses</strong>, search for <em>Office 365 Exchange Online</em><strong>, </strong>and select <strong>Office 365 Exchange Online</strong> API from the results.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/HYUR4SYBMXED/graphus-app-activ13-png.png" alt="graphus_app_activ13.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>For <strong>Office 365 Exchange Online</strong> API, choose <strong>Application 
Permissions</strong>, then select the below six permissions and click <strong>Add permissions</strong>.<br><p>Contacts</p> <ul><li> <strong>Read</strong> (Read contacts in all mailboxes) </li> </ul><p> MailboxSettings</p> <ul><li> <strong>Read</strong> (Read all user mailbox settings) </li> </ul><p> Mail</p> <ul><li> <strong>Read</strong> (Read mail in all mailboxes) </li> <li> <strong>ReadWrite</strong> (Read and write mail in all mailboxes) </li> </ul><p> User</p> <ul><li> <strong>Read.All</strong> (Read all users' full profiles) </li> <li> <strong>ReadBasic.All</strong> (Read all users' basic profiles) </li> </ul><p><em>Note: None of the DELEGATED PERMISSIONS are required.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/QLV1XYY0PEKQ/graphus-app-activ14a-png.png" alt="graphus_app_activ14a.PNG" class="embedImage-img importedEmbed-img"></img><br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/B1IKARI16ULX/graphus-app-activ14b-png.png" alt="graphus_app_activ14b.PNG" class="embedImage-img importedEmbed-img"></img><br></em></p> </li> <li>Click <strong>Add a permission</strong>, select the tab <strong>APIs my organization uses</strong>, search for <em>Windows Azure Active Directory</em><strong>, </strong>and select <strong>Windows Azure Active Directory</strong> API from the results.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/43HW78POKG4K/graphus-app-activ15-png.png" alt="graphus_app_activ15.PNG" class="embedImage-img importedEmbed-img"></img></li> <li> For <strong>Windows Azure Active Directory</strong> API, choose <strong>Application Permissions</strong>, then select the below two permissions and click <strong>Add permissions</strong>. 
<p>Directory</p> <ul><li> <strong>Read.All</strong> (Read directory data) </li> </ul><p>Member</p> <ul><li> <strong>Read.Hidden</strong> (Read all hidden memberships)<br><em>Note: None of the DELEGATED PERMISSIONS are required.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/C7II0BBWYHE8/graphus-app-activ16-png.png" alt="graphus_app_activ16.PNG" class="embedImage-img importedEmbed-img"></img><br></em> </li> </ul></li> <li>Click the <strong>Grant admin consent for &lt;your organization&gt;</strong> button in the Grant consent section, then click <strong>Yes</strong> on the confirmation popup.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/HTKV29WJBOR7/graphus-app-activ17-png.png" alt="graphus_app_activ17.PNG" class="embedImage-img importedEmbed-img"></img><br>If the action is successful, the confirmation message shown below is displayed.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/G6R68KA14LQJ/graphus-app-activ17a-png.png" alt="graphus_app_activ17a.PNG" class="embedImage-img importedEmbed-img"></img><br>Before leaving the page, check that the Status column shows <strong>Granted for &lt;your organization&gt;</strong> for every permission listed; a row still marked <strong>Not granted</strong> has not been consented, and Graphus will not receive that permission.<br><em>Note: It usually takes 5-10 minutes for the changes to take effect in Azure AD.</em> </li> </ol><h3 id="h_01F8SDRNHEM4EJVSKK93HXKXZ0" data-id="2-required-permissions">2. 
Required Permissions</h3> <p>To integrate with your organization and to detect and remediate email attacks, Graphus needs a set of permissions on the following Microsoft APIs.</p> <ul><li>Microsoft Graph</li> <li>Office 365 Exchange Online</li> <li>Windows Azure Active Directory</li> </ul><p>All of them are application permissions: they are granted to the Graphus application itself rather than to a signed-in user, and they apply to every mailbox and directory object in the tenant, which is why admin consent is required. Mail.ReadWrite in particular permits reading, modifying and deleting mail in all mailboxes. The following tables describe why each permission is needed by Graphus.</p> <table border="1"><tbody><tr><td colspan="2"><strong>Microsoft Graph</strong></td> </tr><tr><td><strong>Permission</strong></td> <td><strong>Required for</strong></td> </tr><tr><td>User.Export.All</td> <td>Required to fetch the email address, first name and last name of the users in an organization to detect impersonation.</td> </tr><tr><td>People.Read.All</td> <td>Required to fetch the shared contacts of a user in an organization to build the Trust Graph.</td> </tr><tr><td>MailboxSettings.Read</td> <td>Required to get the current status of a mailbox.</td> </tr><tr><td>Member.Read.Hidden</td> <td>Required to get the information of all the groups (public and private) that a user belongs to. It is used by Graphus to detect mails sent to group email addresses.</td> </tr><tr><td>Mail.Read</td> <td>Required by Graphus for the detection of email attacks.</td> </tr><tr><td>Mail.ReadWrite</td> <td>Required by Graphus for detection of email attacks and insertion of EmployeeShield in an email. This is also required to delete mail from a user's inbox when an email attack needs to be quarantined.</td> </tr><tr><td>Contacts.Read</td> <td>Required to fetch the email addresses, first name and last name of the users in an organization to detect user impersonation.</td> </tr><tr><td>Group.Read.All</td> <td>Required to get the information of all the groups that a user belongs to. It is used by Graphus to detect mails sent to group email addresses. 
This is also needed when only a subset of a group's members is to be protected.</td> </tr><tr><td>Directory.Read.All</td> <td>Required to fetch detailed attributes of all the users and groups in an organization for detection of email attacks.</td> </tr><tr><td>User.Read.All</td> <td>Required to decide whether Graphus should process a user's mailbox. This information is also required in the OAuth flow.</td> </tr></tbody></table> <table border="1"><tbody><tr><td colspan="2"><strong>Office 365 Exchange Online</strong></td> </tr><tr><td><strong>Permission</strong></td> <td><strong>Required for</strong></td> </tr><tr><td>User.Read.All</td> <td>Required to decide whether Graphus should process a user's mailbox. This information is also required in the OAuth flow.</td> </tr><tr><td>User.ReadBasic.All</td> <td>Required to decide whether Graphus should process a user's mailbox. This information is also required to fetch the email address, first name and last name of the users in an organization to detect user impersonation.</td> </tr><tr><td>MailboxSettings.Read</td> <td>Required to get the current status of a mailbox.</td> </tr><tr><td>Contacts.Read</td> <td>Required to fetch the email addresses, first name and last name of users in an organization to detect user impersonation.</td> </tr><tr><td>Mail.Read</td> <td>Required by Graphus for the detection of email attacks.</td> </tr><tr><td>Mail.ReadWrite</td> <td>Required by Graphus for detection of email attacks and insertion of EmployeeShield in a mail. 
This is also required to delete mail from a user's inbox when an email attack needs to be quarantined.</td> </tr></tbody></table> <table border="1"><tbody><tr><td colspan="2"><strong>Windows Azure Active Directory</strong></td> </tr><tr><td><strong>Permission</strong></td> <td><strong>Required for</strong></td> </tr><tr><td>Member.Read.Hidden</td> <td>Required to get the information of all the groups (public and private) that a user belongs to. It is used by Graphus to detect mails sent to group email addresses.</td> </tr><tr><td>Directory.Read.All</td> <td>Required to fetch detailed attributes of all users and groups in an organization for detection of email attacks.</td> </tr></tbody></table><h3 data-id="3-graphus-application-deactivation">3. Graphus Application Deactivation</h3> <p>If, for any reason, you want to deactivate the Graphus application in your environment, follow the steps below. </p> <p><strong>Steps</strong></p> <ol><li>Log in to the Office 365 portal and select <strong>Admin</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/B8IXOXRTOP1C/graphus-app-deactiv1-png.png" alt="graphus_app_deactiv1.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>Expand <strong>Admin centers</strong> and choose <strong>Azure Active Directory</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/ZYWARKXWUYLT/graphus-app-deactiv2-png.png" alt="graphus_app_deactiv2.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>Click <strong>Azure Active Directory</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/PQBK2BFXMWA4/graphus-app-deactiv3-png.png" alt="graphus_app_deactiv3.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>In the Manage section, click <strong>App registrations</strong> and then choose the Graphus application from the application list.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/UVSOM4HV1CU0/graphus-app-deactiv4-png.png" alt="graphus_app_deactiv4.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>Click the <strong>Delete</strong> button for the Graphus application.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/13NALZ5IR2BQ/graphus-app-deactiv5-png.png" alt="graphus_app_deactiv5.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li> Click <strong>Yes</strong> on the confirmation popup.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/J251FWFV8C2I/graphus-app-deactiv6-png.png" alt="graphus_app_deactiv6.PNG" class="embedImage-img importedEmbed-img"></img><br>After the deletion succeeds, a confirmation message appears as depicted below.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/D7QDO6GDYUMZ/graphus-app-deactiv7-png.png" alt="graphus_app_deactiv7.PNG" class="embedImage-img importedEmbed-img"></img><br>After this step, the Graphus application registration and its consented API permissions are removed. Two caveats: access tokens already issued to the application remain valid until they expire, and Azure AD keeps a deleted registration under <strong>Deleted applications</strong> for 30 days, from where it can be restored, so delete it permanently there if the removal must be final. </li> </ol> </article> </main>
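<p>The activation steps and the three permission tables above define the end state of the registration: single-tenant, one web redirect URI, exactly 18 application permissions across the three APIs, no delegated permissions, an uploaded certificate, and a client secret with at most a 24-month lifetime. The Python script below is an added example, not Graphus or Kaseya code, that audits an application object in the shape returned by <code>az ad app show --id &lt;appId&gt;</code> against that end state; it is worth running after activation and again whenever someone edits the registration, because drift (an added delegated scope, a dropped role, an expired secret) is otherwise silent. The three well-known resource app IDs are real; the role ids, the id-to-name map and the sample application are constructed placeholders, and in a real audit the map is built from each resource service principal's <code>appRoles</code>.</p>

```python
"""Audit an Azure AD app registration against the Graphus guide above.
Added example, not Graphus/Kaseya code. Input: the application object as
`az ad app show --id <appId>` returns it. Role ids and the sample app are
constructed placeholders; real ids come from `az ad sp show --id <resource>`."""
import uuid
from datetime import datetime, timedelta, timezone

# Well-known app IDs of the three resource APIs the guide grants permissions on.
GRAPH = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
EXO = "00000002-0000-0ff1-ce00-000000000000"    # Office 365 Exchange Online
AAD = "00000002-0000-0000-c000-000000000000"    # Windows Azure Active Directory
REDIRECT_URI = "https://eucloud.graph.us/login"
MAX_SECRET_LIFETIME = timedelta(days=731)       # the guide's "24 months"

# Exactly the application permissions (type "Role") the guide lists, per API.
EXPECTED = {
    GRAPH: {"Contacts.Read", "Directory.Read.All", "Group.Read.All", "MailboxSettings.Read",
            "Mail.Read", "Mail.ReadWrite", "Member.Read.Hidden", "People.Read.All",
            "User.Export.All", "User.Read.All"},
    EXO: {"Contacts.Read", "MailboxSettings.Read", "Mail.Read",
          "Mail.ReadWrite", "User.Read.All", "User.ReadBasic.All"},
    AAD: {"Directory.Read.All", "Member.Read.Hidden"},
}

def placeholder_role_id(resource, name):
    """Constructed, deterministic stand-in for a real appRole id (not a real id)."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, resource + "/" + name))

# (resourceAppId, roleId) -> name, as a real audit builds it from each SP's appRoles.
ROLE_NAMES = {(res, placeholder_role_id(res, n)): n
              for res, names in EXPECTED.items() for n in names}

def audit(app, role_names, now):
    """Return findings; empty means: single tenant, the one redirect URI, exactly
    the listed app roles, no delegated scopes, a certificate, a valid <=24-month secret."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("not single-tenant: signInAudience=%s" % app.get("signInAudience"))
    uris = app.get("web", {}).get("redirectUris", [])
    if uris != [REDIRECT_URI]:
        findings.append("redirect URIs differ from the guide: %s" % uris)
    granted = {}
    for rra in app.get("requiredResourceAccess", []):
        res = rra["resourceAppId"]
        for access in rra.get("resourceAccess", []):
            if access["type"] != "Role":  # "Scope" is delegated; the guide needs none
                findings.append("delegated permission %s on %s: the guide requires none"
                                % (access["id"], res))
                continue
            granted.setdefault(res, set()).add(role_names.get((res, access["id"]), access["id"]))
    for res in sorted(set(granted) | set(EXPECTED)):
        want, got = EXPECTED.get(res, set()), granted.get(res, set())
        if got - want:
            findings.append("extra application permissions on %s: %s" % (res, sorted(got - want)))
        if want - got:
            findings.append("missing application permissions on %s: %s" % (res, sorted(want - got)))
    if not any(k.get("usage") == "Verify" for k in app.get("keyCredentials", [])):
        findings.append("no certificate uploaded")
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret present")
    for s in secrets:  # Graph timestamps end in "Z", which older fromisoformat rejects
        start, end = (datetime.fromisoformat(s[k].replace("Z", "+00:00"))
                      for k in ("startDateTime", "endDateTime"))
        label = "client secret '%s'" % s.get("displayName")
        if end <= now:
            findings.append("%s expired on %s" % (label, end.date()))
        if end - start > MAX_SECRET_LIFETIME:
            findings.append("%s lifetime exceeds 24 months" % label)
    return findings

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock: deterministic sample

def sample_app(secret_end, drift=False):
    """Constructed application object; drift=True adds a delegated scope on
    Microsoft Graph and drops Mail.ReadWrite on Exchange Online."""
    rra = [{"resourceAppId": res,
            "resourceAccess": [{"id": placeholder_role_id(res, n), "type": "Role"}
                               for n in sorted(names)]}
           for res, names in EXPECTED.items()]
    if drift:
        by_res = {r["resourceAppId"]: r for r in rra}
        by_res[GRAPH]["resourceAccess"].append(
            {"id": placeholder_role_id(GRAPH, "User.Read"), "type": "Scope"})
        by_res[EXO]["resourceAccess"] = [a for a in by_res[EXO]["resourceAccess"]
                                         if a["id"] != placeholder_role_id(EXO, "Mail.ReadWrite")]
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {"displayName": "Graphus", "signInAudience": "AzureADMyOrg",
            "web": {"redirectUris": [REDIRECT_URI]},
            "requiredResourceAccess": rra,
            "keyCredentials": [{"type": "AsymmetricX509Cert", "usage": "Verify"}],
            "passwordCredentials": [{"displayName": "Graphus",
                                     "startDateTime": (NOW - timedelta(days=30)).strftime(fmt),
                                     "endDateTime": secret_end.strftime(fmt)}]}

if __name__ == "__main__":
    for finding in audit(sample_app(NOW + timedelta(days=700), drift=True), ROLE_NAMES, NOW):
        print(finding)
```

<p>Run as is, the script prints the two findings for the drifted sample (the delegated scope and the missing Exchange Online Mail.ReadWrite role). To audit a real registration, load the JSON from <code>az ad app show --id &lt;appId&gt;</code>, build the role map from the <code>appRoles</code> of the three resource service principals, and call <code>audit()</code> with <code>datetime.now(timezone.utc)</code>. The comparison is deliberately exact in both directions: an extra application permission is as much a finding as a missing one, since anything beyond the list above widens what a leaked client secret can do.</p>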