Graphus for Office 365 Activation Guide

1. Graphus Application Activation

Note: The activation process must be carried out by a Global Administrator of your organization's Azure AD tenant, because granting admin consent for application permissions (step 17) requires that role.

Steps

  1. Log in to the Office 365 portal and select Admin.
    graphus_app_activ1.PNG
  2. Under Admin centers, click Azure Active Directory.
    graphus_app_activ2.PNG
  3. In the Azure Active Directory admin center, click Azure Active Directory.
    graphus_app_activ3.PNG
  4. Under the Manage section, click App registrations and then choose New registration.
    graphus_app_activ4.PNG
  5. On the Register an application page, enter Graphus as the Name and, under Supported account types, select Accounts in this organizational directory only (single tenant). In the Redirect URI section, select Web and enter https://eucloud.graph.us/login. Then click Register.
    graphus_app_activ5.PNG
  6. Copy and save the Application (client) ID; it is needed in step 10.
    graphus_app_activ6.PNG
  7. In the Manage section, select Certificates & secrets and upload the certificate file generated in the Graphus MSP portal.
    graphus_app_activ7.PNG
  8. The uploaded certificate file should look like the one depicted below in the Certificates section.
    graphus_app_activ8.PNG
  9. On the Graphus – Certificates & secrets page, click New client secret, enter Graphus in the Description field, select 24 months from the Expires dropdown menu, and click Add. Record the expiry date: once the secret expires Graphus can no longer authenticate to your tenant, so a new secret must be created here and entered in the Graphus MSP portal before then.
    graphus_app_activ9.PNG
  10. This generates a secret value, shown in the Value column of the client secret created in the previous step.
    graphus_app_activ10.PNG
    Copy the value immediately after creation. Enter the Application (client) ID (from step 6) and this client secret value on the activation page of the Graphus MSP portal, then click Activate organization.

    Note: The value is shown only once and cannot be retrieved after you leave this blade; if it is lost, delete the secret and create a new one. Treat it like a password: together with the permissions granted below, it gives application-level access to every mailbox in the tenant.

    Graphus requires application permissions on several Microsoft APIs. For the purpose of each permission, refer to Required Permissions in this guide.
  11. In the Manage section, select API permissions, click Add a permission, then select Microsoft Graph from the APIs.
    graphus_app_activ11.PNG
  12. For Microsoft Graph, choose Application permissions, then select the following 10 permissions and click Add permissions.

    Contacts
    • Read (Contacts.Read: Read contacts in all mailboxes)

    Directory
    • Read.All (Directory.Read.All: Read directory data)

    Group
    • Read.All (Group.Read.All: Read all groups)

    MailboxSettings
    • Read (MailboxSettings.Read: Read all user mailbox settings)

    Mail
    • Read (Mail.Read: Read mail in all mailboxes)
    • ReadWrite (Mail.ReadWrite: Read and write mail in all mailboxes)

    Member
    • Read.Hidden (Member.Read.Hidden: Read all hidden memberships)

    People
    • Read.All (People.Read.All: Read all users' relevant people lists)

    User
    • Export.All (User.Export.All: Export user's data)
    • Read.All (User.Read.All: Read all users' full profiles)

    Note: No Delegated permissions are required.
      graphus_app_activ12.PNG

      graphus_app_activ12a.PNG

      graphus_app_activ12b.PNG
  13. Click Add a permission, select tab APIs my organization uses, search for Office 365 Exchange Online, and select Office 365 Exchange Online API from the results.
    graphus_app_activ13.PNG
  14. For Office 365 Exchange Online, choose Application permissions, then select the following six permissions and click Add permissions.

    Contacts
    • Read (Contacts.Read: Read contacts in all mailboxes)

    MailboxSettings
    • Read (MailboxSettings.Read: Read all user mailbox settings)

    Mail
    • Read (Mail.Read: Read mail in all mailboxes)
    • ReadWrite (Mail.ReadWrite: Read and write mail in all mailboxes)

    User
    • Read.All (User.Read.All: Read all users' full profiles)
    • ReadBasic.All (User.ReadBasic.All: Read all users' basic profiles)

    Note: No Delegated permissions are required.
    graphus_app_activ14a.PNG

    graphus_app_activ14b.PNG

  15. Click Add a permission, select the tab APIs my organization uses, search for Windows Azure Active Directory (the legacy Azure AD Graph API), and select Windows Azure Active Directory from the results.
    graphus_app_activ15.PNG
  16. For Windows Azure Active Directory, choose Application permissions, then select the following two permissions and click Add permissions.

    Directory
    • Read.All (Directory.Read.All: Read directory data)

    Member
    • Read.Hidden (Member.Read.Hidden: Read all hidden memberships)

    Note: No Delegated permissions are required.
      graphus_app_activ16.PNG
  17. Click the Grant admin consent for <your organization> button in the Grant consent section, then click Yes in the confirmation popup. Afterwards, the Status column of every permission listed above should read Granted for <your organization>; a permission still showing Not granted has not been consented.
    graphus_app_activ17.PNG
    If the action is successful, the confirmation message will be displayed as below.
    graphus_app_activ17a.PNG
    Note: It usually takes 5 to 10 minutes for the changes to take effect in Azure AD.
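    The following script is an added post-activation check, not part of this guide or of the Graphus product. Using the tenant ID, the Application (client) ID from step 6 and the client secret from step 10, it obtains an app-only token for each of the three APIs with the OAuth 2.0 client credentials grant, reads the roles claim of each token and compares it with the permission lists in the Required Permissions section. Missing roles mean consent has not taken effect (or has not propagated yet); extra roles mean the registration holds more than the guide asks for and should be reviewed. The file name check_graphus_app.py, the helper names and the make_unsigned_token fixture are assumptions made for this example; the token endpoint, the resource identifiers and the AADSTS error codes in the comments are standard Azure AD values. In a tenant where the legacy Azure AD Graph API has been retired, the Windows Azure Active Directory token request may be refused regardless of consent.

```python
"""check_graphus_app.py: verify the Graphus app registration after admin consent.

For each API the guide grants permissions on, request an app-only token with the
client credentials grant (Application (client) ID + client secret), read the
token's `roles` claim and compare it with the permissions the guide lists.
"""
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Resource identifiers of the three APIs; the v2.0 endpoint takes "<resource>/.default".
RESOURCES = {
    "Microsoft Graph": "https://graph.microsoft.com",
    "Office 365 Exchange Online": "https://outlook.office365.com",
    "Windows Azure Active Directory": "https://graph.windows.net",
}

# Application permissions from the Required Permissions tables of this guide.
EXPECTED_ROLES = {
    "Microsoft Graph": {
        "Contacts.Read", "Directory.Read.All", "Group.Read.All", "MailboxSettings.Read",
        "Mail.Read", "Mail.ReadWrite", "Member.Read.Hidden", "People.Read.All",
        "User.Export.All", "User.Read.All",
    },
    "Office 365 Exchange Online": {
        "Contacts.Read", "MailboxSettings.Read", "Mail.Read", "Mail.ReadWrite",
        "User.Read.All", "User.ReadBasic.All",
    },
    "Windows Azure Active Directory": {"Directory.Read.All", "Member.Read.Hidden"},
}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a JWT without checking its signature.

    Acceptable here only because we inspect a token we just obtained over TLS
    from the token endpoint to see which roles it carries; a relying party that
    accepts tokens must validate the signature instead."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def compare_roles(granted, expected):
    """Return (missing, extra) as sorted lists relative to the expected set."""
    granted = set(granted)
    return sorted(expected - granted), sorted(granted - expected)


def audit_token(api: str, token: str) -> dict:
    """Compare the roles in an app-only token for `api` with the guide's list."""
    claims = decode_jwt_claims(token)
    missing, extra = compare_roles(claims.get("roles", []), EXPECTED_ROLES[api])
    return {"api": api, "missing": missing, "extra": extra, "ok": not missing and not extra}


def get_app_token(tenant: str, client_id: str, client_secret: str, resource: str) -> str:
    """OAuth 2.0 client credentials grant against the Azure AD v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource}/.default",
    }).encode()
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_token(claims: dict) -> str:
    """Build an unsigned (alg=none) JWT carrying `claims`. Constructed fixture
    for exercising audit_token offline; Azure AD never issues such tokens."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def main(argv):
    if len(argv) != 4:
        print("usage: check_graphus_app.py TENANT_ID CLIENT_ID CLIENT_SECRET", file=sys.stderr)
        return 2
    tenant, client_id, secret = argv[1:]
    rc = 0
    for api, resource in RESOURCES.items():
        try:
            result = audit_token(api, get_app_token(tenant, client_id, secret, resource))
        except urllib.error.HTTPError as e:
            # e.g. AADSTS7000215 for a wrong secret, or AADSTS700016 once the
            # registration has been deleted (section 3) and the app no longer exists.
            print(f"{api}: token request failed: {e.read().decode(errors='replace')}")
            rc = 1
            continue
        print(f"{api}: {'OK' if result['ok'] else 'MISMATCH'} "
              f"missing={result['missing']} extra={result['extra']}")
        rc = rc or (0 if result["ok"] else 1)
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it as `python check_graphus_app.py <tenant-id> <client-id> <client-secret>` a few minutes after step 17; every API should report OK with empty missing and extra lists. The same script doubles as a check for section 3: after the registration is deleted, all three token requests must fail, which confirms the credentials can no longer be used.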

2. Required Permissions

For Graphus to integrate with your organization and to detect and remediate the various kinds of email attacks, a set of application permissions is required on the following Microsoft APIs.

  • Microsoft Graph
  • Office 365 Exchange Online
  • Windows Azure Active Directory

The following table describes why certain permissions are needed by Graphus.

Microsoft Graph

Permission            Required for
User.Export.All       Fetching the email address, first name and last name of the users in an organization to detect impersonation.
People.Read.All       Fetching the shared contacts of a user in an organization to build the Trust Graph.
MailboxSettings.Read  Getting the current status of a mailbox.
Member.Read.Hidden    Getting all groups (public and private, including hidden memberships) that a user belongs to; used by Graphus to detect mail sent to group email addresses.
Mail.Read             Detection of email attacks.
Mail.ReadWrite        Detection of email attacks and insertion of EmployeeShield in an email; also required to delete mail from a user's inbox when an email attack needs to be quarantined.
Contacts.Read         Fetching the email addresses, first name and last name of the users in an organization to detect user impersonation.
Group.Read.All        Getting all groups that a user belongs to; used by Graphus to detect mail sent to group email addresses, and needed when only a subset of the users in a group is to be protected.
Directory.Read.All    Fetching detailed attributes of all users and groups in an organization for the detection of email attacks.
User.Read.All         Deciding whether Graphus should process a user's mailbox; also required in the OAuth flow.

 

Office 365 Exchange Online

Permission            Required for
User.Read.All         Deciding whether Graphus should process a user's mailbox; also required in the OAuth flow.
User.ReadBasic.All    Deciding whether Graphus should process a user's mailbox; also required to fetch the email address, first name and last name of the users in an organization to detect user impersonation.
MailboxSettings.Read  Getting the current status of a mailbox.
Contacts.Read         Fetching the email addresses, first name and last name of the users in an organization to detect user impersonation.
Mail.Read             Detection of email attacks.
Mail.ReadWrite        Detection of email attacks and insertion of EmployeeShield in a mail; also required to delete mail from a user's inbox when an email attack needs to be quarantined.

 

Windows Azure Active Directory

Permission            Required for
Member.Read.Hidden    Getting all groups (public and private, including hidden memberships) that a user belongs to; used by Graphus to detect mail sent to group email addresses.
Directory.Read.All    Fetching detailed attributes of all users and groups in an organization for the detection of email attacks.

3. Graphus Application Deactivation

If, for any reason, you want to remove the Graphus application from your environment, follow the steps below.

Steps

  1. Log in to the Office 365 portal and select Admin.
    graphus_app_deactiv1.PNG
  2. Expand Admin centers and choose Azure Active Directory.
    graphus_app_deactiv2.PNG
  3. Click Azure Active Directory.
    graphus_app_deactiv3.PNG
  4. In the Manage section, click App registrations and then choose the Graphus application from the application list.
    graphus_app_deactiv4.PNG
  5. Click the Delete button for the Graphus application.
    graphus_app_deactiv5.PNG
  6. Click Yes on the confirmation popup.
    graphus_app_deactiv6.PNG
    After deletion is successful, a confirmation message will appear as depicted below.
    graphus_app_deactiv7.PNG
    After this step, the Graphus application, its service principal and the API permissions consented to it are removed from your tenant, and the client secret and certificate registered under it can no longer be used to obtain tokens. Note that Azure AD keeps a deleted app registration restorable for 30 days under Deleted applications; to make the removal immediate and irreversible, permanently delete it there as well.