1. Graphus Application Activation
Note: The activation process has to be carried out by the global administrator of Azure AD for your organization.
Steps
- Login to Office 365 portal and select Admin.
- Under Admin centers, click Azure Active Directory.
- In the Azure Active Directory admin center, click Azure Active Directory.
- Under the Manage section, click App registrations and then choose New registration.
- In the Register an application page, enter the name as Graphus and select Supported account types as Accounts in this organizational directory only. In the Redirect URI section, select Web and enter https://eucloud.graph.us/login as the URL. Then, click Register.
- Copy and save the Application (client) ID. It will be used in a step later.
- In the Manage section, select Certificates & secrets. Upload the certificate file generated from Graphus MSP portal.
- The uploaded certificate file should look like the one depicted below in the Certificates section.
- In the Graphus – Certificates & secrets page, click New client secret, enter Graphus in the Description field, select 24 months from the Expires dropdown menu, and click Add.
- This will automatically generate a value which will be displayed under the Value field corresponding to the client secret created in the above step.
Copy the value immediately after the creation. Update Application (client) ID (refer step 6) and this client secret value in Graphus MSP portal activation page. Click Activate organization on Graphus MSP portal.
Note: This value will no longer be accessible after you leave this blade.
Graphus requires permissions from the APIs provided by Microsoft. To learn more about these permissions, refer to Required Permissions of this guide. - In the Manage section, select API permissions, click Add a permission, then select Microsoft Graph from the APIs.
- For Microsoft Graph API, choose Application Permissions, then select the below 10 permissions and click Add permissions.
Contacts
- Read (Read contacts in all mailboxes)
Directory
- Read.All (Read directory data)
Group
- Read.All (Read all groups)
MailboxSettings
- Read (Read all user mailbox settings)
Mail
- Read (Read mail in all mailboxes)
- ReadWrite (Read and write mail in all mailboxes)
Member
- Read.Hidden (Read all hidden memberships)
People
- Read.All (Read all users' relevant people lists)
User
- Export.All (Export user's data)
- Read.All (Read all users' full profiles)
Note: None of the DELEGATED PERMISSIONS are required.
- Click Add a permission, select tab APIs my organization uses, search for Office 365 Exchange Online, and select Office 365 Exchange Online API from the results.
- For Office 365 Exchange Online API, choose Application Permissions, then select the below six permissions and click Add permissions.
Contacts
- Read (Read contacts in all mailboxes)
MailboxSettings
- Read (Read all user mailbox settings)
Mail
- Read (Read mail in all mailboxes)
- ReadWrite (Read and write mail in all mailboxes)
User
- Read.All (Read all users' full profiles)
- ReadBasic.All (Read all users' basic profiles)
Note: None of the DELEGATED PERMISSIONS are required.
- Click Add a permission, select the tab APIs my organization uses, search for Windows Azure Active Directory, and select Windows Azure Active Directory API from the results.
- For Windows Azure Active Directory API, choose Application Permissions, then select the below two permissions and click Add permissions.
Directory
- Read.All (Read directory data)
Member
- Read.Hidden (Read all hidden memberships)
Note: None of the DELEGATED PERMISSIONS are required.
- Click Grant admin consent for <your organization> button in Grant Consent section. Then, click Yes button on the confirmation popup.
If the action is successful, the confirmation message will be displayed as below.
Note: It usually takes 5 -10 minutes for the changes to take effect in Azure AD.
2. Required Permissions
For the seamless integration of Graphus application with your organization and detection and remediation of various kinds of email attacks, a set of permissions is required for following Microsoft APIs.
- Microsoft Graph
- Office 365 Exchange Online
- Windows Azure Active Directory
The following table describes why certain permissions are needed by Graphus.
Microsoft Graph | |
Permission | Required for |
User.Export.All | Required to fetch the email address, first name and last name of the users in an organization to detect the impersonation. |
People.Read.All | Required to fetch the shared contacts of a user in an organization to build the Trust Graph. |
MailboxSettings.Read | Required to get the current status of a mailbox. |
Member.Read.Hidden | Required to get the information of all the groups (public and private) that a user belongs to. It is used by Graphus to detect mails sent to group email addresses. |
Mail.Read | Required by Graphus for the detection of email attacks. |
Mail.ReadWrite | Required by Graphus for detection of email attacks and insertion of EmployeeShield in an email. This is also required to delete mail from a user's inbox when an email attack needs to be quarantined. |
Contacts.Read | Required to fetch the email addresses, first name and last name of the users in an organization to detect user impersonation. |
Group.Read.All | Required to get the information of all the groups that a user belongs to. It is used by Graphus to detect mails sent to group email addresses. This is also needed when only a subset of users belonging to a group is required to be protected. |
Directory.Read.All | Required to fetch detailed attributes of all the users and groups in an organization for detection of email attacks. |
User.Read.All | Required to make a decision to either process the user's mailbox by Graphus or not. This information is also required in the oAuth flow. |
Office 365 Exchange Online | |
Permission | Required for |
User.Read.All | Required to make a decision to either process the user's mailbox by Graphus or not. This information is also required in the oAuth flow. |
User.ReadBasic.All | Required to make a decision to either process the user's mailbox by Graphus or not. This information is also required to fetch the email address, first name and last name of the users in an organization to detect user impersonation. |
MailboxSettings.Read | Required to get the current status of a mailbox. |
Contacts.Read | Required to fetch the email addresses, first name and last name of users in an organization to detect user impersonation. |
Mail.Read | Required by Graphus for the detection of email attacks. |
Mail.ReadWrite | Required by Graphus for detection of email attacks and insertion of EmployeeShield in a mail. This is also required to delete mail from a user's inbox when an email attack needs to be quarantined. |
Windows Azure Active Directory | |
Permission | Required for |
Member.Read.Hidden | Required to get the information of all the groups (public and private) that a user belongs to. It is used by Graphus to detect mails sent to group email addresses |
Directory.Read.All | Required to fetch deep-level information of all users and groups in an organization for detection of email attacks |
3. Graphus Application Deactivation
If, for any reason, you want to deactivate Graphus application from your environment, then please follow the below steps.
Steps
- Login to Office 365 portal and select Admin.
- Expand Admin centers and choose Azure Active Directory.
- Click Azure Active Directory.
- In the Manage section, click App registrations and then choose the Graphus application from the application list.
- Click the Delete button for the Graphus application.
- Click Yes on the confirmation popup.
After deletion is successful, a confirmation message will appear as depicted below.
After this step, the Graphus application and its associated API permissions will be successfully removed.