These instructions are for admins utilizing the SafeSend Web Add-in with Microsoft 365. These steps do not apply if you are using Microsoft Exchange Server.
- Sign in to Microsoft Azure Active Directory Admin Center with your administrator credentials
- Select New Registration
- On the Register an Application page, set the following values:
- Name: VIPRE SafeSend Graph API Resource
- Supported account types: Accounts in any organizational directory (any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox, etc)
- In the Redirect URI section, select Web from the drop-down menu, then set URI to your SafeSend site URL using the following format: 'https://<yoursafesendsiteurl>/login'
- Choose Register
- On the SafeSend page, copy and save the Application (client) ID; you'll need this later
- Under the Manage section, select Authentication
- Under Implicit Grant and Hybrid Flows, check the box next to Access Tokens (used for implicit flows) and ID Tokens, and click Save
- Still under the Manage section, select Certificates & Secrets, then Certificate
- Under Certificates, select Upload Certificate
- Select a certificate file (.cer extension) and enter a value for Description
- This is a file you can create yourself or obtain through a third-party certificate authority; it is not provided to you by VIPRE
- Click Add, then copy and save the Thumbprint value; you'll need this later for a setting called AppCertificateThumbprint
- Enter a value for Description, select an appropriate option for Expires, then click Add
- Still under Manage, select Expose an API
- Choose the Set link that appears after Application ID URI
- In the Set App URI panel, change the default value by adding your host before the GUID listed
- Example: If the default value is api://05adb30e-50fa-4ae2-9cec-eab2cd6095b0, and your app is running on <yoursafesendhost>, the value should be api://<yoursafesendhost>/05adb30e-50fa-4ae2-9cec-eab2cd6095b0
- Click Save
- Select Add a Scope
- A panel will open; enter access_as_user as the Scope name
- Who can consent? should be set to Admins only
- Fill in the fields for configuring the admin consent prompt with values that are appropriate for the `access_as_user` scope
- This enables the Office client application to use your SafeSend add-in's web APIs with the same rights as the current user
- Examples:
- Admin consent display name: Office can act as the user
- Admin consent description: Enable Office to call the add-in's web APIs with the same rights as the current user
- Set State to Enabled
- Select Add Scope
- In the Authorized client applications section, identify the applications that you want to authorize to your SafeSend add-in's web application
- Each of the following IDs needs to be pre-authorized:
- d3590ed6-52b3-4102-aeff-aad2292ab01c (Microsoft Office)
- ea5a67f6-b6f3-4338-b240-c655ddc3cc8e (Microsoft Office)
- 57fb890c-0dab-4253-a5e0-7188c88b2bb4 (Office on the web)
- 08e18876-6177-487e-b8b5-cf950c1e598c (Office on the web)
- bc59ab01-8403-45c6-8796-ac3ef710b3e3 (Outlook on the web)
- For each of the IDs above, take the following steps:
- Select Add a client application button
- In the panel that opens, set the Client ID to the respective GUID
- Check the box for api://<yoursafesendhost>/$App ID GUID$/access_as_user
- Select Add application
- Under Manage, select API Permissions, then Add a Permission
- On the panel that opens, choose Microsoft Graph then Delegated Permissions
- Using the Select Permissions search box, search for the following permissions
- Calendars.ReadWrite.Shared
- Files.ReadWrite
- Mail.ReadWrite.Shared
- offline_access
- openid
- profile
- User.Read
- Select the checkbox for each permission as it appears; after selecting the permissions, click Add Permissions at the bottom of the panel
- On the same page, choose Grant Admin Consent for [tenant name] button
- Select Yes to confirm
Important
After choosing Grant Admin Consent for [tenant name], you may see a banner message asking you to try again in a few minutes so that the consent prompt can be constructed. If you see that message, you can continue to the next step; however, it is important that you do not forget to come back to this step.
- Update the following settings via Azure portal configuration:
- Update AppID using the AppID from Step 5 above
- Update AppCertificateThumbprint using the certificate thumbprint from Step 9 above
- Ensure EmailProviderUrl is set to https://graph.microsoft.com
- Navigate to https://<yoursafesendhost>/manifest to download the manifest file
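A way to check the finished registration against the steps above, as an added example (not VIPRE's or Microsoft's code). It assumes the registration has been exported as a Microsoft Graph `application` JSON object and that the SafeSend site URL is `https://<host>`; `audit_registration`, `SAMPLE`, `SCOPE_ID` and `safesend.example.com` are constructed for illustration, and the Graph delegated permissions and certificate are not checked.

```python
# Client IDs the page lists for pre-authorization.
REQUIRED_CLIENTS = {
    "d3590ed6-52b3-4102-aeff-aad2292ab01c", "ea5a67f6-b6f3-4338-b240-c655ddc3cc8e",
    "57fb890c-0dab-4253-a5e0-7188c88b2bb4", "08e18876-6177-487e-b8b5-cf950c1e598c",
    "bc59ab01-8403-45c6-8796-ac3ef710b3e3",
}

def audit_registration(app, host):
    """Return findings for a Graph `application` object; [] means it matches."""
    findings = []
    want_uri = f"api://{host}/{app['appId']}"
    if want_uri not in app.get("identifierUris", []):
        findings.append(f"Application ID URI should be {want_uri}")
    web = app.get("web", {})
    if f"https://{host}/login" not in web.get("redirectUris", []):
        findings.append(f"redirect URI https://{host}/login is missing")
    grant = web.get("implicitGrantSettings", {})
    for flag in ("enableAccessTokenIssuance", "enableIdTokenIssuance"):
        if not grant.get(flag):
            findings.append(f"{flag} is not enabled")
    api = app.get("api", {})
    scope = next((s for s in api.get("oauth2PermissionScopes", [])
                  if s.get("value") == "access_as_user"), None)
    if scope is None:
        return findings + ["scope access_as_user is not defined"]
    if scope.get("type") != "Admin":
        findings.append("access_as_user: 'Who can consent?' is not Admins only")
    if not scope.get("isEnabled"):
        findings.append("access_as_user: State is not Enabled")
    # A client counts only if it is pre-authorized for this scope's id.
    granted = {p["appId"] for p in api.get("preAuthorizedApplications", [])
               if scope["id"] in p.get("delegatedPermissionIds", [])}
    for cid in sorted(REQUIRED_CLIENTS - granted):
        findings.append(f"client {cid} is not pre-authorized for the scope")
    for cid in sorted(granted - REQUIRED_CLIENTS):
        findings.append(f"client {cid} is pre-authorized but not on the list")
    return findings

SCOPE_ID = "11111111-1111-1111-1111-111111111111"  # placeholder; SAMPLE is constructed
SAMPLE = {
    "appId": "05adb30e-50fa-4ae2-9cec-eab2cd6095b0",
    "identifierUris": ["api://05adb30e-50fa-4ae2-9cec-eab2cd6095b0"],
    "web": {"redirectUris": ["https://safesend.example.com/login"],
            "implicitGrantSettings": {"enableAccessTokenIssuance": True}},
    "api": {"oauth2PermissionScopes": [{"id": SCOPE_ID, "value": "access_as_user",
                                        "type": "User", "isEnabled": True}],
            "preAuthorizedApplications": [
                {"appId": c, "delegatedPermissionIds": [SCOPE_ID]}
                for c in sorted(REQUIRED_CLIENTS)[1:]]},
}
```

Calling `audit_registration(SAMPLE, "safesend.example.com")` reports the default Application ID URI, the missing ID token setting, the user-consentable scope and the one client that was not pre-authorized.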
Using SafeSend Web Add-in with a Different Tenant than the one you Registered the Application with
To use the SafeSend Web Add-in with a different tenant than the one you registered with, you will need access to a tenant administrator account to perform consent for all of your Microsoft 365 users.
- Browse to `https://login.microsoftonline.com/common/adminconsent?client_id={AppId}&state=12345`, where `{AppId}` is the application ID shown in your app registration
- Sign in with your administrator account, then review the permissions and click Accept
- The browser will attempt to redirect back to your app, which may not be running
- You might see a This Site cannot be Reached error after clicking Accept; this is okay as the consent was still recorded