Web Add-in: Microsoft Graph API Setup for SafeSend

For admins utilizing the SafeSend Web Add-in with Microsoft 365

Written By Marissa Fegan (Super Administrator)

Updated at November 13th, 2023

These instructions are for admins utilizing the SafeSend Web Add-in with Microsoft 365. These steps do not apply if you are using Microsoft Exchange Server. 

  1. Sign in to Microsoft Azure Active Directory Admin Center with your administrator credentials
  2. Select New Registration
  3. On the Register an Application page, set the following values:
    • Name: VIPRE SafeSend Graph API Resource
    • Supported account types: Accounts in any organizational directory (any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox, etc)
    • In the Redirect URI section, select Web from the drop-down menu, then set URI to your SafeSend site URL using the following format: 'https://<yoursafesendsiteurl>/login'
  4. Choose Register
  5. On the SafeSend page, copy and save the Application (client) ID; you'll need this later
  6. Under the Manage section, select Authentication
  7. Under Implicit Grant and Hybrid Flows, check the box next to Access Tokens (used for implicit flows) and ID Tokens, and click Save
  8. Still under the Manage section, select Certificates & Secrets, then Certificate
  9. Under Certificates, select Upload Certificate
    • Select a certificate file (.cer extension) and enter a value for Description 
      • This is a file you can create yourself or obtain through a third-party certificate authority; it is not provided to you by VIPRE
    • Click Add, then copy and save the Thumbprint value; you'll need this later for a setting called AppCertificateThumbprint
  10. Enter a value for Description, select an appropriate option for Expires, then click Add
  11. Still under Manage, select Expose an API
  12. Choose the Set link that appears after Application ID URI
  13. In the Set App URI panel, change the default value by adding your host before the GUID listed
    • Example: If the default value is api://05adb30e-50fa-4ae2-9cec-eab2cd6095b0, and your app is running on <yoursafesendhost>, the value should be api://<yoursafesendhost>/05adb30e-50fa-4ae2-9cec-eab2cd6095b0
  14. Click Save
  15. Select Add a Scope 
  16. A panel will open; enter access_as_user as the Scope name
  17. Who can consent? should be set to Admins only
  18. Fill in the fields for configuring the admin consent prompt with values that are appropriate for the `access_as_user` scope
    • This enables the Office client application to use your SafeSend add-in's web APIs with the same rights as the current user
    • Examples: 
      • Admin consent display name: Office can act as the user
      • Admin consent description: Enable Office to call the add-in's web APIs with the same rights as the current user
  19. Set State to Enabled
  20. Select Add Scope
  21. In the Authorized client applications section, identify the applications that you want to authorize to your SafeSend add-in's web application
    • Each of the following IDs needs to be pre-authorized:
      • d3590ed6-52b3-4102-aeff-aad2292ab01c (Microsoft Office)
      • ea5a67f6-b6f3-4338-b240-c655ddc3cc8e (Microsoft Office)
      • 57fb890c-0dab-4253-a5e0-7188c88b2bb4 (Office on the web)
      • 08e18876-6177-487e-b8b5-cf950c1e598c (Office on the web)
      • bc59ab01-8403-45c6-8796-ac3ef710b3e3 (Outlook on the web)
  22. For each of the IDs above, take the following steps:
    1. Select the Add a client application button
    2. In the panel that opens, set the Client ID to the respective GUID 
    3. Check the box for api://<yoursafesendhost>/$App ID GUID$/access_as_user
    4. Select Add application
  23. Under Manage, select API Permissions, then Add a Permission
  24. On the panel that opens, choose Microsoft Graph then Delegated Permissions
  25. Using the Select Permissions search box, search for the following permissions
    • Calendars.ReadWrite.Shared
    • Files.ReadWrite
    • Mail.ReadWrite.Shared
    • offline_access
    • openid
    • profile
    • User.Read
  26. Select the checkbox for each permission as it appears; after selecting the permissions, click Add Permissions at the bottom of the panel
  27. On the same page, choose the Grant Admin Consent for [tenant name] button
  28. Select Yes to confirm

Important

After choosing Grant Admin Consent for [tenant name], you may see a banner message asking you to try again in a few minutes so that the consent prompt can be constructed. If you see that message, you can continue to the next step; however, it is important that you do not forget to come back to this step.

 

 

  1. Update the following settings via Azure portal configuration:
    1. Update AppID using the AppID from Step 5 above
    2. Update AppCertificateThumbprint using the certificate thumbprint from Step 9 above
    3. Ensure EmailProviderUrl is set to https://graph.microsoft.com
  2. Navigate to https://<yoursafesendhost>/manifest to download the manifest file
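
One way to check the finished registration against the steps above, as an added example that is not VIPRE's or Microsoft's code. It assumes the app registration has been exported as a Microsoft Graph application object (for example the JSON printed by `az ad app show --id <AppId>`); the host name, scope id and the `2222...` client are constructed placeholders, and the check for extra pre-authorized clients goes beyond the page's steps.

```python
OFFICE_CLIENTS = {  # client IDs the page lists in step 21
    "d3590ed6-52b3-4102-aeff-aad2292ab01c", "ea5a67f6-b6f3-4338-b240-c655ddc3cc8e",
    "57fb890c-0dab-4253-a5e0-7188c88b2bb4", "08e18876-6177-487e-b8b5-cf950c1e598c",
    "bc59ab01-8403-45c6-8796-ac3ef710b3e3",
}

def audit_registration(app, host):
    """Return findings; an empty list means the export matches the steps."""
    findings = []
    web, api = app.get("web", {}), app.get("api", {})
    if f"api://{host}/{app['appId']}" not in app.get("identifierUris", []):
        findings.append("step 13: Application ID URI is not api://<host>/<AppId>")
    if f"https://{host}/login" not in web.get("redirectUris", []):
        findings.append("step 3: redirect URI https://<host>/login missing")
    grant = web.get("implicitGrantSettings", {})
    if not (grant.get("enableAccessTokenIssuance") and grant.get("enableIdTokenIssuance")):
        findings.append("step 7: access and ID token issuance not both enabled")
    scope = next((s for s in api.get("oauth2PermissionScopes", [])
                  if s.get("value") == "access_as_user"), None)
    if scope is None:
        return findings + ["step 16: scope access_as_user missing"]
    if scope.get("type") != "Admin":
        findings.append("step 17: access_as_user is not Admins only")
    if not scope.get("isEnabled"):
        findings.append("step 19: access_as_user is not Enabled")
    pre = {p["appId"]: p.get("delegatedPermissionIds", [])
           for p in api.get("preAuthorizedApplications", [])}
    for cid in sorted(OFFICE_CLIENTS):
        if scope["id"] not in pre.get(cid, []):
            findings.append(f"step 22: {cid} not pre-authorized for access_as_user")
    for cid in sorted(set(pre) - OFFICE_CLIENTS):  # extra check, not a page step
        findings.append(f"pre-authorized client {cid} is not in the step 21 list")
    return findings

# Constructed sample (host, scope id and the 2222... client are placeholders):
# scope left user-consentable, Outlook on the web missing, one extra client.
HOST, SCOPE_ID = "safesend.example.com", "11111111-1111-1111-1111-111111111111"
APP_ID = "05adb30e-50fa-4ae2-9cec-eab2cd6095b0"  # example GUID from step 13
SAMPLE = {
    "appId": APP_ID, "identifierUris": [f"api://{HOST}/{APP_ID}"],
    "web": {"redirectUris": [f"https://{HOST}/login"],
            "implicitGrantSettings": {"enableAccessTokenIssuance": True, "enableIdTokenIssuance": True}},
    "api": {"oauth2PermissionScopes": [{"id": SCOPE_ID, "value": "access_as_user",
                                        "type": "User", "isEnabled": True}],
            "preAuthorizedApplications": [
                {"appId": c, "delegatedPermissionIds": [SCOPE_ID]}
                for c in sorted(OFFICE_CLIENTS - {"bc59ab01-8403-45c6-8796-ac3ef710b3e3"})
                + ["22222222-2222-2222-2222-222222222222"]]}}
print("\n".join(audit_registration(SAMPLE, HOST)))
```

Delegated Graph permissions from step 25 are not checked here because the export stores them as permission GUIDs rather than names.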

 

Using SafeSend Web Add-in with a Different Tenant than the one you Registered the Application with

To use the SafeSend Web Add-in with a different tenant than the one you registered with, you will need access to a tenant administrator account to grant consent for all of your Microsoft 365 users.

  1. Browse to `https://login.microsoftonline.com/common/adminconsent?client_id={AppId}&state=12345`, where `{AppId}` is the application ID shown in your app registration
  2. Sign in with your administrator account, then review the permissions and click Accept
  3. The browser will attempt to redirect back to your app, which may not be running
    • You might see a This Site cannot be Reached error after clicking Accept; this is okay as the consent was still recorded