Microsoft 365
Introduction

This guide explains how to authenticate the Microsoft Graph API connector in Swimlane using one of the following authentication methods:

- OAuth 2.0 client credentials (application permissions)
- OAuth 2.0 refresh token grant (delegated permissions, for accounts with MFA)

You will create an Azure app registration, assign API permissions, collect the required identifiers, and configure the connector inside Swimlane.

Prerequisites

Azure access requirements

You must have Azure permissions to:

- register applications in Azure Active Directory
- assign API permissions and grant admin consent
- create and manage client secrets
- assign directory roles (Global Reader, Security Reader)
- view tenant, subscription, and organizational properties

Required credentials

During setup, you will collect:

- Client ID
- Client secret
- Tenant ID
- Token URL (client credentials flow)
- Refresh token (refresh token flow)
- Scope(s) (the API permissions required for Office 365)
- Host URL (the Office 365 service endpoint)

Authentication methods overview

OAuth 2.0 client credentials

The application authenticates as itself with application permissions. No user signs in, so MFA does not apply; use this for server-to-server automation. You will need:

- Client ID
- Client secret
- Tenant ID
- Token URL (must include the tenant ID)
- Scope(s)

OAuth 2.0 refresh token grant

The connector acts on behalf of a signed-in user with delegated permissions. Use this when the Office 365 account has MFA enabled, or when you need a long-lived token flow based on user authentication. You will need:

- Client ID
- Client secret
- Refresh token
- Redirect URI (added during Azure app registration)

Azure setup

Register the application:

1. Go to Azure portal > Azure Active Directory > App registrations.
2. Click New registration.
3. Enter an application name.
4. Select Accounts in this organizational directory only.
5. Refresh token method only: add a redirect URI (platform: Web). It must exactly match the redirect URI the refresh token script uses.
6. Click Register.

Assign the API permissions:

1. Open the API permissions tab.
2. Click Add a permission.
3. Select APIs my organization uses.
4. Search for and select Office 365 Exchange Online.
5. Add the required permissions. ReportingWebService.Read (listed in the portal as ReportingWebService.Read.All) is recommended for message trace reports; add any other permissions your actions need. Pick Application permissions for the client credentials method and Delegated permissions for the refresh token method, since a token only carries the permission type that matches its grant.
6. Click Add permissions.
7. Click Grant admin consent for <your organization>.

Generate a client secret:

1. Go to Certificates & secrets.
2. Click New client secret.
3. Add a description and an expiration.
4. Click Add.
5. Copy and save the Value immediately; it is shown only once, and the Secret ID is not the secret. This saved value is the client secret.

Collect the required identifiers:

- From App registration > Overview, copy the Application (client) ID and the Directory (tenant) ID.
- From the Office 365 Azure tenant workspace, copy the organization/tenant ID, the subscription ID (if applicable to your environment), and any other Office 365 identifiers your actions use.

Additional step (required for trace reports): assign directory roles

The Office 365 message trace APIs require the Global Reader and Security Reader roles. Assign them to the application's service principal:

1. Go to Azure Active Directory.
2. Open Roles and administrators.
3. Search for Global Reader.
4. Click the role name (not the checkbox).
5. Click Add assignments.
6. Search for your app, select it, and click Add.
7. Set Assignment type to Active.
8. Repeat for Security Reader.

Method 1: authenticate using OAuth 2.0 client credentials

Token URL format:

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

Use your tenant ID (the directory GUID or a verified domain) in the path; the client credentials grant is not served on the common endpoint. On the v2.0 endpoint the scope is the resource followed by /.default, which requests every application permission consented on the registration (for Office 365 Exchange Online, https://outlook.office365.com/.default).

Host URL: your Office 365 endpoint (usually service-specific).

Method 2: authenticate using OAuth 2.0 refresh token grant

Use this for MFA-enabled accounts. Additional requirements:

- The redirect URI must be provided during registration.
- A refresh token must be generated using the Swimlane-provided script.

How the refresh token is generated

Swimlane provides a Python script, with instructions, to log in using your Azure user; the browser sign-in is where MFA is completed. The script returns:

- a refresh token
- an access token (not used in Turbine)

Refresh tokens expire after 90 days by default, or sooner if your organization enforces a shorter policy; a password change or a revocation of the user's sessions also invalidates them. You must update the asset with a newly generated refresh token before it expires.

Connector configuration in Swimlane

1. Log in to Turbine.
2. From the left-hand navigation pane, click Orchestration, then click Assets. The Assets homepage opens.
3. Click the + icon to create a new asset.
4. Select Microsoft Office 365 from the asset type list.
5. Fill in the asset settings and asset inputs as shown below.

a) Configuration: OAuth 2.0 client credentials

Field | Description | Required/Optional
URL | Office 365 host URL | Required
Token URL | Token URL including the tenant ID | Required
Client ID | Client ID from Azure | Required
Client secret | Client secret from Azure | Required
Scope | API scope added in the permissions step | Required
Verify SSL | SSL verification | Optional
HTTP proxy | Proxy to route requests through | Optional

Fields marked * are required.

b) Configuration: OAuth 2.0 refresh token grant

Field | Description | Required/Optional
URL | Office 365 host URL | Required
Client ID | Client ID | Required
Client secret | Client secret | Required
Refresh token | Refresh token generated via the script | Required
Verify SSL | SSL verification | Optional
HTTP proxy | Proxy to route requests through | Optional

Fields marked * are required. Leave Verify SSL enabled unless you are deliberately inspecting the traffic; disabling it lets a forged token endpoint or proxy capture the client secret and tokens.

6. Click Create.

Troubleshooting

If you encounter a 403 Forbidden error:

- ensure the Global Reader and Security Reader roles are correctly assigned
- confirm admin consent is granted
- verify the API permissions match the connector actions (application permissions for client credentials, delegated permissions for the refresh token grant)

If you encounter a 401 Unauthorized error:

- incorrect or expired client secret: create a new one
- missing scopes: re-add the required permissions
- token expired: regenerate the refresh token

You have successfully authenticated the Microsoft Office 365 connector in Swimlane using either client credentials or refresh token authentication.
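The requests behind method 1 and method 2, and a check of the token they return, as an added example; this is not Swimlane's refresh token script and not part of the connector. It assumes the Office 365 Exchange Online resource https://outlook.office365.com and the permission name ReportingWebService.Read.All from the permission step; the sample token is constructed and unsigned. Nothing in it contacts Microsoft, so it runs offline: it builds the token URL, the client credentials and refresh token form bodies, the authorization URL a refresh-token script would open (offline_access is what makes the token endpoint return a refresh token), and decodes an access token's roles/scp, aud and exp claims to tell a 401 from a 403 before you edit the asset.

```python
"""Pre-flight helpers for the Microsoft 365 connector credentials.
Added example, not Swimlane's script. Builds the OAuth 2.0 requests behind
method 1 and method 2 and decodes a token's claims to explain 401/403 errors.
Nothing here contacts Microsoft."""
import base64
import json
import re
import time
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"
# Assumed resource: Office 365 Exchange Online (message trace reports). '/.default'
# on the v2.0 endpoint asks for every permission consented on the app registration.
EXO_RESOURCE = "https://outlook.office365.com"
EXO_SCOPE = EXO_RESOURCE + "/.default"
_GUID = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def token_url(tenant_id):
    """Token endpoint in the format the asset expects. The tenant must be its GUID
    or a verified domain: the client credentials grant is not served on /common."""
    if not (_GUID.match(tenant_id) or "." in tenant_id):
        raise ValueError("tenant id must be a GUID or a verified domain, got %r" % tenant_id)
    return "%s/%s/oauth2/v2.0/token" % (AUTHORITY, tenant_id)


def client_credentials_request(tenant_id, client_id, client_secret, scope=EXO_SCOPE):
    """Method 1: (url, form body) for the client credentials grant (application permissions)."""
    if not scope.endswith("/.default"):
        raise ValueError("v2.0 client credentials needs a '<resource>/.default' scope")
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return token_url(tenant_id), body


def refresh_token_request(tenant_id, client_id, client_secret, refresh_token, scope=EXO_SCOPE):
    """Method 2: (url, form body) to redeem a refresh token. The response carries a
    new refresh token as well as the access token; keep the newest one."""
    body = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token, "scope": scope}
    return token_url(tenant_id), body


def authorization_url(tenant_id, client_id, redirect_uri, state, scope=EXO_SCOPE):
    """Browser sign-in URL a refresh-token script opens (the user completes MFA here).
    'offline_access' is the scope that makes the token endpoint return a refresh token;
    redirect_uri must match the one registered on the app."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": "offline_access " + scope, "state": state}
    return "%s/%s/oauth2/v2.0/authorize?%s" % (AUTHORITY, tenant_id, urllib.parse.urlencode(params))


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def inspect_access_token(jwt, now=None):
    """Decode (not verify) a bearer token. 'roles' lists the application permissions
    (method 1); 'scp' lists the delegated scopes of the signed-in user (method 2)."""
    _header, payload, _signature = jwt.split(".")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    scp = claims.get("scp", "")
    return {"aud": claims.get("aud"), "tenant": claims.get("tid"),
            "app_permissions": list(claims.get("roles", [])),
            "delegated_scopes": scp.split() if scp else [],
            "expired": claims.get("exp", 0) <= now,
            "seconds_left": int(claims.get("exp", 0) - now)}


def diagnose(jwt, required_permission, resource=EXO_RESOURCE, now=None):
    """Map the token's claims onto the 401/403 causes in the troubleshooting section."""
    info = inspect_access_token(jwt, now)
    if info["expired"]:
        return "401: token expired; request a new one (regenerate the refresh token if that fails)"
    if info["aud"] != resource:
        return "401: token audience %r is not %s; check the scope" % (info["aud"], resource)
    if required_permission not in info["app_permissions"] + info["delegated_scopes"]:
        return "403: token lacks %s; add the permission and re-grant admin consent" % required_permission
    return "token carries the expected audience and permission; check the directory roles"


def _constructed_jwt(claims):
    """Constructed, unsigned sample token for the demo; the signature part is junk."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


# Constructed sample: an app-only token such as method 1 receives after admin consent.
SAMPLE_APP_TOKEN = _constructed_jwt({"aud": EXO_RESOURCE, "tid": "11111111-2222-3333-4444-555555555555",
                                     "roles": ["ReportingWebService.Read.All"], "exp": 4000000000})

if __name__ == "__main__":
    url, body = client_credentials_request("11111111-2222-3333-4444-555555555555", "<client-id>", "<secret>")
    print(url, body["scope"])
    print(diagnose(SAMPLE_APP_TOKEN, "ReportingWebService.Read.All"))
    print(diagnose(SAMPLE_APP_TOKEN, "Mail.Read"))
```

To use it against a real token, paste the access token the connector (or the script) received into inspect_access_token: an empty roles list on a method 1 token means the permission was added as Delegated instead of Application, or consent was never granted, which is the usual source of the 403 above.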