Microsoft 365

= Preparing for the Microsoft Entra ID =

To use Microsoft 365, you must first navigate to the Microsoft Entra Admin Centre, register an enterprise application, and grant the necessary permissions within that application. These steps are necessary for ACMP to access and import the required Microsoft 365 data.

6

7

== Register an Enterprise Application ==

8

9

First, log in to your [[Microsoft Entra ID>>url:https://aad.portal.azure.com/]] . Click the //Manage// tab > //Enterprise Applications// and create a new application registration.

10

11

[[Application registrations in Microsoft Entra ID>>image:67_Microsoft 365_App-Registrierung in der Entra_2910.png]]

12

13

Enter all required information: Enter an application name and select the accounts to support. Click //Register// to complete the process.

14

15

[[Registering an application>>image:67_Microsoft 365_Anwendung registrieren_2262.png]]

16

17

When you open the created application, you will see a summary of the information added. You will need the application and directory ID from this for the next step when you create a new portal for Microsoft 365.

18

19

[[Application information summary>>image:67_Microsoft 365_Zusammenfassung der Anwendungsinformationen_3344.png]]

20

21

== Distribute permissions ==

22

23

Next, grant the required permissions to the business application so that the interface can be accessed. To do this, go to the Permissions section within the registered application (//Security// > //Permissions//).

24

25

[[Permissions>>image:67_Microsoft 365_Berechtigungen_2720.png]]

26

27

Click //Add Permission//. This will open a page where you can request API permissions. In this step you need to select Microsoft Graph.

28

29

[[API Permissions: Request Microsoft Graph>>image:67_Microsoft 365_Microsoft Graph_1284.png||data-xwiki-image-style-alignment="center" height="822" width="650"]]

30

31

**Only the application permissions are required to use Microsoft 365. Add the following values one at a time and repeat the process until both list entries are added:**

32

33

* **User.Read.All (Type: Application)**

34

* **Organisation.Read.All (Type: Application)**

35

36

37

You only need to assign the application permissions, not the delegated permissions!

38

39

40

[[Assigning application permissions>>image:67_Microsof 365_Anwendungen verteilen_Umrandung_3822.png||alt="67_Microsof 365_Anwendungen verteilen_3822.png"]]

41

42

Once you have selected both permissions, click //Add Permissions//. You will see the entries in the overview.

43

44

[[Assigned privileges (without consent)>>image:67_Microsoft 365_Verteilte Berechtigungen (ohne Einwilligung)_2818.png]]

45

46

You may need to grant permissions if you have not already done so. To do this, click on the //'Grant administrator consent for %your company%//' field. This will change the status and provide user consent.

47

48

[[Approved permissions>>image:67_Microsoft 365_Verteilte Berechtigungen (ohne Einwilligung)_2818.png]]

49

50

= Upload private client keys or certificates =

51

52

When you first set up Microsoft 365, you need to specify authentication types. You can choose from two methods supported by the Microsoft Client Credentials Provider: //certificates// or //secret client keys//.

53

54

55

The procedure is different depending on the authentication type you choose. Read below to find out what to do for each method.

56

57

58

== Upload a certificate ==

59

60

61

Because of the higher level of security, Microsoft recommends that you use a certificate as your credential.

62

63

64

Certificates can be used as an authentication method to log in to Microsoft Entra ID. A certificate always consists of a public and a private part, where the public key is loaded directly into the Microsoft Entra ID. Both parts will be needed later when you can add the certificate to the connection information to create a new portal. This certificate pair must be created beforehand. Read on to find out how to create a certificate using [[Microsoft>>url:https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal]] or [[Open SSL>>url:https://stackoverflow.com/questions/6307886/how-to-create-pfx-file-from-certificate-and-private-key]].

65

66

67

The PKCS#12 or PFX/P12 format is often used for certificates. This is not supported by ACMP because the certificate and key file are combined in one file. However, you can use the OpenSSL commands openssl pkcs12 -in path.p12 -out newfile.crt -clcerts –nokeys to generate two files from the file for the certificate and openssl pkcs12 -in path.p12 -out newfile.pem -nocerts –nodes for the private key.

68

For more information, see the [[Managing certificates>>doc:ACMP.67.ACMP-Solutions.System.Einstellungen.ACMP Server.WebHome||anchor="HEnde-zu-Ende-VerschlFCsselung"]] section.

69

70

71

Within the previously registered application, navigate to //Certificates & Secrets//. In the details section, click the //Certificates// tab and upload the certificate you created earlier.

72

73

[[Upload certificates>>image:67_Microsoft 365_Zertifikat hochladen_3356.png]]

74

75

A field will open on the right-hand side for you to upload the certificate. Browse to the appropriate directory and upload the file, then enter an optional description for the certificate. Click //Add// and the certificate will be saved for the application.

76

77

78

Please note that only .cer, .pem and .crt file types are supported when uploading a certificate.

[[Uploaded certificate in Microsoft Entra>>image:67_Microsoft 365_Hochgeladenes Zertifikat in Entra_3052.png]]

83

84

== Adding a secret client key ==

85

86

The secret client key is a string of characters used by the enterprise application as an authentication key or proof of identity when requesting the token. To do this, go to the //Certificates & Secrets// section of the registered application. In the details, click on the //Secret Client Keys// tab and create a new key.

87

88

[[Adding a news client key>>image:67_Microsoft 365_Neuen Clientschlüssel hinterlegen_3052.png]]

89

90

When creating a new secret client key, you will be given the option to configure the validity period. Please note that when the validity period expires, a new key must be created and saved.

91

92

[[Adding a secret client key>>image:67_Microsoft 365_Geheimen Clientschlüssel hinzufügen_3052.png]]

93

94

95

You will need the created secret client key when setting up Microsoft 365 to create new portals in the ACMP console. Therefore, save the secret client key so that you can access it later.

96

97

98

= Settings for Microsoft 365 =

99

100

The //Microsoft 365// section provides an overview of the portals you have saved and from which you want to import information.

101

102

== Managing Micrsoft 365 portals ==

103

104

To manage the portals, in the open ACMP console, navigate to //System// > //Settings// > //Licence// //Management// > //Microsoft// //365//. The view is split into two parts. On the left, you will see the action fields where you can add ([[image:1731318667592-246.png]]), edit ([[image:1731318667592-758.png]]) or delete ([[image:1731318667592-156.png]]) the Microsoft 365 portals. At the bottom is a list of all the existing portals that you have previously created. On the right, you can see the details of the portal you selected.

105

106

[[Microsoft 365 portals overview>>image:67_M365_Hinzugefügtes Portal_1361.png]]

107

108

== Add a Microsoft 365 portal ==

109

110

To add a new portal, click the //Add// button ([[image:1731318849239-880.png]]) in the toolbar. A wizard will open to guide you through the next steps. First, under //General//, enter a name for the portal. Note that the portal name is used as a prefix for the imported licences and products and must be unique. Optionally, you can enter a description if you wish to provide additional information. Otherwise, click //Next >// to proceed.

111

112

[[General information when adding a Microsoft 365 portal>>image:67_M365_Wizard Allgemein_965.png]]

113

114

Now enter the Application ID (Client) and Directory ID (Client) in the fields provided. This information refers to the information provided in the Microsoft Entra ID (see Application Properties).

115

116

117

The Application ID (Client) is the ID of the registered application. The Directory ID (Client) indicates which client it is running under.

118

119

120

Then select the type of authentication you want to use for the connection information. You can choose between //Certificate// and //Client Secret Key//.

=== Certificate ===

Select the //Certificate// authentication type and click the //Add// button. A new window will open where you must enter the public and private keys. To do this, click on the button [[image:1731318914156-387.png]] uand insert the appropriate key that you used earlier [[prepare the Microsoft Entra ID>>doc:||anchor="HVorbereitungenfFCrdieMicrosoftEntraID"]] Click //OK// to complete this step.

125

126

[[Adding a client certificate>>image:67_M365_Client Zertifikat hinzufügen_508.png]]

127

128

If you want to delete the certificate, click //Remove//.

129

130

=== Secret client key ===

131

132

To add a secret client key, you have to click on the button of the same name below the selection. A new window will open in which you have to enter the secret ID and the value of the secret client key. You also have to specify a validity period. Exit the step by clicking on //OK //and returning to the wizard.

133

134

[[Adding the secret client key>>image:67_M365_Geheimen Clientschlüssel hinzufügen_508.png]]

135

136

[[Connection information for the Microsoft 365 portal>>image:67_M365_Microsoft 365 Portal hinzufügen Verbindungsinformationen_965.png]]

137

138

Depending on the authentication type you have chosen, the corresponding fields will be filled in. In this explanation, the authentication type //Certificate// was used.

139

140

Check your connection by clicking //Test connection//. This will help you ensure that the information you have entered so far has been correctly inserted. Click //Next >// to continue with the exclusions for the import.

141

142

Here you have the option of excluding irrelevant licences from the import. The wizard page is divided into two: On the left side, you will find a list of all available licences. By enabling the checkbox below, you can display only the licences subscribed to in the portal.

143

144

Now drag all the items you want to exclude for the import to the right side ([[image:1731319034566-617.png]])). The items will be explicitly excluded for the upcoming import. You can remove excluded licences from the list by clicking the button([[image:1731319034566-751.png]]).

145

146

[[Exclusions for the import>>image:67_M365_Ausschlüsse für den Import_965.png]]

147

148

Finish the wizard by clicking //Done//. You will return to the overview page within the ACMP settings, where the new portal has been added to the list.

149

150

[[Added portal in the Microsoft 365 settings>>image:67_M365_Hinzugefügtes Portal_1361.png]]

151

152

== Editing or deleting Microsoft 365 portals ==

153

154

Existing Microsoft 365 portals can be edited or deleted. If you want to edit an existing portal, for example to change the authentication type or the licenses excluded from the import, click the //Edit //button ([[image:1731319340289-250.png]]). A window will open where you can customise the information that is now available. The information is divided into three tabs: //General//, //Connection Information //and //Exclusions for Import//. Change the desired information and then click //Save//.

155

156

157

When making any changes, follow the procedure described in the section [[Adding Microsoft 365 portals>>doc:||anchor="HMicrosoft365PortalhinzufFCgen"]] and note the information provided.

If you subsequently exclude licences from an import, you may have to manually delete licences that have already been imported and the associated product in the licence management.

162

163

164

To delete a portal, simply click the //Delete //button// //([[image:1731319500514-463.png]]) and confirm the action

165

166

167

After deleting the portal, already imported licenses and products remain. These must be deleted manually in License Management.

168

169

170

= Licenses, products and compliance =

171

172

The execution of two [[server tasks>>doc:ACMP.67.ACMP-Solutions.System.Einstellungen.ACMP Server.WebHome||anchor="HGeplanteServeraufgaben"]] is required to import licenses and products and to calculate the status:

173

174

|**Server task**|**Description**

175

|1. Import Microsoft 365 licence data|The server task imports the Microsoft 365 licence and product data for License Management and creates the licences and products.

176

|2. Recalculation of the data for the compliance view|The compliance data is recalculated to determine the consumers and the status of the licence.

177

178

179

The execution interval of the Scheduled Server Tasks depends on the configured start condition. You can view the status of the server jobs using the [[Server Monitor>>doc:ACMP.67.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Monitore.WebHome||anchor="HServermonitor"]].

180

181

182

The licences, products and required contacts are created when the data is imported. The compliance recalculation is used to calculate the status.

183

184

185

The new contacts can be accessed from the [[Master Data>>doc:ACMP.67.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Stammdaten.WebHome]] (//Master Data //> //Contacts//). The contacts are required to complete the compliance calculation at the end and to record them as licence users and link them to the appropriate licences and products.

186

187

188

For more detailed information on products and licences, navigate to Licence Management.

189

190

191

All licence and product data from the portal is read-only and cannot be edited. The Microsoft 365 portal is the leading system and cannot be changed by the administrator.

192

193

194

[[Read linked product from licence>>image:67_M365_Lizenzen Verknüpfte Produkte_1831.png]]

== Products ==

Products are created on initial creation in the following output directory //Microsoft 365// > //Portal name// (here: Microsoft 365 Portal). Products can be dragged and dropped into other directories as required. The product name is made up of the portal name (prefix) and the licence title.

199

200

[[Reading Microsoft 365 portal products>>image:67_M365_Produkte markiert_1280.png]]

201

202

203

There is a new automatic consumer (type: Microsoft 365) to correctly identify consumers. This is only used for Microsoft 365 imports and is not available for selection when manually creating a product

204

205

206

== Manually start recalculating compliance ==

207

208

The compliance recalculation runs as a server task every five hours by default, thus keeping the data comparison up to date. If you want to start a recalculation independently of this and out of sequence, you can do so via //License Management //> //Compliance //> //Recalculate //> //Recalculate Completely//. Click on the button in the ribbon bar and start the recalculation manually. The function first starts a new import of the current Microsoft 365 data. Depending on the data in the licence management, the execution of the recalculation may take some time. If there are already products in compliance, these will be updated and the associated status will be checked and customised if necessary.

209

210

== Status //Producat cannot be synchronised// ==

211

212

When recalculating compliance, the status of the products and licenses is compared. If, during the import of Microsoft 365 data, it is not possible to update data for a product or license that has already been imported, this is indicated by the new status [[image:1731319766843-853.png]]// Product cannot be synchronised//.

213

214

[[Licence status 'Product cannot be synchronised'>>image:67_M365_Lizenzstatus.png]]

215

216

There can be three reasons for this status:

217

218

|**Reason**|**Description**|**Solution**

219

|The product and/or license no longer exists in the Microsoft 365 portal. |The product and/or license has been deleted from the Microsoft 365 portal, which is why there is no connection between the ACMP Server and the product/license.|The products and/or licenses can be deleted from ACMP. Select the corresponding items and remove them by clicking on //Delete //in the ribbon bar.

220

|The license was defined retrospectively for the exclusion.|A license was subsequently excluded from import because changes were made to an existing portal.|(((

221

If you no longer require the newly added licence exclusion on the portal, you must delete the imported license and the products.

222

223

If the newly added exclusion was the result of a misconfiguration when editing the portal, you can edit the portal again and remove the exclusion. The next time the Microsoft 365 import is executed, the data will be updated again automatically. After recalculating compliance, the status will now be displayed correctly.

224

)))

225

|The portal has been deleted.|The complete portal has been deleted from the settings and no longer exists.|If you have deleted the portal in the ACMP settings, you must manually delete the already imported products and licenses from the License Management.

226

227

228

You can find out more about the different statuses of the licenses [[here>>doc:ACMP.67.ACMP-Solutions.Lizenzmanagement.Compliance.WebHome||anchor="HStatusderLizenzen"]].

229

230

231

= Error messages when accessing the Microsoft 365 GraphAPI =

232

233

An access token is required to access the Microsoft 365 GraphAPI. This token is generated by the scheduled server task when importing Microsoft 365 data for each configured portal. If there are problems generating the token, this will be displayed as an error message in the log. You can find the corresponding entry in the [[Server Monitor>>doc:ACMP.67.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Monitore.WebHome||anchor="HServermonitor"]].

234

235

Generally, there are two basic errors that can occur:

236

237

1. An error reported by the GraphAPI was generated by the corresponding web server.

238

1. An error occurred during the connection from the ACMP Server to the GraphAPI or during the evaluation of the GraphAPI response.

239

240

The following are some detailed error messages that may appear on your system:

|(((

**Error message**

)))|(((

**Error log**

)))

|(((

Die GraphAPI meldet einen Fehler und eine Fehlerbeschreibung.

250

)))|(((

251

The ACMP Server could reach the Microsoft GraphAPI and received an error.

252

253

The error descriptions come from Microsoft and indicate the type of error reported by the Microsoft GraphAPI.

254

)))

255

|(((

256

„Could not connect to GraphAPI server.“

257

)))|(((

258

The ACMP Server could not establish a connection to the Microsoft GraphAPI.

259

260

**Solution**: Check if you have released the [[necessary URLs>>doc:ACMP.67.ACMP installieren.Checkliste zur Installation.WebHome||anchor="HErforderlicheURLs"]] for your environment.

261

)))

262

|(((

263

„GraphAPI webcall returned success but information could not be deserialized.“

264

)))|(((

265

The ACMP Server was able to establish a connection and the remote station reported a success (HTTP status 200), but the delivered response could not be successfully evaluated. It is possible that the format is different than expected.

266

267

A possible source of error is when a system retains information in the cache and returns it as a response. For example, check your proxy settings to see if the ACMP Server has stored the correct configurations to resolve the URL. If you have excluded this, please contact our Support.

268

)))

269

|(((

270

„GraphAPI webcall returned failure but error information could not be deserialized.“

271

)))|(((

272

The ACMP Server was able to establish a connection successfully, but the remote station reports an error. The response could not be evaluated

273

274

**Solution**: Check if the [[firewall/proxy settings>>doc:ACMP.67.ACMP installieren.Checkliste zur Installation.WebHome||anchor="HErforderlicheURLs"]] are configured correctly or whether you have something else in the network that is intercepting or blocking the communication.. If this has been excluded by you, please contact our Support.

275

)))

276

|(((

277

„Thumbprint from public key could not be read.“

278

)))|(((

279

This error only occurs if you have used the certificate as the authentication method.

280

281

In this case, the ACMP Server tries to generate a JSON Web Token for the GraphAPI. The fingerprint of the certificate's public key must be noted. An error occurred when reading this value.

282

283

**Solution**: When the error occurs, reinstall the certificate.

284

)))

285

|(((

286

„JSON Web Token generation for authentication with GraphAPI failed.“

287

)))|(((

288