Wiki source code of Microsoft 365

Last modified by Sabrina V. on 2025/03/06 08:40

version	line-number	content
4.1	1	{{aagon.floatingbox/}}
1.2	2
16.1	3	= Preparing for the Microsoft Entra ID =
2.2	4
16.1	5	To use Microsoft 365, you must first navigate to the Microsoft Entra Admin Centre, register an enterprise application, and grant the necessary permissions within that application. These steps are necessary for ACMP to access and import the required Microsoft 365 data.
2.2	6
16.1	7	== Register an Enterprise Application ==
2.2	8
16.1	9	First, log in to your [[Microsoft Entra ID>>url:https://aad.portal.azure.com/]] . Click the //Manage// tab > //Enterprise Applications// and create a new application registration.
2.2	10
16.1	11	[[Application registrations in Microsoft Entra ID>>image:67_Microsoft 365_App-Registrierung in der Entra_2910.png]]
2.2	12
16.1	13	Enter all required information: Enter an application name and select the accounts to support. Click //Register// to complete the process.
2.2	14
16.1	15	[[Registering an application>>image:67_Microsoft 365_Anwendung registrieren_2262.png]]
2.2	16
16.1	17	When you open the created application, you will see a summary of the information added. You will need the application and directory ID from this for the next step when you create a new portal for Microsoft 365.
2.2	18
16.1	19	[[Application information summary>>image:67_Microsoft 365_Zusammenfassung der Anwendungsinformationen_3344.png]]
2.2	20
16.1	21	== Distribute permissions ==
2.2	22
16.1	23	Next, grant the required permissions to the business application so that the interface can be accessed. To do this, go to the Permissions section within the registered application (//Security// > //Permissions//).
2.2	24
16.1	25	[[Permissions>>image:67_Microsoft 365_Berechtigungen_2720.png]]
2.2	26
16.1	27	Click //Add Permission//. This will open a page where you can request API permissions. In this step you need to select Microsoft Graph.
2.2	28
16.1	29	[[API Permissions: Request Microsoft Graph>>image:67_Microsoft 365_Microsoft Graph_1284.png\|\|data-xwiki-image-style-alignment="center" height="822" width="650"]]
2.2	30
16.1	31	Only the application permissions are required to use Microsoft 365. Add the following values one at a time and repeat the process until both list entries are added:
2.2	32
16.1	33	* User.Read.All (Type: Application)
	34	* Organisation.Read.All (Type: Application)
2.2	35
11.1	36	{{aagon.warnungsbox}}
16.1	37	You only need to assign the application permissions, not the delegated permissions!
11.1	38	{{/aagon.warnungsbox}}
	39
16.1	40	[[Assigning application permissions>>image:67_Microsof 365_Anwendungen verteilen_Umrandung_3822.png\|\|alt="67_Microsof 365_Anwendungen verteilen_3822.png"]]
2.2	41
16.1	42	Once you have selected both permissions, click //Add Permissions//. You will see the entries in the overview.
2.2	43
16.1	44	[[Assigned privileges (without consent)>>image:67_Microsoft 365_Verteilte Berechtigungen (ohne Einwilligung)_2818.png]]
2.2	45
16.1	46	You may need to grant permissions if you have not already done so. To do this, click on the //'Grant administrator consent for %your company%//' field. This will change the status and provide user consent.
2.2	47
16.1	48	[[Approved permissions>>image:67_Microsoft 365_Verteilte Berechtigungen (ohne Einwilligung)_2818.png]]
2.2	49
16.1	50	= Upload private client keys or certificates =
2.2	51
16.1	52	When you first set up Microsoft 365, you need to specify authentication types. You can choose from two methods supported by the Microsoft Client Credentials Provider: //certificates// or //secret client keys//.
2.2	53
	54	{{aagon.infobox}}
16.1	55	The procedure is different depending on the authentication type you choose. Read below to find out what to do for each method.
2.2	56	{{/aagon.infobox}}
	57
16.1	58	== Upload a certificate ==
2.2	59
	60	{{aagon.infobox}}
16.1	61	Because of the higher level of security, Microsoft recommends that you use a certificate as your credential.
2.2	62	{{/aagon.infobox}}
	63
16.1	64	Certificates can be used as an authentication method to log in to Microsoft Entra ID. A certificate always consists of a public and a private part, where the public key is loaded directly into the Microsoft Entra ID. Both parts will be needed later when you can add the certificate to the connection information to create a new portal. This certificate pair must be created beforehand. Read on to find out how to create a certificate using [[Microsoft>>url:https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal]] or [[Open SSL>>url:https://stackoverflow.com/questions/6307886/how-to-create-pfx-file-from-certificate-and-private-key]].
2.2	65
	66	{{aagon.infobox}}
16.1	67	The PKCS#12 or PFX/P12 format is often used for certificates. This is not supported by ACMP because the certificate and key file are combined in one file. However, you can use the OpenSSL commands openssl pkcs12 -in path.p12 -out newfile.crt -clcerts –nokeys to generate two files from the file for the certificate and openssl pkcs12 -in path.p12 -out newfile.pem -nocerts –nodes for the private key.
	68	For more information, see the [[Managing certificates>>doc:ACMP.67.ACMP-Solutions.System.Einstellungen.ACMP Server.WebHome\|\|anchor="HEnde-zu-Ende-VerschlFCsselung"]] section.
2.2	69	{{/aagon.infobox}}
	70
16.1	71	Within the previously registered application, navigate to //Certificates & Secrets//. In the details section, click the //Certificates// tab and upload the certificate you created earlier.
2.2	72
16.1	73	[[Upload certificates>>image:67_Microsoft 365_Zertifikat hochladen_3356.png]]
2.2	74
16.1	75	A field will open on the right-hand side for you to upload the certificate. Browse to the appropriate directory and upload the file, then enter an optional description for the certificate. Click //Add// and the certificate will be saved for the application.
2.2	76
	77	{{aagon.infobox}}
16.1	78	Please note that only .cer, .pem and .crt file types are supported when uploading a certificate.
2.2	79	{{/aagon.infobox}}
2.3	80
	81
16.1	82	[[Uploaded certificate in Microsoft Entra>>image:67_Microsoft 365_Hochgeladenes Zertifikat in Entra_3052.png]]
2.3	83
16.1	84	== Adding a secret client key ==
2.3	85
16.1	86	The secret client key is a string of characters used by the enterprise application as an authentication key or proof of identity when requesting the token. To do this, go to the //Certificates & Secrets// section of the registered application. In the details, click on the //Secret Client Keys// tab and create a new key.
2.3	87
16.1	88	[[Adding a news client key>>image:67_Microsoft 365_Neuen Clientschlüssel hinterlegen_3052.png]]
2.3	89
16.1	90	When creating a new secret client key, you will be given the option to configure the validity period. Please note that when the validity period expires, a new key must be created and saved.
2.3	91
16.1	92	[[Adding a secret client key>>image:67_Microsoft 365_Geheimen Clientschlüssel hinzufügen_3052.png]]
2.3	93
	94	{{aagon.infobox}}
16.1	95	You will need the created secret client key when setting up Microsoft 365 to create new portals in the ACMP console. Therefore, save the secret client key so that you can access it later.
2.3	96	{{/aagon.infobox}}
	97
16.1	98	= Settings for Microsoft 365 =
2.3	99
16.1	100	The //Microsoft 365// section provides an overview of the portals you have saved and from which you want to import information.
2.3	101
16.1	102	== Managing Micrsoft 365 portals ==
2.3	103
16.1	104	To manage the portals, in the open ACMP console, navigate to //System// > //Settings// > //Licence// //Management// > //Microsoft// //365//. The view is split into two parts. On the left, you will see the action fields where you can add ([[image:1731318667592-246.png]]), edit ([[image:1731318667592-758.png]]) or delete ([[image:1731318667592-156.png]]) the Microsoft 365 portals. At the bottom is a list of all the existing portals that you have previously created. On the right, you can see the details of the portal you selected.
2.3	105
16.1	106	[[Microsoft 365 portals overview>>image:67_M365_Hinzugefügtes Portal_1361.png]]
2.3	107
16.1	108	== Add a Microsoft 365 portal ==
2.4	109
16.1	110	To add a new portal, click the //Add// button ([[image:1731318849239-880.png]]) in the toolbar. A wizard will open to guide you through the next steps. First, under //General//, enter a name for the portal. Note that the portal name is used as a prefix for the imported licences and products and must be unique. Optionally, you can enter a description if you wish to provide additional information. Otherwise, click //Next >// to proceed.
2.4	111
16.1	112	[[General information when adding a Microsoft 365 portal>>image:67_M365_Wizard Allgemein_965.png]]
2.4	113
16.1	114	Now enter the Application ID (Client) and Directory ID (Client) in the fields provided. This information refers to the information provided in the Microsoft Entra ID (see Application Properties).
2.4	115
	116	{{aagon.infobox}}
16.1	117	The Application ID (Client) is the ID of the registered application. The Directory ID (Client) indicates which client it is running under.
2.4	118	{{/aagon.infobox}}
	119
16.1	120	Then select the type of authentication you want to use for the connection information. You can choose between //Certificate// and //Client Secret Key//.
2.4	121
16.1	122	=== Certificate ===
2.4	123
16.1	124	Select the //Certificate// authentication type and click the //Add// button. A new window will open where you must enter the public and private keys. To do this, click on the button [[image:1731318914156-387.png]] uand insert the appropriate key that you used earlier [[prepare the Microsoft Entra ID>>doc:\|\|anchor="HVorbereitungenfFCrdieMicrosoftEntraID"]] Click //OK// to complete this step.
2.4	125
16.1	126	[[Adding a client certificate>>image:67_M365_Client Zertifikat hinzufügen_508.png]]
2.4	127
16.1	128	If you want to delete the certificate, click //Remove//.
2.4	129
16.1	130	=== Secret client key ===
2.4	131
16.1	132	To add a secret client key, you have to click on the button of the same name below the selection. A new window will open in which you have to enter the secret ID and the value of the secret client key. You also have to specify a validity period. Exit the step by clicking on //OK //and returning to the wizard.
2.4	133
16.1	134	[[Adding the secret client key>>image:67_M365_Geheimen Clientschlüssel hinzufügen_508.png]]
2.4	135
16.1	136	[[Connection information for the Microsoft 365 portal>>image:67_M365_Microsoft 365 Portal hinzufügen Verbindungsinformationen_965.png]]
2.4	137
16.1	138	Depending on the authentication type you have chosen, the corresponding fields will be filled in. In this explanation, the authentication type //Certificate// was used.
2.4	139
16.1	140	Check your connection by clicking //Test connection//. This will help you ensure that the information you have entered so far has been correctly inserted. Click //Next >// to continue with the exclusions for the import.
2.4	141
16.1	142	Here you have the option of excluding irrelevant licences from the import. The wizard page is divided into two: On the left side, you will find a list of all available licences. By enabling the checkbox below, you can display only the licences subscribed to in the portal.
2.4	143
16.1	144	Now drag all the items you want to exclude for the import to the right side ([[image:1731319034566-617.png]])). The items will be explicitly excluded for the upcoming import. You can remove excluded licences from the list by clicking the button([[image:1731319034566-751.png]]).
2.4	145
16.1	146	[[Exclusions for the import>>image:67_M365_Ausschlüsse für den Import_965.png]]
2.4	147
16.1	148	Finish the wizard by clicking //Done//. You will return to the overview page within the ACMP settings, where the new portal has been added to the list.
2.4	149
16.1	150	[[Added portal in the Microsoft 365 settings>>image:67_M365_Hinzugefügtes Portal_1361.png]]
2.4	151
16.1	152	== Editing or deleting Microsoft 365 portals ==
2.5	153
16.1	154	Existing Microsoft 365 portals can be edited or deleted. If you want to edit an existing portal, for example to change the authentication type or the licenses excluded from the import, click the //Edit //button ([[image:1731319340289-250.png]]). A window will open where you can customise the information that is now available. The information is divided into three tabs: //General//, //Connection Information //and //Exclusions for Import//. Change the desired information and then click //Save//.
2.5	155
	156	{{aagon.infobox}}
16.1	157	When making any changes, follow the procedure described in the section [[Adding Microsoft 365 portals>>doc:\|\|anchor="HMicrosoft365PortalhinzufFCgen"]] and note the information provided.
2.5	158	{{/aagon.infobox}}
2.6	159
4.2	160	{{aagon.infobox}}
16.1	161	If you subsequently exclude licences from an import, you may have to manually delete licences that have already been imported and the associated product in the licence management.
4.2	162	{{/aagon.infobox}}
	163
16.1	164	To delete a portal, simply click the //Delete //button// //([[image:1731319500514-463.png]]) and confirm the action
4.2	165
	166	{{aagon.infobox}}
16.1	167	After deleting the portal, already imported licenses and products remain. These must be deleted manually in License Management.
4.2	168	{{/aagon.infobox}}
	169
16.1	170	= Licenses, products and compliance =
4.2	171
16.1	172	The execution of two [[server tasks>>doc:ACMP.67.ACMP-Solutions.System.Einstellungen.ACMP Server.WebHome\|\|anchor="HGeplanteServeraufgaben"]] is required to import licenses and products and to calculate the status:
4.2	173
16.1	174	\|Server task\|Description
	175	\|1. Import Microsoft 365 licence data\|The server task imports the Microsoft 365 licence and product data for License Management and creates the licences and products.
	176	\|2. Recalculation of the data for the compliance view\|The compliance data is recalculated to determine the consumers and the status of the licence.
4.2	177
	178	{{aagon.infobox}}
16.1	179	The execution interval of the Scheduled Server Tasks depends on the configured start condition. You can view the status of the server jobs using the [[Server Monitor>>doc:ACMP.67.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Monitore.WebHome\|\|anchor="HServermonitor"]].
4.2	180	{{/aagon.infobox}}
	181
16.1	182	The licences, products and required contacts are created when the data is imported. The compliance recalculation is used to calculate the status.
4.2	183
	184	{{aagon.infobox}}
16.1	185	The new contacts can be accessed from the [[Master Data>>doc:ACMP.67.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Stammdaten.WebHome]] (//Master Data //> //Contacts//). The contacts are required to complete the compliance calculation at the end and to record them as licence users and link them to the appropriate licences and products.
4.2	186	{{/aagon.infobox}}
	187
16.1	188	For more detailed information on products and licences, navigate to Licence Management.
4.2	189
	190	{{aagon.infobox}}
16.1	191	All licence and product data from the portal is read-only and cannot be edited. The Microsoft 365 portal is the leading system and cannot be changed by the administrator.
4.2	192	{{/aagon.infobox}}
	193
16.1	194	[[Read linked product from licence>>image:67_M365_Lizenzen Verknüpfte Produkte_1831.png]]
4.2	195
16.1	196	== Products ==
4.2	197
16.1	198	Products are created on initial creation in the following output directory //Microsoft 365// > //Portal name// (here: Microsoft 365 Portal). Products can be dragged and dropped into other directories as required. The product name is made up of the portal name (prefix) and the licence title.
4.2	199
16.1	200	[[Reading Microsoft 365 portal products>>image:67_M365_Produkte markiert_1280.png]]
4.2	201
	202	{{aagon.infobox}}
16.1	203	There is a new automatic consumer (type: Microsoft 365) to correctly identify consumers. This is only used for Microsoft 365 imports and is not available for selection when manually creating a product
4.2	204	{{/aagon.infobox}}
	205
16.1	206	== Manually start recalculating compliance ==
4.2	207
16.1	208	The compliance recalculation runs as a server task every five hours by default, thus keeping the data comparison up to date. If you want to start a recalculation independently of this and out of sequence, you can do so via //License Management //> //Compliance //> //Recalculate //> //Recalculate Completely//. Click on the button in the ribbon bar and start the recalculation manually. The function first starts a new import of the current Microsoft 365 data. Depending on the data in the licence management, the execution of the recalculation may take some time. If there are already products in compliance, these will be updated and the associated status will be checked and customised if necessary.
4.2	209
16.1	210	== Status //Producat cannot be synchronised// ==
4.2	211
16.1	212	When recalculating compliance, the status of the products and licenses is compared. If, during the import of Microsoft 365 data, it is not possible to update data for a product or license that has already been imported, this is indicated by the new status [[image:1731319766843-853.png]]// Product cannot be synchronised//.
4.2	213
16.1	214	[[Licence status 'Product cannot be synchronised'>>image:67_M365_Lizenzstatus.png]]
4.2	215
16.1	216	There can be three reasons for this status:
4.2	217
16.1	218	\|Reason\|Description\|Solution
	219	\|The product and/or license no longer exists in the Microsoft 365 portal. \|The product and/or license has been deleted from the Microsoft 365 portal, which is why there is no connection between the ACMP Server and the product/license.\|The products and/or licenses can be deleted from ACMP. Select the corresponding items and remove them by clicking on //Delete //in the ribbon bar.
	220	\|The license was defined retrospectively for the exclusion.\|A license was subsequently excluded from import because changes were made to an existing portal.\|(((
	221	If you no longer require the newly added licence exclusion on the portal, you must delete the imported license and the products.
4.2	222
16.1	223	If the newly added exclusion was the result of a misconfiguration when editing the portal, you can edit the portal again and remove the exclusion. The next time the Microsoft 365 import is executed, the data will be updated again automatically. After recalculating compliance, the status will now be displayed correctly.
	224	)))
	225	\|The portal has been deleted.\|The complete portal has been deleted from the settings and no longer exists.\|If you have deleted the portal in the ACMP settings, you must manually delete the already imported products and licenses from the License Management.
4.2	226
	227	{{aagon.infobox}}
16.1	228	You can find out more about the different statuses of the licenses [[here>>doc:ACMP.67.ACMP-Solutions.Lizenzmanagement.Compliance.WebHome\|\|anchor="HStatusderLizenzen"]].
4.2	229	{{/aagon.infobox}}
14.1	230
16.1	231	= Error messages when accessing the Microsoft 365 GraphAPI =
14.1	232
16.1	233	An access token is required to access the Microsoft 365 GraphAPI. This token is generated by the scheduled server task when importing Microsoft 365 data for each configured portal. If there are problems generating the token, this will be displayed as an error message in the log. You can find the corresponding entry in the [[Server Monitor>>doc:ACMP.67.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Monitore.WebHome\|\|anchor="HServermonitor"]].
14.1	234
16.1	235	Generally, there are two basic errors that can occur:
14.1	236
16.1	237	1. An error reported by the GraphAPI was generated by the corresponding web server.
	238	1. An error occurred during the connection from the ACMP Server to the GraphAPI or during the evaluation of the GraphAPI response.
14.1	239
16.1	240	The following are some detailed error messages that may appear on your system:
14.1	241
16.1	242
14.1	243	\|(((
16.1	244	Error message
14.1	245	)))\|(((
16.1	246	Error log
14.1	247	)))
	248	\|(((
	249	Die GraphAPI meldet einen Fehler und eine Fehlerbeschreibung.
	250	)))\|(((
16.1	251	The ACMP Server could reach the Microsoft GraphAPI and received an error.
14.1	252
16.1	253	The error descriptions come from Microsoft and indicate the type of error reported by the Microsoft GraphAPI.
14.1	254	)))
	255	\|(((
	256	„Could not connect to GraphAPI server.“
	257	)))\|(((
16.1	258	The ACMP Server could not establish a connection to the Microsoft GraphAPI.
14.1	259
16.1	260	Solution: Check if you have released the [[necessary URLs>>doc:ACMP.67.ACMP installieren.Checkliste zur Installation.WebHome\|\|anchor="HErforderlicheURLs"]] for your environment.
14.1	261	)))
	262	\|(((
	263	„GraphAPI webcall returned success but information could not be deserialized.“
	264	)))\|(((
16.1	265	The ACMP Server was able to establish a connection and the remote station reported a success (HTTP status 200), but the delivered response could not be successfully evaluated. It is possible that the format is different than expected.
14.1	266
16.1	267	A possible source of error is when a system retains information in the cache and returns it as a response. For example, check your proxy settings to see if the ACMP Server has stored the correct configurations to resolve the URL. If you have excluded this, please contact our Support.
14.1	268	)))
	269	\|(((
	270	„GraphAPI webcall returned failure but error information could not be deserialized.“
	271	)))\|(((
16.1	272	The ACMP Server was able to establish a connection successfully, but the remote station reports an error. The response could not be evaluated
14.1	273
16.1	274	Solution: Check if the [[firewall/proxy settings>>doc:ACMP.67.ACMP installieren.Checkliste zur Installation.WebHome\|\|anchor="HErforderlicheURLs"]] are configured correctly or whether you have something else in the network that is intercepting or blocking the communication.. If this has been excluded by you, please contact our Support.
14.1	275	)))
	276	\|(((
	277	„Thumbprint from public key could not be read.“
	278	)))\|(((
16.1	279	This error only occurs if you have used the certificate as the authentication method.
14.1	280
16.1	281	In this case, the ACMP Server tries to generate a JSON Web Token for the GraphAPI. The fingerprint of the certificate's public key must be noted. An error occurred when reading this value.
14.1	282
16.1	283	Solution: When the error occurs, reinstall the certificate.
14.1	284	)))
	285	\|(((
	286	„JSON Web Token generation for authentication with GraphAPI failed.“
	287	)))\|(((
16.1	288	This error only occurs if you have used the certificate as the authentication method.
14.1	289
16.1	290	The ACMP Server tries to sign a JSON Web Token for the GraphAPI with the certificate's private key. An error occurs.
14.1	291
16.1	292	Solution: This may be an expired certificate. Either create a new certificate or re-import the certificate when the error occurs.
14.1	293	)))