Changes for page Microsoft 365

Last modified by Sabrina V. on 2025/05/15 12:38

From 1.4 to 1.3

From version 6.1

edited by Sabrina V.
on 2025/05/15 12:38

Change comment: There is no comment for this version

To version 1.4

edited by Sabrina V.
on 2025/02/13 10:11

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (1 modified, 0 added, 0 removed)

Details

Page properties

Content

@@ -1,10 +1,100 @@
  {{aagon.floatingbox/}}
--= Register preparations for Microsoft Entra ID and enterprise application =
++= Preparing for the Microsoft Entra ID =
--To use Microsoft 365, you must first navigate to the Microsoft Entra Admin Centre, register a business application, and grant the necessary permissions within that application. These steps are necessary to allow ACMP to access and import the required Microsoft 365 data. Detailed instructions on how to do this can be found [[here>>doc:ACMP.68.Unternehmensanwendung registrieren in der Microsoft Entra ID.WebHome]], along with all the permissions you will need to grant.
++To use Microsoft 365, you must first navigate to the Microsoft Entra Admin Centre, register an enterprise application, and grant the necessary permissions within that application. These steps are necessary for ACMP to access and import the required Microsoft 365 data.
++== Register an Enterprise Application ==
++First, log in to your [[Microsoft Entra ID>>url:https://aad.portal.azure.com/]] . Click the //Manage// tab > //Enterprise Applications// and create a new application registration.
++
++[[Application registrations in Microsoft Entra ID>>image:67_Microsoft 365_App-Registrierung in der Entra_2910.png]]
++
++Enter all required information: Enter an application name and select the accounts to support. Click //Register// to complete the process.
++
++[[Registering an application>>image:67_Microsoft 365_Anwendung registrieren_2262.png]]
++
++When you open the created application, you will see a summary of the information added. You will need the application and directory ID from this for the next step when you create a new portal for Microsoft 365.
++
++[[Application information summary>>image:67_Microsoft 365_Zusammenfassung der Anwendungsinformationen_3344.png]]
++
++== Distribute permissions ==
++
++Next, grant the required permissions to the business application so that the interface can be accessed. To do this, go to the Permissions section within the registered application (//Security// > //Permissions//).
++
++[[Permissions>>image:67_Microsoft 365_Berechtigungen_2720.png]]
++
++Click //Add Permission//. This will open a page where you can request API permissions. In this step you need to select Microsoft Graph.
++
++[[API Permissions: Request Microsoft Graph>>image:67_Microsoft 365_Microsoft Graph_1284.png||data-xwiki-image-style-alignment="center" height="822" width="650"]]
++
++**Only the application permissions are required to use Microsoft 365. Add the following values one at a time and repeat the process until both list entries are added:**
++
++* **User.Read.All (Type: Application)**
++* **Organisation.Read.All (Type: Application)**
++
++{{aagon.warnungsbox}}
++You only need to assign the application permissions, not the delegated permissions!
++{{/aagon.warnungsbox}}
++
++[[Assigning application permissions>>image:67_Microsof 365_Anwendungen verteilen_Umrandung_3822.png||alt="67_Microsof 365_Anwendungen verteilen_3822.png"]]
++
++Once you have selected both permissions, click //Add Permissions//. You will see the entries in the overview.
++
++[[Assigned privileges (without consent)>>image:67_Microsoft 365_Verteilte Berechtigungen (ohne Einwilligung)_2818.png]]
++
++You may need to grant permissions if you have not already done so. To do this, click on the //'Grant administrator consent for %your company%//' field. This will change the status and provide user consent.
++
++[[Approved permissions>>image:67_Microsoft 365_Verteilte Berechtigungen (ohne Einwilligung)_2818.png]]
++
++= Upload private client keys or certificates =
++
++When you first set up Microsoft 365, you need to specify authentication types. You can choose from two methods supported by the Microsoft Client Credentials Provider: //certificates// or //secret client keys//.
++
++{{aagon.infobox}}
++The procedure is different depending on the authentication type you choose. Read below to find out what to do for each method.
++{{/aagon.infobox}}
++
++== Upload a certificate ==
++
++{{aagon.infobox}}
++Because of the higher level of security, Microsoft recommends that you use a certificate as your credential.
++{{/aagon.infobox}}
++
++Certificates can be used as an authentication method to log in to Microsoft Entra ID. A certificate always consists of a public and a private part, where the public key is loaded directly into the Microsoft Entra ID. Both parts will be needed later when you can add the certificate to the connection information to create a new portal. This certificate pair must be created beforehand. Read on to find out how to create a certificate using [[Microsoft>>url:https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal]] or [[Open SSL>>url:https://stackoverflow.com/questions/6307886/how-to-create-pfx-file-from-certificate-and-private-key]].
++
++{{aagon.infobox}}
++The PKCS#12 or PFX/P12 format is often used for certificates. This is not supported by ACMP because the certificate and key file are combined in one file. However, you can use the OpenSSL commands openssl pkcs12 -in path.p12 -out newfile.crt -clcerts –nokeys to generate two files from the file for the certificate and openssl pkcs12 -in path.p12 -out newfile.pem -nocerts –nodes for the private key.
++For more information, see the [[Managing certificates>>doc:ACMP.67.ACMP-Solutions.System.Einstellungen.ACMP Server.WebHome||anchor="HEnde-zu-Ende-VerschlFCsselung"]] section.
++{{/aagon.infobox}}
++
++Within the previously registered application, navigate to //Certificates & Secrets//. In the details section, click the //Certificates// tab and upload the certificate you created earlier.
++
++[[Upload certificates>>image:67_Microsoft 365_Zertifikat hochladen_3356.png]]
++
++A field will open on the right-hand side for you to upload the certificate. Browse to the appropriate directory and upload the file, then enter an optional description for the certificate. Click //Add// and the certificate will be saved for the application.
++
++{{aagon.infobox}}
++Please note that only .cer, .pem and .crt file types are supported when uploading a certificate.
++{{/aagon.infobox}}
++
++
++[[Uploaded certificate in Microsoft Entra>>image:67_Microsoft 365_Hochgeladenes Zertifikat in Entra_3052.png]]
++
++== Adding a secret client key ==
++
++The secret client key is a string of characters used by the enterprise application as an authentication key or proof of identity when requesting the token. To do this, go to the //Certificates & Secrets// section of the registered application. In the details, click on the //Secret Client Keys// tab and create a new key.
++
++[[Adding a news client key>>image:67_Microsoft 365_Neuen Clientschlüssel hinterlegen_3052.png]]
++
++When creating a new secret client key, you will be given the option to configure the validity period. Please note that when the validity period expires, a new key must be created and saved.
++
++[[Adding a secret client key>>image:67_Microsoft 365_Geheimen Clientschlüssel hinzufügen_3052.png]]
++
++{{aagon.infobox}}
++You will need the created secret client key when setting up Microsoft 365 to create new portals in the ACMP console. Therefore, save the secret client key so that you can access it later.
++{{/aagon.infobox}}
++
  = Settings for Microsoft 365 =
  The //Microsoft 365// section provides an overview of the portals you have saved and from which you want to import information.
@@ -13,7 +13,7 @@
  To manage the portals, in the open ACMP console, navigate to //System// > //Settings// > //Licence// //Management// > //Microsoft// //365//. The view is split into two parts. On the left, you will see the action fields where you can add ([[image:1731318667592-246.png]]), edit ([[image:1731318667592-758.png]]) or delete ([[image:1731318667592-156.png]]) the Microsoft 365 portals. At the bottom is a list of all the existing portals that you have previously created. On the right, you can see the details of the portal you selected.
--[[Microsoft 365 portals overview>>image:68_M365_Hinzugefügtes Portal_1361.png||alt="67_M365_Hinzugefügtes Portal_1361.png"]]
++[[Microsoft 365 portals overview>>image:67_M365_Hinzugefügtes Portal_1361.png]]
  == Add a Microsoft 365 portal ==
@@ -57,7 +57,7 @@
  Finish the wizard by clicking //Done//. You will return to the overview page within the ACMP settings, where the new portal has been added to the list.
--[[Added portal in the Microsoft 365 settings>>image:68_M365_Hinzugefügtes Portal_1361.png||alt="67_M365_Hinzugefügtes Portal_1361.png"]]
++[[Added portal in the Microsoft 365 settings>>image:67_M365_Hinzugefügtes Portal_1361.png]]
  == Editing or deleting Microsoft 365 portals ==
@@ -79,7 +79,7 @@
  = Licenses, products and compliance =
--The execution of two [[server tasks>>doc:ACMP.68.ACMP-Solutions.System.Einstellungen.ACMP Server.WebHome||anchor="HGeplanteServeraufgaben"]] is required to import licenses and products and to calculate the status:
++The execution of two [[server tasks>>doc:ACMP.67.ACMP-Solutions.System.Einstellungen.ACMP Server.WebHome||anchor="HGeplanteServeraufgaben"]] is required to import licenses and products and to calculate the status:
  |**Server task**|**Description**
  |1. Import Microsoft 365 licence data|The server task imports the Microsoft 365 licence and product data for License Management and creates the licences and products.
@@ -86,13 +86,13 @@
  |2. Recalculation of the data for the compliance view|The compliance data is recalculated to determine the consumers and the status of the licence.
  {{aagon.infobox}}
--The execution interval of the Scheduled Server Tasks depends on the configured start condition. You can view the status of the server jobs using the [[Server Monitor>>doc:ACMP.68.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Monitore.WebHome||anchor="HServermonitor"]].
++The execution interval of the Scheduled Server Tasks depends on the configured start condition. You can view the status of the server jobs using the [[Server Monitor>>doc:ACMP.67.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Monitore.WebHome||anchor="HServermonitor"]].
  {{/aagon.infobox}}
  The licences, products and required contacts are created when the data is imported. The compliance recalculation is used to calculate the status.
  {{aagon.infobox}}
--The new contacts can be accessed from the [[Master Data>>doc:ACMP.68.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Stammdaten.WebHome]] (//Master Data //> //Contacts//). The contacts are required to complete the compliance calculation at the end and to record them as licence users and link them to the appropriate licences and products.
++The new contacts can be accessed from the [[Master Data>>doc:ACMP.67.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Stammdaten.WebHome]] (//Master Data //> //Contacts//). The contacts are required to complete the compliance calculation at the end and to record them as licence users and link them to the appropriate licences and products.
  {{/aagon.infobox}}
  For more detailed information on products and licences, navigate to Licence Management.
@@ -101,13 +101,13 @@
  All licence and product data from the portal is read-only and cannot be edited. The Microsoft 365 portal is the leading system and cannot be changed by the administrator.
  {{/aagon.infobox}}
--[[Read linked product from licence>>image:68_M365_Lizenzen Verknüpfte Produkte_1831.png||alt="67_M365_Lizenzen Verknüpfte Produkte_1831.png"]]
++[[Read linked product from licence>>image:67_M365_Lizenzen Verknüpfte Produkte_1831.png]]
  == Products ==
  Products are created on initial creation in the following output directory //Microsoft 365// > //Portal name// (here: Microsoft 365 Portal). Products can be dragged and dropped into other directories as required. The product name is made up of the portal name (prefix) and the licence title.
--[[Reading Microsoft 365 portal products>>image:68_M365_Produkte markiert_1280.png||alt="67_M365_Produkte markiert_1280.png"]]
++[[Reading Microsoft 365 portal products>>image:67_M365_Produkte markiert_1280.png]]
  {{aagon.infobox}}
  There is a new automatic consumer (type: Microsoft 365) to correctly identify consumers. This is only used for Microsoft 365 imports and is not available for selection when manually creating a product
@@ -135,69 +135,68 @@
  |The portal has been deleted.|The complete portal has been deleted from the settings and no longer exists.|If you have deleted the portal in the ACMP settings, you must manually delete the already imported products and licenses from the License Management.
  {{aagon.infobox}}
--You can find out more about the different statuses of the licenses [[here>>doc:ACMP.68.ACMP-Solutions.Lizenzmanagement.Compliance.WebHome||anchor="HStatusderLizenzen"]].
++You can find out more about the different statuses of the licenses [[here>>doc:ACMP.67.ACMP-Solutions.Lizenzmanagement.Compliance.WebHome||anchor="HStatusderLizenzen"]].
  {{/aagon.infobox}}
--= Error messages when accessing the Microsoft 365 GraphAPI =
++= Fehlermeldungen beim Zugriff auf die Microsoft 365 GraphAPI =
--An access token is required to access the Microsoft 365 GraphAPI. This token is generated by the scheduled server task when importing Microsoft 365 data for each configured portal. If there are problems generating the token, this will be displayed as an error message in the log. You can find the corresponding entry in the [[Server Monitor>>doc:ACMP.68.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Monitore.WebHome||anchor="HServermonitor"]].
++Beim Zugriff auf die Microsoft 365 GraphAPI wird ein sogenannter Access Token benötigt. Dieser Token wird von der geplanten Serveraufgabe beim Import der Microsoft 365 Daten für jedes konfigurierte Portal generiert. Sollte es beim Generieren des Tokens zu Problemen kommen, wird Ihnen dies als Fehlermeldung im Log angezeigt. Den Eintrag dazu finden Sie im [[Servermonitor>>doc:ACMP.67.Arbeiten mit der ACMP Console.Aufbau der Console.Ribbonleiste.Monitore.WebHome||anchor="HServermonitor"]].
--Generally, there are two basic errors that can occur:
++Generell gibt es zwei grundsätzliche Fehler, die auftreten können:
--1. An error reported by the GraphAPI was generated by the corresponding web server.
--1. An error occurred during the connection from the ACMP Server to the GraphAPI or during the evaluation of the GraphAPI response.
++1. Ein von der GraphAPI gemeldeter Fehler wurde vom entsprechenden Webserver generiert.
++1. Es ist zu einem Fehler gekommen, der bei der Verbindung vom ACMP Server zur GraphAPI oder bei der Auswertung der Antwort der GraphAPI aufgetreten ist.
--The following are some detailed error messages that may appear on your system:
++Nachfolgend einige detaillierte Fehlermeldungen, die bei Ihnen erscheinen können:
--
  |(((
--**Error message**
++**Fehlermeldung **
  )))|(((
--**Error log**
++**Fehlerbeschreibung **
  )))
  |(((
  Die GraphAPI meldet einen Fehler und eine Fehlerbeschreibung.
  )))|(((
--The ACMP Server could reach the Microsoft GraphAPI and received an error.
++Der ACMP Server konnte die Microsoft GraphAPI erreichen und bekam einen Fehler gemeldet.
--The error descriptions come from Microsoft and indicate the type of error reported by the Microsoft GraphAPI.
++Die Fehlerbeschreibungen stammen von Microsoft und geben die Art des Fehlers wieder, die von der Microsoft GraphAPI gemeldet wurde.
  )))
  |(((
  „Could not connect to GraphAPI server.“
  )))|(((
--The ACMP Server could not establish a connection to the Microsoft GraphAPI.
++Der ACMP Server konnte keine Verbindung zur Microsoft GraphAPI aufbauen.
--**Solution**: Check if you have released the [[necessary URLs>>doc:ACMP.68.ACMP installieren.Checkliste zur Installation.WebHome||anchor="HErforderlicheURLs"]] for your environment.
++**Lösung**: Überprüfen Sie, ob Sie die [[notwendigen URLs>>doc:ACMP.67.ACMP installieren.Checkliste zur Installation.WebHome||anchor="HErforderlicheURLs"]] für Ihre Umgebung freigegeben haben.
  )))
  |(((
  „GraphAPI webcall returned success but information could not be deserialized.“
  )))|(((
--The ACMP Server was able to establish a connection and the remote station reported a success (HTTP status 200), but the delivered response could not be successfully evaluated. It is possible that the format is different than expected.
++Der ACMP Server konnte eine Verbindung aufbauen und die Gegenstelle meldete einen Erfolg (HTTP Status 200), allerdings konnte die gelieferte Antwort nicht erfolgreich ausgewertet werden. Hier kann es sein, dass das Format ein anderes ist, als erwartet.
--A possible source of error is when a system retains information in the cache and returns it as a response. For example, check your proxy settings to see if the ACMP Server has stored the correct configurations to resolve the URL. If you have excluded this, please contact our Support.
++Mögliche Fehlerquelle ist, wenn ein System Informationen im Cache behält und diese als Antwort zurückliefert. Überprüfen Sie beispielsweise Ihre Proxyeinstellungen, ob der ACMP Server die richtigen Konfigurationen hinterlegt hat, um die URL auflösen zu können. Sollte das von Ihnen ausgeschlossen worden sein, wenden Sie sich bitte an unseren Support.
  )))
  |(((
  „GraphAPI webcall returned failure but error information could not be deserialized.“
  )))|(((
--The ACMP Server was able to establish a connection successfully, but the remote station reports an error. The response could not be evaluated
++Der ACMP Server konnte erfolgreich eine Verbindung aufbauen, jedoch meldet die Gegenstelle einen Fehler. Die gelieferte Antwort konnte nicht ausgewertet werden.
--**Solution**: Check if the [[firewall/proxy settings>>doc:ACMP.68.ACMP installieren.Checkliste zur Installation.WebHome||anchor="HErforderlicheURLs"]] are configured correctly or whether you have something else in the network that is intercepting or blocking the communication.. If this has been excluded by you, please contact our Support.
++**Lösung**: Überprüfen Sie, ob die[[ Firewall/Proxy Einstellungen>>doc:ACMP.67.ACMP installieren.Checkliste zur Installation.WebHome||anchor="HErforderlicheURLs"]] richtig konfiguriert sind.  Sollte das von Ihnen ausgeschlossen worden sein, wenden Sie sich bitte an unseren Support.
  )))
  |(((
  „Thumbprint from public key could not be read.“
  )))|(((
--This error only occurs if you have used the certificate as the authentication method.
++Dieser Fehler tritt ausschließlich auf, wenn Sie als Authentifizierungsmethode das Zertifikat verwendet haben.
--In this case, the ACMP Server tries to generate a JSON Web Token for the GraphAPI. The fingerprint of the certificate's public key must be noted. An error occurred when reading this value.
++In diesem Fall versucht der ACMP Server einen JSON Web Token für die GraphAPI zu generieren. Hierbei muss der Fingerabdruck des öffentlichen Schlüssels des Zertifikats vermerkt werden. Beim Auslesen dieses Wertes trat ein Fehler auf.
--**Solution**: When the error occurs, reinstall the certificate.
++**Lösung**: Spielen Sie beim Auftreten des Fehlers das Zertifikat neu ein.
  )))
  |(((
  „JSON Web Token generation for authentication with GraphAPI failed.“
  )))|(((
--This error only occurs if you have used the certificate as the authentication method.
++Dieser Fehler tritt ausschließlich auf, wenn Sie als Authentifizierungsmethode das Zertifikat verwendet haben.
--The ACMP Server tries to sign a JSON Web Token for the GraphAPI with the certificate's private key. An error occurs.
++Der ACMP Server versucht einen JSON Web Token für die GraphAPI mit dem privaten Schlüssel des Zertifikats zu signieren. Hierbei tritt ein Fehler auf.
--**Solution**: This may be an expired certificate. Either create a new certificate or re-import the certificate when the error occurs.
++**Lösung**: Möglicherweise kann es sich um ein abgelaufenes Zertifikat handeln. Legen Sie entweder ein neues Zertifikat an oder spielen Sie beim Auftreten des Fehlers das Zertifikat erneut ein.
  )))