Connect sapio365 to your tenant

After successfully installing sapio365 on your machine, connect to your Microsoft 365 environment by creating a new session.

Click on ‘New Session’ and follow the Microsoft’s authentication prompts to create a User session.
See step-by-step instructions on this page.

The summary below explains the types of sessions available in sapio365.

An App session is a session type available as an option after you’ve created a User Session.

Connect to your M365 data

New Session (User Session)	App session (Optional)
Adds sapio365 app to your list of enterprise applications: Ytria sapio365 - with Admin Consent.	This option is offered to sapio365 users who wish to use an application to connect to Microsoft instead of their user credentials.
Requires “Admin Consent” to the app’s permissions.	Creation is possible only in a qualified User Session.
Includes option to elevate privileges to maximize access to data including content of all mailboxes and SharePoint Online sites. Elevating a session creates a custom-named registered application in your tenant.	Requires global admin Microsoft 365 role or a sapio365 General Manager role, and a sapio365 Access App sessions role.
Required for Partner Access connection to customer tenants (for Managed Service Providers).	Creates a custom-named registered application in your tenant. You can add or remove permissions for this registered app in Azure Active Directory.
Required to use with an assigned sapio365 RBAC role.	Certain sapio365 features are not supported in an App session due to lack of Microsoft Graph API support. This includes: access to group calendars and delivery management for M365 groups. sapio365 features using PowerShell can be used without signing in if switching from secret to certificate authentication and enabling Online Exchange PowerShell in the app configuration.

Choose your session based on your role or need

I'm a global admin

Since you have global admin privileges, you can elevate your privileges to extend your data access using both delegated and application permissions privileges.

An elevated session means you will be able to access data like mailboxes, group and SharePoint site content without having to add yourself as an owner or group member.

Click here to learn more about using a session with elevated privileges.

I'm not a global admin

If a global admin has consented tenant-wide to the permissions of the sapio365 application, then create a user session to leverage sapio365's extended reach of the data you already have access to.
If you cannot obtain consent from a global admin, then you cannot use sapio365.

Your privileges remain the same as in Microsoft 365 but you will have the benefits of sapio365's global vision, bulk editing and automation.

I have access to the Microsoft Partner Center

If you have been given access to your customers' environment through the Microsoft Partner Center, simply create a user session and click on Partner Access to view and select from your list of customers to access customer tenant data. See how to do this on this page.

Make sure that a global admin of that tenant has give consent to the sapio365 application.

I have been assigned a role in sapio365 RBAC

Start by creating a User session to see a list of the roles assigned to you.

Once you choose a role, a Role-Based Session is created which will give you access to sapio365 features and datasets of users, groups or sites that were previously configured by your sapio365 Role-Based Access Control (RBAC) administrator.

sapio365 roles are independent of the Microsoft roles you have been assigned.

When choosing a role, you have the option to exclude users, groups or sites outside your scope in order to hide them in the FlexyView Grid. If you choose to include them, they will appear greyed out.

Click on Role Info to see the details of the current role or click on Choose Role to switch to another available role.

Note that your actions in sapio365 while in a Role-Based session will be logged specifically as you in the current role.

I want to configure sapio365 role-base access control (RBAC)

You must be a global admin, or you must be assigned to a sapio365 access role that lets you manage RBAC: General Manager (sapio365) or RBAC Configuration Manager.

Click here to learn how to delegate tasks and data access with sapio365 RBAC.

I have a hybrid Microsoft 365 environment (local Active Directory)

sapio365 supports hybrid Microsoft 365 environments. This means that you can retrieve user and group attributes from your local Active Directory associated to your cloud domain.

Loading this data in Users or in Groups will add this on-prem data to the list of Azure Active Directory objects that were initially retrieved.

sapio365 enables you to directly:

Edit attributes directly in the local AD from sapio365
Force sync user accounts and groups

Click here to learn how to connect sapio365 to your local Active Directory.

My Microsoft admin role is subject to limited time use (PIM)

If certain tasks in sapio365 require more time than that allotted to you by PIM, you can create (or ask a global admin) a sapio365 registered application specifically for you by creating an App session.

We recommend one application per user for auditing purposes. The application name can comprise the user’s name when it’s being created.

You must be a global admin to consent to the application’s permissions.

The application’s list of permissions can be modified in Azure Active Directory to extend or to limit access to data for the session using this application.

Click here to learn how to create a sapio365 App session.