Elevate your privileges with a registered application
A sapio365 Advanced session with elevated privileges differs from both a Standard and an Advanced session in that the registered application it uses does not require a user to sign in. Also, while those other session types use an Azure Active Directory registration created by Ytria, to elevate the privileges of an Advanced session you must use an application registered in your own tenant, granted a selection of Microsoft Graph permission scopes.
To elevate an Advanced session, sapio365 lets you create an “elevation application” that holds “application type” permissions. Before sapio365 version 2.1.10, the “delegated type” permissions of the Advanced session were used to perform the majority of actions in sapio365, and the elevation application was mainly used to handle users' mail and OneDrives.
As of version 2.1.10, sapio365 uses the elevation application to perform the majority of actions. The “delegated type” permissions are only used for some specific actions related to group management.
This ensures that elevating your Advanced session effectively extends your capabilities.
How do I create an Advanced session with privileges?
The quickest way is to let sapio365 create the application in your tenant for you by following the prompts (Option 1); alternatively, you can create the application yourself in Azure Active Directory (Option 2).
- OPTION 1 - Create application from sapio365 (easier)
- OPTION 2 - Create application at the v2 Azure Active Directory Endpoint
Control and liability
No user is signed in during an Advanced session with elevated privileges: the application authenticates with its own credentials, so user-level protections such as MFA and user Conditional Access policies do not apply to it. There are real security implications that you should be aware of when setting up your application permissions.
You are registering the application yourself. So you can define the application permissions as you see fit. If you choose, you can register multiple applications, all with different permission profiles.
Any application you register is unusable until an administrator has consented to all of the permission scopes assigned to it. The permission scopes listed in this document represent the maximum access potential; you can decide for yourself what limits to place on your Advanced session with elevated privileges. You can modify the permission scopes even after admin consent has been given, but any permission you add afterwards needs admin consent again before the application can use it. Feel free to experiment.
Even after admin consent has been given for the application, sapio365 still requires both the application ID and the client secret (the “password”).
We highly recommend that you protect all application IDs and client secrets so that only eligible users can run Advanced sessions with elevated privileges: anyone holding both values can exercise every consented permission, from any client, not only from sapio365.
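A practical check for the two points above (the application is useless until consent, and the secret is all an attacker needs) is to request an app-only token yourself and read its `roles` claim, which lists the application permissions actually consented to. The script below is an added example, not sapio365 or Ytria code; it uses only the standard library, and the tenant ID, application ID and secret it would take are assumed placeholders. The sample token it decodes offline is constructed for the demonstration.

```python
"""Check what an elevation application can actually do before trusting it.

Added example (not sapio365/Ytria code). It requests an app-only token with
the OAuth 2.0 client-credentials grant, exactly what an elevated session does
since no user signs in, and inspects the token's `roles` claim: the list of
application permissions an administrator has consented to. Before consent the
claim is absent, and Microsoft Graph answers 403 even though a token is issued.
"""
from __future__ import annotations

import base64
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # "all consented app permissions"


def get_app_only_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the v2.0 endpoint (network call)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt: str) -> dict:
    """Read the payload of a JWT without verifying its signature.

    Acceptable here only because the token came straight from the token
    endpoint over TLS and is merely inspected. Never use this to *accept*
    a token presented by someone else.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_permissions(claims: dict, expected: set[str]) -> dict:
    """Compare consented application permissions with what you intended to grant.

    An app-only token carries `roles`; a delegated (user) token carries `scp`
    instead, so `app_only` tells you which kind of session you really have.
    """
    granted = set(claims.get("roles", []))
    return {
        "app_only": "scp" not in claims,
        "missing": sorted(expected - granted),  # not consented (or not assigned) yet
        "extra": sorted(granted - expected),    # more access than you planned
    }


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for offline demonstration only."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Constructed sample: consent was given for two permissions, one of them unplanned.
    sample = make_unsigned_token({"appid": "00000000-0000-0000-0000-000000000000",
                                  "roles": ["Mail.ReadWrite", "Directory.ReadWrite.All"]})
    planned = {"Mail.ReadWrite", "Sites.FullControl.All"}
    print(check_permissions(decode_claims(sample), planned))
    # With a real registration (assumed placeholder values), replace the sample with:
    # token = get_app_only_token("<tenant-id>", "<application-id>", "<client-secret>")
    # print(check_permissions(decode_claims(token), planned))
```

Run it once right after granting consent and again whenever you change the registration: an empty `roles` claim means consent is missing, and anything in `extra` is access the elevated session has that you did not plan for.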
OPTION 1 - Create application from sapio365
The quickest way to create an Advanced session with elevated privileges is to do it right from sapio365. The process creates a new registration with API permissions pre-selected for maximum access (the list in Option 2, Step 13). You can always add or remove permissions for this application from the Azure portal afterwards.
Step 1 In an active Advanced session, click on the ‘Elevate Privileges’ button at the top left.
Step 2 Click on 'Continue' to create the application in your Azure AD (this may take a few minutes).
Step 3 Click on 'Proceed' to continue. You'll only see this dialog box after your first launch of an Advanced session in sapio365.
Step 4 Sign in with your credentials.
Step 5 Consent to the permissions used by the application.
You're now ready to access all mailbox and site content!
OPTION 2 - Create application at the v2 Azure Active Directory Endpoint
To work with an Advanced session with elevated privileges, you'll need two values for authentication: the application (client) ID, which identifies the application, and the client secret (see Step 21), which authenticates it. The portal and sapio365 also refer to the secret as the application's “password”.
Step 1 Go to the Azure portal login page and sign in with your credentials.
Step 2 Create a new registration
Step 3 Name your application.
Redirect URI (optional): If you choose not to grant admin consent during the registration process (Steps 14 to 16) and to give consent directly from sapio365 instead, you will need to enter the following URI: https://localhost:33366. This is the default address used by sapio365 to complete the consent process. If you need to enter a different address, you may.
Step 4 Register it.
Step 5 Copy and save the Application ID to enter in sapio365.
Step 6 Add permissions.
Step 7 Click on the “User.Read” permission. This delegated permission is added to every new registration by default and is not needed by an application that never signs in a user.
Step 8 Remove this permission.
Step 9 Click on “Add permission”.
Step 10 Click on Add permissions.
Step 11 Click on “Microsoft Graph”.
Step 12 Click on “Application permissions”.
Step 13 Select permissions.
In each category, check the required permissions (see the recommended list below) and when finished, click on Add permissions.
You have full flexibility to add whichever permissions you choose. The following list of permission scopes is simply a suggestion. To learn more about these permission scopes, see the Active Directory v.2 Permission Scope Reference Guide.
For a complete experience, the following permission scopes should be assigned:
- Calendars.ReadWrite
- ChannelMessages
- Contacts.ReadWrite
- Directory.ReadWrite.All
- Files.ReadWrite.All
- Group.ReadWrite.All
- Mail.ReadWrite
- MailboxSettings.ReadWrite
- Member.Read.Hidden
- People.Read.All
- Reports.Read.All
- Sites.FullControl.All
- User.ReadWrite.All
If you have opted to consent from within sapio365 (by entering the redirect URI in Step 3), skip the next three steps and go to Step 17.
Step 14 Click “Grant admin consent for ….”
Step 15 Confirm the consent request.
Step 16 You will see a confirmation.
Step 17 Go to “Certificates & secrets”.
Step 18 Click on “New client secret”.
Step 19 Choose an expiration period. Prefer a short one and record the expiry date: once the secret expires, elevated sessions stop working until you add a new secret and enter it in sapio365.
Step 20 Click “Add”.
Step 21 Copy and save the new client secret to use in sapio365.
IMPORTANT: This is the only time the secret value is shown. Neither the Azure portal nor sapio365 can retrieve it later. Take note of it now and keep it safe; if you lose it, add a new client secret and delete the old one.
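The same registration can be scripted end to end against the Microsoft Graph REST API, which also makes the distinction the page draws explicit: application permissions are `type: "Role"` entries resolved from Graph's `appRoles`, and “Grant admin consent” is nothing more than one `appRoleAssignment` per permission on the service principal. The script below is an added example, not sapio365 or Ytria code. It assumes an administrator's bearer token holding Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All; the display name, secret lifetime and permission list are illustrative choices, and the role IDs used in the offline check are constructed.

```python
"""Script the Option 2 registration through the Microsoft Graph REST API.

Added example (not sapio365/Ytria code), standard library only. It assumes an
administrator's bearer token with Application.ReadWrite.All and
AppRoleAssignment.ReadWrite.All. The calls mirror the portal steps: register
the application with Graph *application* permissions (type "Role", never the
delegated "Scope"), create its service principal, grant admin consent as
appRoleAssignments, and add a client secret whose value is shown only once.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's appId


def build_required_resource_access(permission_names: list[str],
                                   graph_app_roles: list[dict]) -> dict:
    """Translate permission names into the `requiredResourceAccess` entry for Graph.

    `graph_app_roles` is the `appRoles` list of the Microsoft Graph service
    principal (each entry has `id` and `value`). Names are resolved strictly,
    so a typo raises instead of silently dropping a permission.
    """
    id_by_name = {role["value"]: role["id"] for role in graph_app_roles}
    unknown = [name for name in permission_names if name not in id_by_name]
    if unknown:
        raise ValueError(f"not Microsoft Graph application permissions: {unknown}")
    return {
        "resourceAppId": GRAPH_RESOURCE_APP_ID,
        "resourceAccess": [{"id": id_by_name[n], "type": "Role"} for n in permission_names],
    }


def graph(token: str, method: str, path: str, body: dict | None = None) -> dict:
    """One Graph call; raises urllib.error.HTTPError on any 4xx/5xx."""
    req = urllib.request.Request(
        GRAPH + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def create_elevation_app(token: str, display_name: str, permission_names: list[str],
                         secret_days: int = 90) -> dict:
    """Register, consent and add a secret; returns what sapio365 needs to be given."""
    query = urllib.parse.urlencode({"$filter": f"appId eq '{GRAPH_RESOURCE_APP_ID}'",
                                    "$select": "id,appRoles"},
                                   quote_via=urllib.parse.quote)
    graph_sp = graph(token, "GET", f"/servicePrincipals?{query}")["value"][0]
    access = build_required_resource_access(permission_names, graph_sp["appRoles"])

    # Steps 2-4 and 13: register with the permissions already requested.
    # No redirect URI: consent is granted below, not from sapio365.
    app = graph(token, "POST", "/applications", {
        "displayName": display_name,
        "signInAudience": "AzureADMyOrg",
        "requiredResourceAccess": [access],
    })
    # Consent and role assignments attach to the service principal, not the app object.
    sp = graph(token, "POST", "/servicePrincipals", {"appId": app["appId"]})

    # Steps 14-16: "Grant admin consent" is one appRoleAssignment per application permission.
    for entry in access["resourceAccess"]:
        graph(token, "POST", f"/servicePrincipals/{sp['id']}/appRoleAssignments", {
            "principalId": sp["id"], "resourceId": graph_sp["id"], "appRoleId": entry["id"]})

    # Steps 17-21: add a client secret; `secretText` is returned only by this call.
    expires = datetime.now(timezone.utc) + timedelta(days=secret_days)
    secret = graph(token, "POST", f"/applications/{app['id']}/addPassword", {
        "passwordCredential": {"displayName": "sapio365 elevation",
                               "endDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ")}})
    return {"application_id": app["appId"], "object_id": app["id"],
            "client_secret": secret["secretText"], "secret_expires": secret["endDateTime"]}


if __name__ == "__main__":
    # Usage with an assumed admin token; nothing below runs without one.
    # result = create_elevation_app("<admin-bearer-token>", "sapio365 elevation",
    #                               ["Mail.ReadWrite", "Sites.FullControl.All"])
    # print(result["application_id"])  # put result["client_secret"] in a vault, not a file
    pass
```

Because `build_required_resource_access` refuses unknown names, a mistyped permission fails at registration time rather than surfacing later as a 403 inside sapio365; pass only the permissions you really want, since every `Role` entry you add is consented to in the same run.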