Skip to main content
Skip table of contents

Elevate your privileges with a registered application

A sapio365 Advanced session with elevated privileges is different from either a Standard or Advanced session in that the registered application it uses does not require that a 'user' signs in. Also, while those other session types use an Azure Active Directory registration created by Ytria, to elevate privileges of an Advanced session you must use a registered application in your own tenant, based on select Microsoft Graph permission scopes.

To elevate an Advanced Session, sapio365 will let you create an “elevation application” with “application type” permissions. Before sapio365 version 2.1.10, “delegated type” permissions from the Advanced Session were used to perform the majority of actions in sapio365. The “elevation application” was mainly used to handle users' mail and OneDrives.

With the release of 2.1.10, sapio365 now uses the “elevation application” to perform the majority of the actions. The “delegated type” permissions will only be used for some specific actions related to group management.

This will ensure that elevating your Advanced Session will effectively extend your capabilities.

How do I create an Advanced session with privileges?

The quickest way is to automatically create a sapio365 application in your tenant directly from sapio365 (Option 1) by following the prompts or you can create an application directly in your Azure Active Directory (Option 2).

Control and liability

There is no "user" signed in during an Advanced session with elevated privileges, so there are real-life security implications that you should be aware of when setting up your application permissions.

You are registering the application yourself. So you can define the application permissions as you see fit. If you choose, you can register multiple applications, all with different permission profiles.

Any applications you register will be unusable until an administrator has consented to all assigned permission scopes for the application. The permission scopes shown in this document represent the maximum access potential. You can decide for yourself any limits you'd like to place on your Advanced session with elevated privileges. You can modify the permission scopes for the application even after admin consent has been given. Feel free to experiment.

Even after admin consent has been given for the application. sapio365 will require both the application ID and the password.

We highly recommend that you protect all application IDs and passwords so that only eligible users can use Advanced sessions with elevated privileges.

OPTION 1 - Create application from sapio365

The quickest way to create an Advanced session with elevated privileges is to do it right from sapio365. The process creates a new registration with API permissions pre-selected (listed in Option 2, Step 13) for maximum access. You can always add or remove permissions for this application from the Azure portal.

Advanced session with elevated privileges-1

Step 1 In an active Advanced session, click on the ‘Elevate Privileges’ button at the top left.

Step 2 Click on 'Continue' to create the application in your Azure AD (this may take a few minutes).

Advanced session with elevated privileges-2-app-consent-info

Step 3 Click on 'Proceed' to continue. You'll only see this dialog box after your first launch of an Advanced session in sapio365.

back to top >

Advanced session with elevated privileges-3-MS-sign-in

Step 4 Sign in with your credentials.

Advanced session with elevated privileges-4-create-app-permissions-consent

Step 5 Consent to the permissions used by the application.

You're now ready to access all mailbox and site content!

back to top >

OPTION 2 - Create application at the v2 Azure Active Directory Endpoint

To work with an Advanced session with elevated privileges, you'll need a key pair for proper authentication: an app ID that will identify the application and the password provided (see Step 8) which will authenticate the application.

Advanced session with elevated privileges-2-1-create-appID-2

Step 1 Go to the Azure portal login page and sign in with your credentials.

Advanced session with elevated privileges-2-2-create-appID-2

Step 2 Create a new registration

Advanced session with elevated privileges-2-3-create-appID-2

back to top >

Step 3 Name your application.

Redirect URI (optional): If you choose not to give consent during the registration process (Step 7) and to give consent directly in sapio365, you will need to enter the following URI: https://localhost:33366. This is the default address used by sapio365 to complete the consent process. If you need to enter a different address, you may.

Step 4 Register it.

Advanced session with elevated privileges-2-4-create-appID-2

Step 5 Copy and save the Application ID to enter in sapio365.

Step 6 Add permissions.

back to top >

Advanced session with elevated privileges-2-5-create-appID-2

Step 7 Click on “User.Read” permission.

Step 8 Remove this permission.

Step 9 Click on “Add permission”.

Advanced session with elevated privileges-2-6-create-appID-2

Step 10 Click on Add permissions.

Step 11 Click on “Microsoft Graph”.

back to top >

Advanced session with elevated privileges-2-7-create-appID-2

Step 12 Click on “Application permissions”.

Advanced session with elevated privileges-2-8-create-appID-2

back to top >

Step 13 Select permissions.

In each category, check the required permissions (see the recommended list below) and when finished, click on Add permissions.

You have full flexibility to add whichever permissions you choose. The following list of permission scopes is simply a suggestion. To learn more about these permission scopes, see the Active Directory v.2 Permission Scope Reference Guide.

For a complete experience, the following permission scopes should be assigned:


Advanced session with elevated privileges-2-9-create-appID-2

If you have opted to consent through the application, skip the next steps and go to step 17.

Step 14 Click “Grant admin consent for ….”

Step 15 Confirm the consent request.

back to top >

Advanced session with elevated privileges-2-10-create-appID-2

Step 16 You will see a confirmation.

Advanced session with elevated privileges-2-11-create-appID-2

Step 17 Go to “Certificates & secrets”.

Step 18 Click on “New client secret”.

Step 19 Choose an expiration period.

Step 20 Click “Add”.

Advanced session with elevated privileges-2-12-create-appID-2

Step 21 Copy and save the new client secret to use in sapio365.

IMPORTANT: This is the only time you will see your password! sapio365 will not let you retrieve it. Take note of it now and keep it safe.

back to top >

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.