
User session

After successfully installing sapio365 on your machine, create a session by connecting to your Microsoft 365 environment.

What to expect when sapio365 successfully connects to your tenant for the first time

  • The sapio365 application is added to your list of enterprise applications: Ytria sapio365 - with Admin Consent.

  • A Company Administrator or Global Admin must provide ‘Admin Consent’ to the app’s permissions.

Create a User session

Creating a User session in sapio365 requires giving admin consent to the application permissions needed to view or change data.

  1. Click on ‘New Session’.

  2. Sign in with your Microsoft 365 account credentials when prompted by Microsoft 365, and complete any 2-factor authentication set up in your environment.

  3. Give admin consent to the permissions needed by the sapio365 application. See the step-by-step instructions below.

Consent on behalf of your organization

Global admins can give tenant-wide consent by checking ‘Consent on behalf of your organization’ to allow all users to use the application for an Advanced session in sapio365. Otherwise, consent is given only for the signed-in user.

Step-by-step instructions

  1. Click on ‘New Session’.

  2. Click ‘Continue’.

  3. Sign in with your Microsoft 365 account credentials when prompted by Microsoft 365, and complete any 2-factor authentication set up in your environment.

user-session-authenticate.jpg

  4. Give admin consent to the permissions needed by the sapio365 application.

consent-permissions.jpg

  5. If you’re a global admin, you’ll see this message about elevating your privileges. Click OK to close it.

elevate-message.jpg

Elevate your privileges (Optional)

An elevated session will grant you greater access to data like mailbox and SharePoint Online site content. This is done via the creation of a registered application in Entra.

Only a Company Administrator or Global Admin can provide ‘Admin Consent’ to the app’s permissions.

Learn more about elevating your privileges.

Configure on-premises settings (Optional)

If your tenant syncs with Active Directory (AD) on-premises, sapio365 will prompt you to configure AD connection settings.

Learn more about connecting sapio365 to your local Active Directory.

Select a role (Optional)

If you have been assigned a sapio365 RBAC role, you’ll be able to select a role from a list.

Learn more about choosing a sapio365 role.

Configure National Cloud Deployment connection (Optional)

If you have a GCC High tenant, you must set additional connection parameters to connect sapio365.

Learn more about connection to National Cloud Deployment environments.

What can I do in a user session?

A sapio365 user session lets you access and manage all data for which you have permissions, as well as some settings not available in the portal UI.

If your user rights allow you, you can access the following:

  • Users' messages, inbox rules, calendar events and personal contacts for accessible mailboxes

  • Users' one-to-one, group and meeting chats and chat messages

  • Owned and shared OneDrive documents and their permissions

  • Group and SharePoint site document libraries

  • Group owners and members

  • Team channels and chats

  • Site and site list information

  • Directory admin roles

  • Usage and audit reports

  • Registered devices

  • Registered applications and Service Principals

See the full list of features

Users

  • View the entire user list for your tenant’s directory as well as all users’ profile information.

  • Manage service plans and license information for all users. Set license unit prices for cost analysis reports.

  • Edit user profile information for any user, even multiple users at once.

  • Create new users or import several from a file.

  • Display and manage group memberships for every user in your tenant’s directory.

  • View one-to-one, group and meeting chats and chat messages, for your own account and for others that you can access.

Groups & Teams

  • View all groups in your tenant, including their property information.

  • Display and manage all group members and owners.

  • See nested groups.

  • See and manage Teams, their members, channels and files.

  • Retrieve all file and folder information from document libraries.

  • View groups' SharePoint site information.

  • Add or remove owners for any group in your tenant, even multiple groups and owners at once.

  • Manage mail delivery restrictions on any group in your tenant, even for multiple groups at once.

Mail

For your own mailbox and other mailboxes you have access to:

  • View all email messages—including the mail folder structure.

  • Preview messages directly from the full message list.

  • See all message properties.

  • Access all attachment information—and download or delete attachments directly.

  • Manage mail rules for all mailboxes.

  • Manage mailbox permissions.

Calendar events

For your own mailbox and other mailboxes you have access to:

  • View and manage all calendar events.

  • Preview calendar event body.

  • Download or delete attachments.

Personal contacts

For your own mailbox and other mailboxes you have access to:

  • See every user’s personal contacts.

OneDrive files and folders

For your own OneDrive and others you have access to:

  • Manage all information—including permissions—for every OneDrive file and folder shared with you.

  • Rename or delete files and folders.

  • Download files and folders.

  • Upload files and folders.

  • Create folders.

SharePoint sites and lists

For SharePoint Online sites you have access to:

  • Retrieve all SharePoint site information, including storage quotas.

  • Show all lists—as well as their items and columns—for all your accessible sites at once.

  • Manage all document library files and their permissions in one place.

  • See personal sites and their content (elevated session).

Other

Depending on your rights:

  • View usage reports.

  • View sign-ins (requires Azure AD Premium P1 or P2 license) and admin audit logs.

  • View and manage registered applications.

  • View registered devices.

Frequently Asked Questions

What happens when I create a User session?

When launching a User session for the first time, the application requires a one-time admin consent for sapio365 to access Microsoft 365 data.

Upon creation, the sapio365 application “Ytria sapio365 - with Admin Consent” is added to the list of Enterprise Apps in your Azure Active Directory, which can then be used by the users who give user consent or by all users in the tenant if consent is given tenant-wide by an admin.

If the application is removed from Azure AD or the admin consent is revoked, it can be added back by creating an Advanced session once again.

Admins can limit access to sapio365 to specific groups or users using Conditional Access. See “I'm an admin. Can I limit usage to a specific group of users?” in FAQ below.

app-in-entra.jpg

What exactly am I consenting to?

You’re consenting to the delegated permissions of the sapio365 application that allow you to access Microsoft 365 data within the scope of your user rights in Microsoft 365. This consent is between you and the sapio365 application. Your data NEVER goes through any third-party servers.

consent-permissions.jpg

Why am I not able to give consent to sapio365?

Only a global (company) administrator can provide admin consent for the permissions of sapio365 applications used in advanced and elevated sessions. If you can’t obtain admin consent, you can use a standard session.

Can I access every user’s data?

No. Your access and actions remain limited by the rights and permissions you have in Microsoft 365. An advanced session in sapio365 gives you the advantage of having everything in one place, the ability to make bulk changes and create custom reports. You’ll need elevated privileges to access mailboxes and sites you don’t own.

Will my information pass through any external servers?

No, sapio365 does not require external servers to process this information – ever.

Is my Microsoft 365 data stored anywhere?

Some data is stored locally on your machine as a cache to improve processing times. The encryption of data is session-based so your information is protected.

Can I limit usage to a specific group of users?

Yes, just like for any application in your Azure AD, you can enable “User assignment required?” (1), and assign users to the app (2).

limit-users.jpg
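
The difference between ‘Consent on behalf of your organization’ and per-user consent, and the effect of “User assignment required?”, can be checked from the directory objects behind the enterprise app. The following is an added example, not part of the original page or Ytria's code: it assumes the objects were exported in the shape Microsoft Graph returns them (servicePrincipal, oauth2PermissionGrant, appRoleAssignment), and every id and scope in the sample data is constructed, not sapio365's actual permission list.

```python
"""Summarize who holds delegated consent for one enterprise app.

Input mirrors Microsoft Graph objects. All ids and scopes below are
constructed sample data, not sapio365's real permission list.
"""

# Constructed sample: the enterprise app's service principal.
SP = {"id": "sp-0001", "displayName": "Ytria sapio365 - with Admin Consent",
      "appRoleAssignmentRequired": False}

# Constructed sample: delegated grants (oauth2PermissionGrant objects).
GRANTS = [
    {"clientId": "sp-0001", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Directory.Read.All"},
    {"clientId": "sp-0001", "consentType": "Principal", "principalId": "user-42",
     "scope": "User.Read Mail.Read"},
    {"clientId": "sp-9999", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Files.Read.All"},  # belongs to a different app, must be ignored
]

# Constructed sample: principals assigned to the app (appRoleAssignment objects).
ASSIGNED = [{"resourceId": "sp-0001", "principalId": "group-7", "principalType": "Group"}]


def summarize_consent(sp, grants, assignments):
    """Return tenant-wide scopes, per-user scopes, and the effective audience."""
    tenant_scopes, per_user = set(), {}
    for g in grants:
        if g["clientId"] != sp["id"]:
            continue
        scopes = set((g.get("scope") or "").split())
        if g["consentType"] == "AllPrincipals":    # consent on behalf of the organization
            tenant_scopes |= scopes
        elif g["consentType"] == "Principal":      # consent for one signed-in user
            per_user.setdefault(g["principalId"], set()).update(scopes)
    assigned = sorted(a["principalId"] for a in assignments if a["resourceId"] == sp["id"])
    if sp.get("appRoleAssignmentRequired"):        # "User assignment required?" = Yes
        audience = "assigned users and groups only"
    elif tenant_scopes:
        audience = "all users in the tenant"
    else:
        audience = "only users with an individual grant"
    return {"tenant_scopes": sorted(tenant_scopes),
            "per_user_scopes": {u: sorted(s) for u, s in per_user.items()},
            "assigned": assigned, "audience": audience}


if __name__ == "__main__":
    for key, value in summarize_consent(SP, GRANTS, ASSIGNED).items():
        print(f"{key}: {value}")
```
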
