Accessing Microsoft 365 tenants

Register the Collect application to access Microsoft 365. When registering the application, the Microsoft 365 administrator creates a Microsoft Application ID and secret. This ID and secret are used to configure data sources in Collect and provide access to the Office 365 tenants. You can register the application through Azure Portal or by registering the application permissions through the Microsoft App Registration Portal. After registering the application, request administrator consent. From there, it is possible to revoke application access.

Registering the application

Allow Relativity access by first registering the application in Microsoft 365. Register the application permissions through Azure Portal.

Teams prerequisites

Before you can collect Microsoft Teams data, you must meet the prerequisites required by Microsoft.

Licensing requirements

To be able to collect Teams data, one of the following licensing requirements must be met. This licensing applies to individual (custodian) accounts.

  • Microsoft 365 E5/A5/G5

Or

  • Microsoft 365 E3 plus one of the following:

    • Microsoft 365 E5 Security Add-on

    • Microsoft 365 E5 Compliance Add-on

    • Microsoft 365 E5 Information Protection and Governance Add-on

    • Microsoft 365 E5 Information Protection & Data Loss Prevention Add-on

For more information, see relevant Microsoft documentation:

Protected API Access

Microsoft Teams APIs in Microsoft Graph that access sensitive data are considered protected APIs. These APIs require that you have additional validation, beyond permissions and consent, before you can use them. This requires submission of a form to Microsoft requesting API access.

Note: You must create your application registration before completing the request form. The form requires you to specify the application ID, which you get during registration, to which protected API access should be granted.

Relevant Microsoft documentation: Teams protected APIs

Request form referenced in the above documentation: Teams protected APIs request form

Registering the Collect application and setting permissions

Register your application permissions through Azure Portal to access tenants.

Start registering your app by following the steps below:

Note: This needs to be done on the client side by an Azure user with sufficient rights.

  1. Open your Azure Portal.
  2. Click More Services.
  3. Search for and select Azure Active Directory.
  4. In the left-navigation menu, click App registrations.
  5. Click New Registration.
    This will open the Register an application page.
  6. Enter an application name in the Name field.
  7. Select Accounts in this organizational directory only as the supported account type.
  8. Enter the redirect URL, http://localhost/, as the sign-on URL.

  9. Click Register.

For more information on registering an application in Azure, see Microsoft's documentation or Microsoft's authentication documentation.

From the app's page, add permissions to the web API. To add correct permissions based on your selected Microsoft 365 data source, select a group of steps to follow below:

Most steps and some permissions are the same for each data source, but we recommend running through all steps for each data source.

Make a note of the application ID that Microsoft assigned to the app registration. This ID is also required for setup of data sources in Collect.

    Notes: If you do not have the ability to grant Admin consent for application permissions, you will need to find an Admin that can consent.

Once clicked, the window will show all permissions granted.

  1. Verify all permissions have been granted.
  2. Click Accept to grant the permissions.
  3. In the left navigation menu, click Certificates & secrets.
  4. Click New client secret.
  5. Enter a description in the Description text box.
  6. Set the expiration time frame to the maximum time - 24 months.
      Notes: After the time entered expires, the client secret expires. Once the client secret is expired, you will need to create a new secret and update your Collect data sources.
  7. Click Add.
  8. Click the clipboard to copy the secret value, then paste it into your text document.
      Notes: Copy and save the secret in this step, as you will need it to set up your data sources in Collect. Microsoft shows this secret only this one time; there is no way to recover a secret if it is forgotten or lost.

Provide your Relativity Admin the Application ID and the Client Secret for setup of Collect.
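
Because an expired client secret stops Collect from authenticating until a new secret is created and the data sources are updated, it helps to track the expiry date. The following check is an added example, not part of the original page or Relativity's own tooling; it assumes the Microsoft Graph PowerShell module (Microsoft.Graph.Applications) is installed, and the application ID placeholder and the 60-day warning threshold are assumptions to replace with your own values.

```powershell
# Added example: report client secret expiry for the Collect app registration.
# Graph returns only secret metadata (description, key ID, dates), never the secret value.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'

$AppId    = '<application-id-from-app-registration>'   # placeholder (assumption)
$WarnDays = 60                                          # assumed warning threshold

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found for application ID $AppId" }

$now = (Get-Date).ToUniversalTime()
$report = foreach ($cred in $app.PasswordCredentials) {
    if ($null -eq $cred.EndDateTime) { continue }       # skip entries without an end date
    $daysLeft = [math]::Floor(($cred.EndDateTime.ToUniversalTime() - $now).TotalDays)
    [pscustomobject]@{
        Description = $cred.DisplayName
        KeyId       = $cred.KeyId
        Expires     = $cred.EndDateTime
        DaysLeft    = $daysLeft
        Status      = if ($daysLeft -lt 0) { 'Expired' }
                      elseif ($daysLeft -le $WarnDays) { 'RotateSoon' }
                      else { 'OK' }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Collect needs at least one unexpired secret; flag the case where none remains.
if (-not ($report | Where-Object Status -ne 'Expired')) {
    Write-Warning "No valid client secret on $($app.DisplayName): create a new one and update the Collect data sources."
}
```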

Finding Azure credentials

If an application is already created and you need to find the application information to complete the Source Connection step, follow the steps below:

In the Azure Portal,

  1. Click Azure Active Directory.
  2. In the left-navigation menu, click Enterprise applications.
  3. In the list of applications, locate your application by filtering or sorting.
  4. Click your application.
    This will open the application page.
  5. In the left-navigation menu, click Properties.
  6. Copy the Application ID.

Limiting Application Registration access to accounts

Limit the access of Collect to specific Microsoft user accounts and mailboxes by using the New-ApplicationAccessPolicy PowerShell cmdlet. For more information, see Microsoft documentation.
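
One way to apply and verify such a policy, shown as an added example that is not part of the original page or Relativity's own tooling. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the application ID placeholder, the mail-enabled security group, and the two test mailboxes are hypothetical values to replace with your own.

```powershell
# Added example: restrict the Collect app registration to custodian mailboxes only.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$AppId      = '<application-id-from-app-registration>'  # placeholder (assumption)
$ScopeGroup = 'collect-custodians@contoso.example'      # hypothetical mail-enabled security group
$InScope    = 'custodian1@contoso.example'              # hypothetical member of the group
$OutOfScope = 'executive1@contoso.example'              # hypothetical non-member

# RestrictAccess limits the app to mailboxes that are members of the scope group.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit Collect to custodian mailboxes'

# Confirm the policy is stored against the app.
Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId } |
    Format-List Identity, ScopeName, AccessRight, Description

# Test both sides of the boundary: a member should be Granted, a non-member Denied.
$results = foreach ($mailbox in $InScope, $OutOfScope) {
    $check = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    [pscustomobject]@{
        Mailbox           = $mailbox
        AccessCheckResult = $check.AccessCheckResult
    }
}
$results | Format-Table -AutoSize

# Fail loudly if the app can still reach a mailbox outside the scope group.
$leak = $results | Where-Object { $_.Mailbox -eq $OutOfScope -and $_.AccessCheckResult -eq 'Granted' }
if ($leak) { throw "Policy is not restricting access: $OutOfScope is still reachable by app $AppId" }
```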

Revoking Application Access

The application can be revoked from https://portal.azure.com or by using a PowerShell script. For more information, see Microsoft's documentation.

To revoke access from https://portal.azure.com,

  1. Navigate to Enterprise Application.
  2. Click All applications.
  3. Locate your application.
  4. Press the application link.
  5. Press Delete.

Collect no longer has access.

Revoking access via PowerShell

Revoking access via PowerShell can be done using the Remove-MsolServicePrincipal cmdlet. See below for an example of retrieving and deleting an application registration using PowerShell.

Get-MsolServicePrincipal -AppPrincipalId 19ab8a2e-ccce-4fa8-a9ee-eb16e220d602

ExtensionData         : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled        : True
Addresses             : {}
AppPrincipalId        : 19ab8a2e-ccce-4fa8-a9ee-eb16e220d602
DisplayName           : Relativity-Development-Application
ObjectId              : 51798fb3-e72c-4373-8c63-6e7d0dd63ad7
ServicePrincipalNames : {19ab8a2e-ccce-4fa8-a9ee-eb16e220d602}
TrustedForDelegation  : False

Remove-MsolServicePrincipal -AppPrincipalId 19ab8a2e-ccce-4fa8-a9ee-eb16e220d602