Register Purview Sync with Azure (Advanced Access)
Purview Sync uses the Microsoft Graph API. To use the API, you need to register the application with Azure. Authentication requires a reference to a dedicated Azure application that has the appropriate permission. This needs to be done on the client side by an Azure user with sufficient rights.
Note: At different times in this guide, you will be instructed to take note of certain values and tokens. We recommend opening a text editor or Word document during this process to copy and paste these values, so they are readily available to paste into RelativityOne.
Table of Contents (Advanced Access)
Use this table of contents to navigate Purview Sync during the Advanced Access phase.
- Purview Sync (Advanced Access)
- Install Purview Sync (Advanced Access)
- Register Purview Sync with Azure (Advanced Access)
- Configure Purview Sync (Advanced Access)
- Importing data (Advanced Access)
- Data transformation (Advanced Access)
Registering an Azure application and credentials
Complete the steps in this section to create an application registration that you need for email and for syncing to Entra ID. To create your application ID and secret, you must have Application Administrator privileges to log into your Azure Portal and register an app.
Store your application ID and secret in a safe place, as you will need them in Relativity.
To register your app:
Note: The person completing the application registration process needs to be an Azure Administrator with sufficient privileges.
- Open your Azure Portal.
- Click Microsoft Entra ID.
- In the left-navigation menu, select App registrations.
- Click New Registration.
This will open the Register an application page.
- Enter an application name in the Name field. For example, RelativityOne Purview Sync.
- Select Accounts in this organizational directory only - Single tenant as the supported account type.
- Select Single-page application (SPA) in the drop-down menu in the Redirect URI field.
- Enter https://[RelativityOne URL up to the word relativity forward slash] + CustomPages/f444a06a-617c-430b-90b2-a112e834b826/index.html for the Redirect URI field. For example, https://company.relativity.one/relativity/CustomPages/f444a06a-617c-430b-90b2-a112e834b826/index.html.
- Click Register.
When you complete the application registration, take note of the Application (client) ID field and Directory (tenant) ID field. These will be later used in Relativity.
Authentication
For authentication, you must add a redirect URI.
To add a redirect URI:
- Select Authentication from the left-side menu.
- Locate the Single-page application box and select Add URI.
- In the Redirect URI field, enter https://[RelativityOne URL up to the word relativity forward slash] + CustomPages/f444a06a-617c-430b-90b2-a112e834b826/ms-auth-popup-redirect.html. For example, https://company.relativity.one/relativity/CustomPages/f444a06a-617c-430b-90b2-a112e834b826/ms-auth-popup-redirect.html.
- Locate the Web box and select Add URI.
- In the Redirect URI field, enter https://[RelativityOne URL without including the word relativity forward slash] + Relativity.Rest/API/aed-integration/v1/service/ms-auth/auth-response.
Example: https://company.relativity.one/Relativity.Rest/API/aed-integration/v1/service/ms-auth/auth-response
- Select Save.
Creating a client secret
A client secret from Microsoft Azure AD is needed to integrate Microsoft and Relativity.
To create a client secret:
- In the left-navigation menu, click Certificates & secrets.
- Navigate to the Client secrets tab.
- Click the New Client Secret button.
Note: Do not navigate away from the page once the client secret is created.
- Populate the Description and Expires fields. You can leave the default, or recommended, values.
- Click the Add button.
If the client secret was successfully created, you will see the client secret displayed in the table, and the Value field should be displayed in plain text.
- Copy the Value field and store it safely.
If you leave the page and come back to get the value, the Value field will be masked and you will not be able to copy it.
You can repeat steps 4-5 to generate a new client secret.
Setting API permissions
Open the application to view the application's homepage. From the application's page, add permissions to the web API.
To add permissions:
- Click API permissions.
- Click Add a Permission.
- Click Microsoft Graph.
- Select Delegated Permissions.
- Select the eDiscovery.ReadWrite.All option from the Delegated Permissions section.
- Click Add Permissions.
- Click Grant admin consent for [Tenant Name].
Note: You need the Global Administration role to complete this action.
At this point the application should be fully configured. It can take a few minutes to update.
Create the service principal
There is a special permission not available in an application registration by default. This is the eDiscovery.Download.Read permission that allows the transfer of data. It becomes available once you create a Service Principal for your Azure tenant. For more information, see Microsoft's Service Principal documentation.
We recommend using Microsoft Graph Explorer to do this.
Before using Microsoft Graph Explorer, you need an account that has Application.ReadWrite.All permission. If you are not sure what this means, ask someone in your organization with the Global Administrator role in your Azure tenant. For more information on the required permissions, see Microsoft's Service Principals documentation.
To create the service principal:
- Navigate to https://developer.microsoft.com/en-us/graph/graph-explorer.
- Click the avatar icon in the top right. This should open a login window, where you can log in with your credentials.
- Click on the blue GET button. Select POST as the query method.
- Enter https://graph.microsoft.com/v1.0/servicePrincipals in the URI field.
- Under Request body, enter: { "appId": "b26e684c-5068-4120-a679-64a5d2c909d9" }
Note: Do not forget the curly brackets.
- Press the Run query button.
- Confirm you received a Created – 201 response.
Note: If it is already set up, you will see a 409 error.
Configure permissions
Now you need to add the eDiscovery.Download.Read permission that became available when you added the service principal in the Create the service principal section. Navigate back to the Microsoft Azure Portal, to the application registration you set up earlier.
- Click the API permissions in the left-hand side menu.
- Click + Add a permission.
- Select the APIs my organization uses tab.
- In the search bar, enter MicrosoftPurviewEDiscovery.
- Select the application MicrosoftPurviewEDiscovery search result.
- Select the Delegated Permissions box.
- Select eDiscovery.Download.Read.
- Click Add permissions.
- Click Grant admin consent for [TENANT NAME].
Note: You need the Global Administration role to complete this action.
- In the pop-up modal that appears, click Yes.
You completed configuring the application registration with Azure. Now onto Relativity.
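The registration described above can be checked after the fact. The following is an added example, not RelativityOne or Microsoft code: it audits an exported app registration against the values in this guide (single tenant, exactly the three redirect URIs, delegated permissions only, and only on Microsoft Graph and the MicrosoftPurviewEDiscovery app). It assumes the export uses the Microsoft Graph application resource fields signInAudience, spa, web and requiredResourceAccess; the function names are hypothetical and the sample data is constructed.

```python
# Added example: audit an exported app registration against this guide.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
PURVIEW_APP_ID = "b26e684c-5068-4120-a679-64a5d2c909d9"  # appId from this guide
PAGE = "relativity/CustomPages/f444a06a-617c-430b-90b2-a112e834b826"


def expected_redirects(base):
    """Return (spa, web) redirect URI sets for a RelativityOne host URL."""
    base = base.rstrip("/")
    spa = {f"{base}/{PAGE}/index.html",
           f"{base}/{PAGE}/ms-auth-popup-redirect.html"}
    web = {f"{base}/Relativity.Rest/API/aed-integration/v1/service/ms-auth/auth-response"}
    return spa, web


def audit_registration(app, base):
    """Return a list of findings; an empty list means the export matches."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("account type is not single tenant")
    for kind, want in zip(("spa", "web"), expected_redirects(base)):
        have = set((app.get(kind) or {}).get("redirectUris", []))
        findings += [f"unexpected {kind} redirect URI: {u}" for u in sorted(have - want)]
        findings += [f"missing {kind} redirect URI: {u}" for u in sorted(want - have)]
    for api in app.get("requiredResourceAccess", []):
        if api["resourceAppId"] not in (GRAPH_APP_ID, PURVIEW_APP_ID):
            findings.append(f"permission on unexpected API: {api['resourceAppId']}")
        for perm in api.get("resourceAccess", []):
            if perm.get("type") != "Scope":  # "Role" = application permission
                findings.append(f"non-delegated permission: {perm.get('id')}")
    return findings


# Constructed sample export; the permission ids are placeholders, not real ids.
BASE = "https://company.relativity.one"
SAMPLE = {
    "signInAudience": "AzureADMyOrg",
    "spa": {"redirectUris": sorted(expected_redirects(BASE)[0]) + ["http://localhost:3000"]},
    "web": {"redirectUris": sorted(expected_redirects(BASE)[1])},
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
            {"id": "00000000-0000-0000-0000-0000000000a1", "type": "Scope"},
            {"id": "00000000-0000-0000-0000-0000000000a2", "type": "Role"}]},
        {"resourceAppId": PURVIEW_APP_ID, "resourceAccess": [
            {"id": "00000000-0000-0000-0000-0000000000b1", "type": "Scope"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_registration(SAMPLE, BASE):
        print(finding)
```

The constructed sample deliberately carries a leftover localhost redirect URI and an application ("Role") permission, so the audit reports two findings.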
Grant users eDiscovery permissions in Microsoft Purview
Permissions to use the Purview Sync application can be broken down into two categories:
- Azure Active Directory roles—necessary to grant eDiscovery permissions.
- Purview eDiscovery Premium roles—necessary to execute actions in Purview eDiscovery Premium, and the Purview Sync application within RelativityOne.
Before you start, the user performing the actions in this section must have:
- Azure Active Directory role—Compliance Administrator, to be able to read, configure, and manage compliance permissions with Microsoft Purview, formerly known as Security & Compliance Center.
- Azure Active Directory role—Compliance Data Administrator, to be able to create and manage compliance content within Microsoft Purview.
Once the Compliance Administrator and Compliance Data Administrator roles have been assigned to the person configuring this user, that user will then be able to configure permissions within the Microsoft Purview compliance portal here.
Note: If you see a screen that the Microsoft compliance portal is retired, it might mean that you are using the old Microsoft compliance portal that was disabled in November 2024. Navigate to the new Microsoft Purview instead.
Setting up Compliance Admin roles
To set up Compliance Admin roles to use Azure AD:
- Navigate to https://purview.microsoft.com and log in.
- Click Settings > Roles and scopes > Role groups.
- Click the Compliance Administrator role > Edit > Choose users.
- Ensure all users, including service accounts, that will be using Purview Sync in RelativityOne are assigned this role.
- If there are users that need to be added, click the Add assignments button to add them.
- Close the Assignments page once all the appropriate users have been added.
- Click the Compliance Data Administrator role > Edit > Choose users.
- Ensure all users, including service accounts, that will be using Purview Sync in RelativityOne are assigned this role.
- If there are users that need to be added, click the Add assignments button to add them.
- Close the Assignments page once all the appropriate users have been added.
Purview eDiscovery Premium Permission Management for users
- Navigate to https://purview.microsoft.com and log in.
- Click Settings > Roles and scopes > Role groups under the Microsoft Purview solutions section.
- Click eDiscovery Manager.
- Select Edit.
- If you want to allow a user the capability to create cases in Purview eDiscovery Premium, but not see other cases, then assign that user to the eDiscovery Manager role by following these sub-tasks; otherwise, skip to step 6:
  - Click the Choose users button.
  - Select the users to add to the eDiscovery Manager role in the right-side menu.
  - Click the Select button.
  - Click the Next button at the bottom of the page until you navigate through Manage eDiscovery Administrator and Review and finish options.
  - Click the Save button.
- If you want to allow a user the capability to create cases and see cases that other users have created, then assign that user to the eDiscovery Administrator role by following these sub-tasks; otherwise, skip to the next section.
  - Click the Next button to navigate to the Manage eDiscovery Administrator options.
  - Click the Choose users button.
  - Select the users to add to the eDiscovery Administrator role in the right-side menu.
  - Click the Select button.
  - Click the Save button.
You have now granted a service or user eDiscovery permissions in Microsoft Purview.