Manual Microsoft 365 tenant configuration
If the automatic configuration was not successful, the tenant must be configured manually. To do that, navigate to Account Configuration > Microsoft 365 tab > Add new tenant and select Click here to configure with an already existing Azure AD application.
- A service user account with at least Exchange Administrator privileges. Click here to learn how to create such a service account.
- If the account you use to configure your tenant in RecoveryManager Plus has MFA enabled, you need to use either the Conditional Access or Trusted IP feature in Microsoft 365 to bypass MFA. Once you have configured one of these features, proceed to configure the service account in RecoveryManager Plus.
- Create a self-signed X.509 certificate. Download the PowerShell script from this link. Open PowerShell and run the downloaded script using the following command:
.\Create-SelfSignedCertificate.ps1 -CommonName "CertificateName" -StartDate YYYY-MM-DD -EndDate YYYY-MM-DD
The certificate will be created with the name provided in the CertificateName position. In the YYYY-MM-DD fields, provide the start and end dates for the certificate. Once you run the PowerShell script, you will be prompted to provide a password for the PFX file, and the PFX and CER files will be exported to the current folder. The password you provided and the certificate files will be required in the later steps.
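A check of the exported files before they are used in the later steps, as an added example that is not part of the downloaded script or the product: it confirms that the CER and PFX hold the same certificate, that only the PFX carries the private key, and that the validity window matches the dates you passed. The file names and the 30-day warning threshold are assumptions.

```powershell
# Added example: inspect the exported certificate pair before uploading the CER
# to the Azure AD application and the PFX to RecoveryManager Plus.
function Test-CertificatePair {
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [int] $WarnDays = 30   # assumed threshold for the expiry warning
    )
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    # The CER holds the public certificate only; the PFX is opened with its password.
    $cer = $x509::new((Resolve-Path -LiteralPath $CerPath).ProviderPath)
    $pfx = $x509::new((Resolve-Path -LiteralPath $PfxPath).ProviderPath, $PfxPassword)
    $now = Get-Date

    [pscustomobject]@{
        Subject          = $cer.Subject
        Thumbprint       = $cer.Thumbprint
        # Both files must describe the same certificate, otherwise the app
        # registration and the product will hold mismatched credentials.
        ThumbprintsMatch = ($cer.Thumbprint -eq $pfx.Thumbprint)
        # Only the PFX should contain the private key.
        CerHasPrivateKey = $cer.HasPrivateKey
        PfxHasPrivateKey = $pfx.HasPrivateKey
        NotBefore        = $cer.NotBefore
        NotAfter         = $cer.NotAfter
        CurrentlyValid   = (($now -ge $cer.NotBefore) -and ($now -le $cer.NotAfter))
        ExpiresSoon      = ($cer.NotAfter -lt $now.AddDays($WarnDays))
    }
}

# Assumed file names: use the names of the files exported to the current folder.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
Test-CertificatePair -CerPath .\CertificateName.cer `
                     -PfxPath .\CertificateName.pfx `
                     -PfxPassword $password
```

Reading the password with `Read-Host -AsSecureString` keeps it out of the command line and the PowerShell history.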
There are two steps to configure a tenant manually.
- Create an Azure AD application.
- Configure the Azure AD application in RecoveryManager Plus.
Create an Azure AD application
To create an Azure AD application:
- Sign in to the Azure AD portal using the credentials of a Global Administrator account.
- Select Azure Active Directory from the left pane.
- Select App registrations.
- Click New registration.
- Provide a Name for the RecoveryManager Plus application to be created.
- Select a supported account type based on your organizational needs.
- Leave the RedirectURL(optional) field blank. You will configure it in the next few steps.
- Click Register to complete the initial app registration.
- You will now see the Overview page of the registered application.
- Click Add a Redirect URL.
- Click Add a platform under Platform configurations.
- In the Configure platforms pop-up, click Web under Web applications.
- In the RedirectURL field, enter http://localhost:port_number/webclient/GrantAccess. For example, http://localhost:8090/webclient/GrantAccess or
- You can leave the Logout URL and Implicit grant fields empty. Click Configure.
- On the Authentication page, under Redirect URLs, click Add URL and add the following URLs.
Note: The REDIRECT URL must adhere to the following criteria:
- It must be fewer than 256 characters in length.
- It should not contain wildcard characters.
- It should not contain query strings.
- It must start with HTTPS or http://localhost.
- It must be a valid and unique URL. Based on the connection type (http/https) you have configured in RecoveryManager Plus, the REDIRECT URL format varies.
- For http, the URL value is http://localhost:8090. Machine name or IP address cannot be used in place of localhost if http is used.
- For https, the URL value is https://192.345.679.345:8090 or https://testmachine:8090.
- To find your machine's IP, open the Command Prompt, type ipconfig, and press Enter. You can find your IPv4 Address in the results shown.
Click Manifest from the left pane.
Look for the requiredResourceAccess array in the code.
Copy the entire content from this file and paste it into the section highlighted in the image below. If you want to modify the permissions to be provided, skip this step and follow the steps mentioned in this section.
- If your tenant is being created in Azure Germany, copy the entire content from this file and paste it into the section highlighted in the image below.
- If your tenant is being created in Azure China, copy the entire content from this file and paste it into the section highlighted in the image below.
Note: Copy and paste content only from the open square bracket to the closed square bracket. Ensure that all punctuation marks are retained correctly. Once you have pasted the file, it should look like the image below.
Click API permissions from the left pane.
In the Configured permissions section, click ✓ Grant admin consent for <your_company_name>.
Click Yes in the pop-up that appears.
Click Certificates & secrets from the left pane.
Under the Client secrets section, click New client secret.
This section generates an app password for RecoveryManager Plus. In the Description field of the pop-up, provide a name to identify the app to which the password belongs.
Choose when the password should expire.
Copy the string under Value and save it. This is the Application Secret Key, which you will require later.
In the Certificates section, click Upload certificate and upload the .CER file generated in the prerequisites section.
Now, navigate to the Overview section in the left pane.
Copy the Application (client) ID and Object ID values and save them. You will need these values to configure your tenant in the RecoveryManager Plus portal.
Refer to this table to learn about the roles that must be assigned to the application.
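The redirect URL criteria from the note in the procedure above can be checked before the values are entered in the portal. The following is an added example, not part of the product or of Azure AD; the function name and the sample URLs are constructed for illustration.

```powershell
# Added example: pre-flight check of redirect URLs against the criteria in the note.
function Test-RedirectUrl {
    param([Parameter(Mandatory)] [string] $Url)
    $problems = @()
    if ($Url.Length -ge 256) { $problems += 'must be fewer than 256 characters' }
    if ($Url.Contains('*'))  { $problems += 'must not contain wildcard characters' }

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref] $uri)) {
        $problems += 'must be a valid absolute URL'
    } else {
        if ($uri.Query) { $problems += 'must not contain a query string' }
        # https may use a machine name or IP; http is accepted for localhost only.
        $isHttps     = ($uri.Scheme -eq 'https')
        $isLocalHttp = (($uri.Scheme -eq 'http') -and ($uri.Host -eq 'localhost'))
        if (-not ($isHttps -or $isLocalHttp)) {
            $problems += 'must start with https:// or http://localhost'
        }
    }
    [pscustomobject]@{
        Url      = $Url
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed sample values; replace with the URLs you intend to register.
$candidates = @(
    'http://localhost:8090/webclient/GrantAccess',
    'https://testmachine:8090/webclient/GrantAccess',
    'http://testmachine:8090/webclient/GrantAccess',       # http with a machine name
    'https://testmachine:8090/webclient/GrantAccess?x=1',  # query string
    'https://*.example.com/webclient/GrantAccess',         # wildcard
    'http://localhost:8090/webclient/GrantAccess'          # duplicate of the first
)
$candidates | ForEach-Object { Test-RedirectUrl -Url $_ } | Format-Table -AutoSize -Wrap

# The note also requires each URL to be unique within the registration.
$candidates | Group-Object | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "Duplicate redirect URL: $($_.Name)" }
```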
Steps to configure an Azure application in RecoveryManager Plus
- Return to the RecoveryManager Plus console where you have the pop-up.
- Enter your Tenant Name. For example, test.onmicrosoft.com.
- Paste the Application ID and Application Object ID values copied in Step 35 of the previous section into the respective fields.
- For the Application Secret Key, paste the value copied in Step 32 of the previous section.
- In the Application Certificate field, click Browse and select the .PFX file generated in the prerequisites section. In the Certificate Password field, enter the password used in the prerequisites section.
- Enter the Service account name and Password of the service account you created for RecoveryManager Plus.
- Click Add Tenant.
- You should now see that AAD Application Status is successful for the account you configured.
Note: If your service account is MFA-enabled, please check this section.