Configuring Rest API

    REST API is essential to generate reports on your Microsoft 365 environment.

    You can configure Rest API manually or automate the process.

    Automatic configuration

    1. Log in to ADManager Plus.
    2. Click Microsoft 365/Google Apps listed under System Settings.
    3. Choose the Enable Now option listed under the Rest API Access column for the Microsoft 365 tenant for which REST API access is to be enabled.
    4. The next screen will redirect you to the Microsoft 365 login portal. Enter the credentials of the global admin account that you had configured earlier in ADManager Plus.
    5. Click Sign-in.
    6. Once this is completed, an application for ADManager Plus will be created automatically. The following page will display the list of all permissions needed by the application. If you would like to change the permissions required by the application, opt for manual configuration.
    7. Once you have reviewed the permissions listed, click Accept.
    8. You will now be redirected to the ADManager Plus console. From the console, you can see that the REST API Access is Enabled for the account that you configured.

    Manual configuration

    If you encounter any permission issues during automatic configuration or if you want to change the permissions needed by the application, you can configure the Rest API Access manually.

    Azure Portal

    1. Log in to the Azure AD portal using the credentials of the account for which the REST API is to be enabled.
    2. Select Azure Active Directory → App registrations → New registration.
    3. If you've already created an ADManager Plus application, select the desired application name. Otherwise, in the Name field, enter the desired name of the ADManager Plus application to be created and click Register.
    4. An Overview page will be displayed, containing information about the application.
    5. Click Add a Redirect URI.
    6. Click Add a platform under Platform configurations.
    7. In the Configure platforms pop-up, click Web under Web applications.
    8. In the Redirect URI field, enter http://localhost:port_number/webclient/VerifyUser
    9. Add the following Redirect URIs in the subsequent rows with Web as the value for Type.
      • https://identitymanager.manageengine.com/api/public/v1/oauth/redirect
      • https://demo.o365managerplus.com/oauth/redirect
      • https://manageengine.com/microsoft-365-management-reporting/redirect.html

      Note:

      The redirect URI should meet the requirements below:

      • It must be fewer than 256 characters in length.
      • It should not contain wildcard characters.
      • It should not contain query strings.
      • It must start with HTTPS or http://localhost.
      • It must be a valid and unique URL.
      • For HTTP, the URI value is: http://localhost:8080. If HTTP is used, the machine name or IP address cannot be used in the place of localhost.
      • For HTTPS, the URI value is: https://192.345.679.345:8080 or https://testmachine:8080 (where <testmachine> is the hostname of the machine where ADManager Plus is installed).

      The redirect URI format varies according to the connection type (HTTP/HTTPS) that has been configured in ADManager Plus.

    10. Click Save.
    11. Click Manifest in the left pane and search for the requiredResourceAccess array in the code.
    12. Copy the contents of this file and paste the content as highlighted in the image below and click Save. If you want to modify the permissions to be provided, skip this step and follow the steps mentioned in this guide.

      Note: Copy and paste only the content from the opening square bracket to the closing square bracket. Ensure that all punctuation marks are retained correctly. Once you have pasted the content in the file, it should look like the image below.

      Note:
      • If your tenant is being created in Azure Germany, copy the entire content of this file and paste it into the section highlighted in the image below.
      • If your tenant is being created in Azure China, copy the entire content of this file and paste it into the section highlighted in the image below.
    13. Click API permissions in the left pane and click the Grant admin consent for <your_company_name> option listed under the Grant consent section. Grant the necessary permissions as required. The API permission and its scope are available in this table.
    14. Choose Yes in the confirmation dialog box that appears.
    15. Navigate to Certificates & secrets.
    16. Under the Client secrets section, click New client secret.
    17. This section generates an app password for ADManager Plus. In the Description field of the pop-up, provide a name to identify the app to which the password belongs.
    18. Choose when the password should expire.
    19. Click Add.
    20. Copy the string under Value and save it. This is the Application Secret Key, which you will require later.
    21. Go to Certificates and click Upload certificate. Upload your application certificate as a .cer file.
    22. If the user has an SSL certificate, the same can be used here. Otherwise, click here for steps to create a self-signed certificate.

      Note: Certificate-based authentication is used to contact Microsoft 365 securely and fetch data. During manual configuration, you will be asked to enter your application Secret and upload the Application Certificate.

    23. Navigate to the Overview section in the left pane, copy the values of Application (client) ID and Object ID, and save them, as they will be required while configuring the tenant in ADManager Plus.
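The redirect URI requirements listed in the note above can be checked before a value is typed into the portal. The following is an added example, not ManageEngine or Microsoft code; the function name, the messages and the sample URIs are constructed for illustration, and port 8080 stands in for the product's port_number.

```python
from urllib.parse import urlsplit


def check_redirect_uri(uri, registered=()):
    """Return the list of rules from the note that `uri` violates."""
    problems = []
    if len(uri) >= 256:
        problems.append("must be fewer than 256 characters")
    if "*" in uri:
        problems.append("wildcard characters are not allowed")
    if "?" in uri:
        problems.append("query strings are not allowed")
    try:
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return problems + ["not a valid URL"]
    if not host:
        problems.append("not a valid URL")
    scheme = parts.scheme.lower()
    if scheme == "http":
        # Compare the parsed host exactly: a prefix test on the string would
        # also accept hosts that merely begin with "localhost".
        if host != "localhost":
            problems.append("HTTP is allowed only for localhost")
    elif scheme != "https":
        problems.append("must start with https:// or http://localhost")
    if uri in registered:
        problems.append("already registered (must be unique)")
    return problems


# Constructed sample values; none of them come from a real deployment.
SAMPLES = [
    "http://localhost:8080/webclient/VerifyUser",
    "https://testmachine:8080/webclient/VerifyUser",
    "http://testmachine:8080/webclient/VerifyUser",
    "http://localhost.example.test:8080/webclient/VerifyUser",
    "https://testmachine:8080/webclient/VerifyUser?next=home",
    "https://*.example.test/oauth/redirect",
    "http://localhost:port_number/webclient/VerifyUser",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_redirect_uri(sample) or "OK")
```

The last sample shows that the literal port_number placeholder from step 8 is rejected until it is replaced with the port ADManager Plus actually listens on.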

    Steps to create a self-signed certificate

    1. If you require a self-signed certificate, go to the <Installation Directory>\bin folder and run the Create-selfsignedcertificate.ps1 script as administrator.
    2. Before executing the script, run the following command:

       Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process

    3. While running the script, you will be asked to add a common name for the certificate, start and end date (yyyy-MM-dd) for the certificate's validity and a private key to protect it.
    4. Once you enter the values, the script will create a .pfx file (contains both public and private key) in the bin folder.
    5. The .pfx file needs to be uploaded in ADManager Plus, while the .cer file should be uploaded in the Azure portal of your application.

    Roles and permissions

    The roles and permissions (minimum scope) required for a service account configured in ADManager Plus are listed below.

    Module      Role Name                                 Scope
    Management  User Administrator                        Manage users, contacts and groups.
    Management  Privileged Authentication Administrator   Reset password, block or unblock administrators.
    Management  Privileged Role Admin                     Manage role assignments in Azure Active Directory.
    Management  Exchange Administrator                    Update mailbox properties
    Management  Teams Service Admin                       Manage Microsoft Teams
    Reporting   Global Reader                             Get reports on all Microsoft 365 services
    Reporting   Security Reader                           Security Reader

    The roles and permissions (minimum scope) required for an Azure AD Application configured in ADManager Plus are listed below.

    Module      API Name               Permission             Scope
    Management  Microsoft Graph        User.ReadWrite.All     Create, modify, delete, or restore users.
    Management  Microsoft Graph        Group.ReadWrite.All    Create, modify, delete, or restore groups. Add or remove group members and owners.
    Reporting   Microsoft Graph        User.Read.All          Get user and group member reports.
    Reporting   Microsoft Graph        Group.Read.All         Get group reports.
    Reporting   Microsoft Graph        Contacts.Read          Get contact reports.
    Reporting   Microsoft Graph        Reports.Read.All       Get usage reports.
    Reporting   Microsoft Graph        Organization.Read.All  Get license detail reports.
    Reporting   Microsoft Graph        AuditLog.Read.All      Get audit log-based reports.
    Reporting   Microsoft Graph        Application.Read.All   Get Azure AD application details.
    Reporting   Office 365 Management  ActivityFeed.Read      Read the audit data for organization.
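The application permission table above can serve as a least-privilege baseline when reviewing the app registration after admin consent. This is an added example, not ManageEngine code: it assumes the permissions have been copied by name from the portal's API permissions page as (API, permission, consented) rows, and the function name and sample rows are constructed.

```python
# Minimum application permissions per module, transcribed from the table above.
BASELINE = {
    "Management": {
        ("Microsoft Graph", "User.ReadWrite.All"),
        ("Microsoft Graph", "Group.ReadWrite.All"),
    },
    "Reporting": {
        ("Microsoft Graph", "User.Read.All"),
        ("Microsoft Graph", "Group.Read.All"),
        ("Microsoft Graph", "Contacts.Read"),
        ("Microsoft Graph", "Reports.Read.All"),
        ("Microsoft Graph", "Organization.Read.All"),
        ("Microsoft Graph", "AuditLog.Read.All"),
        ("Microsoft Graph", "Application.Read.All"),
        ("Office 365 Management", "ActivityFeed.Read"),
    },
}


def audit_permissions(rows, modules=("Management", "Reporting")):
    """Report excess, missing and not-yet-consented permissions for `modules`."""
    wanted = set().union(*(BASELINE[m] for m in modules))
    present = {(api, perm) for api, perm, _ in rows}
    pending = {(api, perm) for api, perm, ok in rows if not ok}
    return {
        "excess": sorted(present - wanted),       # beyond the documented minimum
        "missing": sorted(wanted - present),      # the module will not work fully
        "unconsented": sorted(pending & wanted),  # admin consent not granted yet
    }


# Constructed rows for a reporting-only registration (not real tenant data).
SAMPLE_ROWS = [
    ("Microsoft Graph", "User.Read.All", True),
    ("Microsoft Graph", "Group.Read.All", True),
    ("Microsoft Graph", "Contacts.Read", True),
    ("Microsoft Graph", "Reports.Read.All", True),
    ("Microsoft Graph", "Organization.Read.All", True),
    ("Microsoft Graph", "AuditLog.Read.All", False),
    ("Microsoft Graph", "Directory.ReadWrite.All", True),
    ("Office 365 Management", "ActivityFeed.Read", True),
]

if __name__ == "__main__":
    for finding, items in audit_permissions(SAMPLE_ROWS, ["Reporting"]).items():
        print(finding, items)
```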

    ADManager Plus portal

    1. Open the ADManager Plus portal with the below pop-up.
    2. Enter your Tenant Name. For example, test.onmicrosoft.com
    3. Paste the Application (client) ID and Object ID, which were saved earlier in Step 23, in the respective fields.
    4. Enter the Application Secret Value that was saved during Step 20. Upload the Application certificate and provide the Certificate Password.
    5. Click Add Tenant. The tenant will be added in ADManager Plus. If you wish to modify the details, click the edit option once the configuration is listed and make the changes.
    6. Click Update once the necessary modifications are done. The Rest API Access should now be Enabled for the configured account.
