Configuring Rest API

    REST API is essential to generate reports on your Microsoft 365 environment.

    You can configure Rest API manually or automate the process.

    Automatic configuration:

    1. Log in to ADManager Plus.
    2. Click Microsoft 365/Google Apps listed under System Settings.
    3. Choose the Enable Now option listed under Rest API Access column associated with the Microsoft 365 tenant for which the REST API access is to be enabled.
    4. The next screen will redirect you to the Microsoft 365 login portal. Enter the credentials of the global admin account that you had configured earlier in ADManager Plus.
    5. Click Sign-in.
    6. Once this is completed, an application for ADManager Plus will be created automatically. The following page will display the list of all permissions needed by the application. If you would like to change the permissions required by the application, opt for manual configuration.
    7. Once you are well-informed on the permissions listed, click Accept.
    8. You will now be redirected to the ADManager Plus console. From the console, you can see that the REST API Access is Enabled for the account that you configured.

    Manual configuration:

    If you encounter any permission issues during automatic configuration or if you want to change the permissions needed by the application, you can configure the Rest API Access manually.

    Azure Portal

    1. Log in to the Azure AD portal using the credentials of the account for which the REST API is to be enabled.
    2. Select Azure Active Directory → App registrations → New registration.
    3. If you've already created an ADManager Plus application, select the desired application name. Otherwise, in the Name field, enter the desired name of the ADManager Plus application to be created and click Register.
    5. An Overview page will be displayed, containing information about the application.
    6. Click Add a Redirect URI.
    7. Click Add a platform under Platform configurations.
    8. In the Configure platforms pop-up, click Web under Web applications.
    9. In the Redirect URI field, enter http://localhost:port_number/webclient/VerifyUser
    10. Add the following Redirect URIs in the subsequent rows with Web as the value for Type.
      • https://identitymanager.manageengine.com/api/public/v1/oauth/redirect
      • https://demo.o365managerplus.com/oauth/redirect
      • https://manageengine.com/microsoft-365-management-reporting/redirect.html

      Note:

      The REDIRECT URI should meet the requirements below:

      • It must be fewer than 256 characters in length.
      • It should not contain wildcard characters.
      • It should not contain query strings.
      • It must start with HTTPS or http://localhost.
      • It must be a valid and unique URL.
      • For HTTP, the URI value is: http://localhost:8080. If HTTP is used, the machine name or IP address cannot be used in the place of localhost.
      • For HTTPS, the URI value is: https://192.345.679.345:8080 or https://testmachine:8080 (where <testmachine> is the hostname of the machine where ADManager Plus is installed).

      The REDIRECT URI format varies according to the connection type (HTTP/HTTPS) that has been configured in ADManager Plus.

    11. Click Save.
    12. Click Manifest in the left pane and search for requiredResourceAccess as an array in the code.
    13. Copy the contents of this file and paste the content as highlighted in the image below and click Save. If you want to modify the permissions to be provided, skip this step and follow the steps mentioned in this guide.
      Note: Copy-paste content only from the open square bracket to the closed square bracket. Ensure that all punctuation marks are retained correctly. Once you have pasted the content in the file, it should look like the image below.

      Note:
      • If your tenant is being created in Azure Germany, copy the entire content of this file and paste it into the section highlighted in the image below.
      • If your tenant is being created in Azure China, copy the entire content of this file and paste it into the section highlighted in the image below.
    15. Click API permissions in the left pane and click the Grant admin consent for <your_company_name> option listed under the Grant consent section. Grant the necessary permissions as required. The API permission and its scope are available in this table.
    17. Choose Yes in the confirmation dialog box that appears.
    18. Navigate to Certificates & secrets → New client secret.
    19. This section generates the app password for ADManager Plus. Enter a name in the Description field for password identification.
    20. Configure the password expiry settings and click Add.
    21. Copy the string listed under Value and save it. This will be required while configuring a Microsoft 365 tenant in ADManager Plus.
    23. Navigate to the Overview section in the left pane and copy the values of Application (client) ID and Object ID, then save them for later use.
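
    The redirect URI requirements listed in the note under step 10 can be checked before a value is entered in the portal. The script below is an added example, not ADManager Plus or Microsoft code; the function names and the sample URIs are constructed, with port 8080 standing in for port_number.

```python
from urllib.parse import urlsplit


def check_redirect_uri(uri, registered=()):
    """Return the rules from the note that `uri` violates ([] means it passes)."""
    problems = []
    if len(uri) >= 256:
        problems.append("must be fewer than 256 characters")
    if "*" in uri:
        problems.append("must not contain wildcard characters")
    if "?" in uri:
        problems.append("must not contain a query string")
    try:
        parts = urlsplit(uri)
        host, _ = parts.hostname, parts.port  # .port raises on a non-numeric port
    except ValueError:
        return problems + ["must be a valid URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not host:
        problems.append("must start with HTTPS or http://localhost")
    elif scheme == "http" and host != "localhost":
        # Compare the parsed host, not a string prefix: a URI such as
        # http://localhost.example.test starts with "http://localhost"
        # but names a different machine.
        problems.append("HTTP is allowed only for localhost")
    if uri in registered:
        problems.append("must be unique")
    return problems


def review(uris):
    """Check each URI in order, treating earlier entries as already registered."""
    seen, report = [], []
    for uri in uris:
        report.append((uri, check_redirect_uri(uri, seen)))
        seen.append(uri)
    return report


# Constructed sample input.
SAMPLES = [
    "http://localhost:8080/webclient/VerifyUser",
    "https://testmachine:8080/webclient/VerifyUser",
    "http://testmachine:8080/webclient/VerifyUser",
    "http://localhost.example.test:8080/webclient/VerifyUser",
    "http://localhost:port_number/webclient/VerifyUser",
    "https://testmachine:8080/webclient/VerifyUser?next=/home",
    "https://testmachine:8080/webclient/VerifyUser",
]

if __name__ == "__main__":
    for uri, problems in review(SAMPLES):
        print("OK  " if not problems else "FAIL", uri, "; ".join(problems))
```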

    Roles and permissions

    The roles and permissions (minimum scope) required for a service account configured in ADManager Plus are listed below.

    | Module | Role Name | Scope |
    |---|---|---|
    | Management | User Administrator | Manage users, contacts and groups. |
    | Management | Privileged Authentication Administrator | Reset password, block or unblock administrators. |
    | Management | Privileged Role Admin | Manage role assignments in Azure Active Directory. |
    | Management | Exchange Administrator | Update mailbox properties |
    | Management | Teams Service Admin | Manage Microsoft Teams |
    | Reporting | Global Reader | Get reports on all Microsoft 365 services |
    | Reporting | Security Reader | Security Reader |

    The roles and permissions (minimum scope) required for an Azure AD Application configured in ADManager Plus are listed below.

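    | Module | API Name | Permission | Scope |
    |---|---|---|---|
    | Management | Microsoft Graph | User.ReadWrite.All | User creation, modification, deletion and restoration. |
    | Management | Microsoft Graph | Group.ReadWrite.All | Group creation, modification, deletion, restoration. And add or remove members and owners. |
    | Reporting | Microsoft Graph | User.Read.All | Users and group members report. |
    | Reporting | Microsoft Graph | Group.Read.All | Group reports. |
    | Reporting | Microsoft Graph | Contacts.Read | Contact reports. |
    | Reporting | Microsoft Graph | Reports.Read.All | Usage reports. |
    | Reporting | Microsoft Graph | Organization.Read.All | License details reports. |
    | Reporting | Microsoft Graph | AuditLog.Read.All | Audit log-based reports |
    | Reporting | Azure Active Directory Graph | Domain.Read.All | Domain-based reports. |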
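
    When permissions are modified manually, the set granted to the application can be compared against the minimum scope in the table above, limited to the modules actually in use. The script below is an added example, not ADManager Plus code; it assumes the granted permissions have been listed by hand as (API name, permission) pairs from the API permissions page, and the sample grant (including Mail.Read) is constructed.

```python
GRAPH = "Microsoft Graph"
AAD_GRAPH = "Azure Active Directory Graph"

# Minimum application permissions per module, copied from the table above.
MINIMUM = {
    "Management": {
        (GRAPH, "User.ReadWrite.All"),
        (GRAPH, "Group.ReadWrite.All"),
    },
    "Reporting": {
        (GRAPH, "User.Read.All"),
        (GRAPH, "Group.Read.All"),
        (GRAPH, "Contacts.Read"),
        (GRAPH, "Reports.Read.All"),
        (GRAPH, "Organization.Read.All"),
        (GRAPH, "AuditLog.Read.All"),
        (AAD_GRAPH, "Domain.Read.All"),
    },
}


def audit_permissions(granted, modules_in_use):
    """Compare granted (api, permission) pairs with the minimum for the modules in use."""
    unknown = [m for m in modules_in_use if m not in MINIMUM]
    if unknown:
        raise ValueError(f"unknown module(s): {unknown}")
    required = set().union(*(MINIMUM[m] for m in modules_in_use))
    all_listed = set().union(*MINIMUM.values())
    granted = set(granted)
    excess = granted - required
    return {
        "missing": sorted(required - granted),               # reports or actions will fail
        "from_unused_module": sorted(excess & all_listed),   # listed, but for a module not in use
        "not_in_table": sorted(excess - all_listed),         # not part of the documented minimum
    }


# Constructed sample: a reporting-only deployment with one permission missing,
# one write permission from the Management module, and one unrelated permission.
SAMPLE_GRANT = (MINIMUM["Reporting"] - {(GRAPH, "AuditLog.Read.All")}) | {
    (GRAPH, "User.ReadWrite.All"),
    (GRAPH, "Mail.Read"),
}

if __name__ == "__main__":
    for finding, items in audit_permissions(SAMPLE_GRANT, ["Reporting"]).items():
        print(finding, items)
```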

    ADManager Plus portal

    1. Open the ADManager Plus portal with the below pop-up:
    3. Enter your Tenant Name. For example, test.onmicrosoft.com
    4. Paste the Application (client) ID and Object ID which were saved earlier in Step #16, in the respective fields.
    5. Enter the Application Secret Key that was saved during Step #15.
    6. Click Update. The Rest API Access should now be Enabled for the configured account.