Configuring REST API
Configuring the REST API is a crucial step for generating reports and managing data within your Microsoft 365 environment. The REST API provides the integration between ADManager Plus and Microsoft 365, allowing you to automate tasks such as user management, reporting, and more.
You can either configure the REST API manually by entering the necessary credentials and settings, or automate the process to simplify configuration and ensure a smooth integration. Proper configuration is essential to ensure accurate data retrieval and reporting from your Microsoft 365 account.
Manual configuration
If you encounter any permission issues during automatic configuration, or if you want to change the permissions granted to the application, you can configure the Rest API Access manually.
Steps to create an Entra ID application
- Log in to the Microsoft Entra ID admin center using the credentials of a Global Administrator or any other user account with the permission to create Entra ID applications.
- Navigate to Identity > Applications > App registration.
- If you've already created an ADManager Plus application, select the desired application name. Otherwise, in the Name field, enter the desired name of the ADManager Plus application to be created.
- Select a supported account type based on your organizational needs.
- Leave Redirect URI (optional) blank; you will configure it in the next few steps.
- Click Register to complete the initial app registration.
- You will now see the Overview page of the registered application.
- Navigate to Authentication in the side pane.
- Click Add a platform under Platform configurations.
- In the Configure platforms pop-up, under Web applications, click Web.
- In the Redirect URI field, enter the following links. You can enter only one link at a time. After you enter a link, click Configure and repeat the steps until all of the links are configured.
- http://localhost:port_number/webclient/VerifyUser
- https://identitymanager.manageengine.com/api/public/v1/oauth/redirect
- https://demo.o365managerplus.com/oauth/redirect
- https://manageengine.com/microsoft-365-management-reporting/redirect.html
Note:
The Redirect URI must meet the following requirements:
- It must be fewer than 256 characters in length.
- It should not contain wildcard characters.
- It should not contain query strings.
- It must start with HTTPS or http://localhost.
- It must be a valid and unique URL.
- For HTTP, the URI value is: http://localhost:8080. If HTTP is used, the machine name or IP address cannot be used in the place of localhost.
- For HTTPS, the URI value is: https://192.345.679.345:8080 or https://testmachine:8080 (where <testmachine> is the hostname of the machine where ADManager Plus is installed).
- The Redirect URI format varies according to the connection type (HTTP/HTTPS) that has been configured in ADManager Plus.
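As an added example (not ManageEngine code), the following PowerShell function checks a candidate Redirect URI against the requirements listed in the note above before you paste it into the app registration. The four URIs from the steps are used as input, with a constructed port 8080 substituted for the port_number placeholder, together with three constructed URIs that deliberately break a rule each:

```powershell
# Added example (not ManageEngine code): validates a Redirect URI against the
# requirements in the note above. $AlreadyRegistered enforces the uniqueness rule.
function Test-RedirectUri {
    param(
        [Parameter(Mandatory)] [string]   $Uri,
        [string[]] $AlreadyRegistered = @()
    )
    $problems = @()

    if ($Uri.Length -ge 256) { $problems += 'longer than 255 characters' }
    if ($Uri -match '\*')    { $problems += 'contains a wildcard character' }
    if ($Uri -match '\?')    { $problems += 'contains a query string' }

    $parsed = $null
    if (-not [System.Uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsed)) {
        $problems += 'not a valid absolute URL'
    }
    else {
        switch ($parsed.Scheme) {
            'https' { }
            'http'  {
                # Plain HTTP is only accepted for localhost; a machine name or IP is rejected.
                if ($parsed.Host -ne 'localhost') { $problems += 'http:// is only allowed with localhost' }
            }
            default { $problems += "scheme '$($parsed.Scheme)' is not allowed" }
        }
    }

    if ($AlreadyRegistered -contains $Uri) { $problems += 'already registered (must be unique)' }

    [pscustomobject]@{
        Uri      = $Uri
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed inputs: the four URIs from the steps above (port 8080 stands in for the
# port_number placeholder) plus three deliberately invalid ones.
$candidates = @(
    'http://localhost:8080/webclient/VerifyUser',
    'https://identitymanager.manageengine.com/api/public/v1/oauth/redirect',
    'https://demo.o365managerplus.com/oauth/redirect',
    'https://manageengine.com/microsoft-365-management-reporting/redirect.html',
    'http://admp-server:8080/webclient/VerifyUser',   # http with a machine name
    'https://example.invalid/*/redirect',             # wildcard
    'https://example.invalid/redirect?state=1'        # query string
)

# Check each candidate in turn; valid ones join the registered list so a repeat is flagged.
$registered = @()
foreach ($candidate in $candidates) {
    $result = Test-RedirectUri -Uri $candidate -AlreadyRegistered $registered
    if ($result.Valid) { $registered += $candidate }
    $result
}
```

The last three candidates are reported with a non-empty Problems column; the first four pass, which is what you want to see before clicking Configure for each of them.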
- Click Save.
- Click Manifest in the left pane and search for requiredResourceAccess as an array in the code.
- Copy the contents of this file and paste the content as highlighted in the image below and click Save. If you want to modify the permissions to be provided, skip this step and follow the steps mentioned in this guide.
Note: Copy only the content from the opening square bracket to the closing square bracket, including both brackets. Ensure that all punctuation marks are retained correctly. Once you have pasted the content into the manifest, it should look like the image below.
Note:
- If your tenant is being created in Azure Germany, copy the entire content of this file and paste it into the section highlighted in the image below.
- If your tenant is being created in Azure China, copy the entire content of this file and paste it into the section highlighted in the image below.
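Because a paste that drops a bracket or comma leaves the manifest invalid, it helps to check the copied array before saving. The following PowerShell is an added example (not ManageEngine code): it parses the pasted requiredResourceAccess array, checks that every entry has the shape Entra ID expects (a GUID resourceAppId and resourceAccess items with a GUID id and a type of Role or Scope), and merges it into a manifest file that you have downloaded locally. The GUIDs in the sample are constructed placeholders, not real permission IDs, and the path is hypothetical:

```powershell
# Added example (not ManageEngine code): validate a requiredResourceAccess array and
# merge it into a locally saved copy of the application manifest.
function Test-RequiredResourceAccess {
    param([Parameter(Mandatory)] [string] $JsonText)
    $errors = @()
    try   { $entries = @(ConvertFrom-Json -InputObject $JsonText) }
    catch { return [pscustomobject]@{ Valid = $false; Errors = @("not valid JSON: $($_.Exception.Message)") } }

    $i = 0
    foreach ($entry in $entries) {
        $g = [guid]::Empty
        if (-not [guid]::TryParse([string]$entry.resourceAppId, [ref]$g)) {
            $errors += "entry ${i}: resourceAppId is not a GUID"
        }
        if (-not $entry.resourceAccess) {
            $errors += "entry ${i}: resourceAccess is missing or empty"
        }
        foreach ($access in @($entry.resourceAccess)) {
            if (-not [guid]::TryParse([string]$access.id, [ref]$g)) { $errors += "entry ${i}: permission id is not a GUID" }
            if ($access.type -notin 'Role', 'Scope')               { $errors += "entry ${i}: type must be Role or Scope" }
        }
        $i++
    }
    [pscustomobject]@{ Valid = ($errors.Count -eq 0); Errors = $errors }
}

function Merge-RequiredResourceAccess {
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,   # hypothetical local copy of the manifest
        [Parameter(Mandatory)] [string] $JsonText
    )
    $check = Test-RequiredResourceAccess -JsonText $JsonText
    if (-not $check.Valid) { throw ("Refusing to merge:`n" + ($check.Errors -join "`n")) }

    $manifest = Get-Content -Raw -Path $ManifestPath | ConvertFrom-Json
    # Replace (or add) the array; -Force overwrites an existing property.
    $manifest | Add-Member -NotePropertyName requiredResourceAccess `
                           -NotePropertyValue @(ConvertFrom-Json -InputObject $JsonText) -Force
    $manifest | ConvertTo-Json -Depth 10 | Set-Content -Path $ManifestPath -Encoding UTF8
}

# Constructed sample of the array copied from the permissions file (placeholder GUIDs).
$pasted = @'
[
  {
    "resourceAppId": "00000000-0000-0000-0000-000000000001",
    "resourceAccess": [
      { "id": "00000000-0000-0000-0000-0000000000aa", "type": "Role" },
      { "id": "00000000-0000-0000-0000-0000000000ab", "type": "Scope" }
    ]
  }
]
'@

# The same paste with the closing bracket lost, which the note above warns about.
$truncated = $pasted.TrimEnd().TrimEnd(']')

Test-RequiredResourceAccess -JsonText $pasted
Test-RequiredResourceAccess -JsonText $truncated
# Merge-RequiredResourceAccess -ManifestPath 'C:\temp\manifest.json' -JsonText $pasted
```

The first check reports Valid = True; the truncated paste fails with a JSON parse error, which is the same failure the portal would report after you click Save. Upload the merged file through the manifest page's upload option, or paste the validated array into the editor as the steps describe.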
- Click API permissions in the left pane and click the Grant admin consent for <your_company_name> option listed under the Configured permissions section. Grant the necessary permissions as required. The API permissions and their scopes are listed in this table.
- Click Yes in the pop-up that appears.
- Click Certificates & secrets from the left pane.
- Under the Client secrets section, click New client secret.
- This section generates an app password for ADManager Plus. In the Description field of the pop-up, provide a name to identify the app to which the password belongs.
- Choose when the password should expire.
- Click Add.
- Copy the string under Value and save it. This is the Application Secret Key, which you will require later.
- Go to Certificates and click Upload certificate. Upload your application certificate as a .cer file.
- If you already have an SSL certificate, it can be used here. Otherwise, follow the steps in the Steps to create a self-signed certificate section below.
Note: Certificate-based authentication is used to contact Microsoft 365 securely and fetch data. During manual configuration, you will be asked to enter your application Secret and upload the Application Certificate.
- Now go to the Overview section in the left pane.
- Copy the Application (client) ID and Object ID values and save them. You will need these values to configure your tenant in the ADManager Plus portal.
Steps to create a self-signed certificate
- Run the following command in Windows PowerShell as an administrator:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process
- Navigate to the <Installation Directory>\bin folder and run the Create-selfsignedcertificate.ps1 script as an administrator.
- While running the script, you will be asked to enter a common name for the certificate, the start and end dates (yyyy-MM-dd) of its validity period, and a password to protect its private key.
- Once you enter the values, the script creates a .pfx file (containing both the public and private keys) in the bin folder.
- The .pfx file needs to be uploaded in ADManager Plus, while the .cer file should be uploaded in the Application Overview page of your Microsoft Entra ID application.
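The bundled Create-selfsignedcertificate.ps1 is not reproduced on this page. The following PowerShell is an added example (not the bundled script) that performs the same job with the built-in PKI cmdlets: it prompts for the same three inputs, creates a 2048-bit RSA signing certificate, exports the .pfx for ADManager Plus and the .cer for the Entra ID application, and then removes the exportable private key from the certificate store so that the password-protected .pfx is the only copy. The function name and output folder are my own choices:

```powershell
# Added example (not the bundled Create-selfsignedcertificate.ps1): create a self-signed
# certificate and export the .pfx (ADManager Plus) and .cer (Entra ID application).
# Run in an elevated Windows PowerShell session.
function New-AdmpSelfSignedCertificate {
    param(
        [Parameter(Mandatory)] [string]       $CommonName,
        [Parameter(Mandatory)] [string]       $StartDate,    # yyyy-MM-dd
        [Parameter(Mandatory)] [string]       $EndDate,      # yyyy-MM-dd
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $OutputFolder = (Get-Location).Path
    )
    $culture   = [System.Globalization.CultureInfo]::InvariantCulture
    $notBefore = [datetime]::ParseExact($StartDate, 'yyyy-MM-dd', $culture)
    $notAfter  = [datetime]::ParseExact($EndDate,   'yyyy-MM-dd', $culture)
    if ($notAfter -le $notBefore) { throw 'End date must be after start date.' }

    # 2048-bit RSA signing key with SHA-256; exportable so the .pfx can be produced.
    $cert = New-SelfSignedCertificate `
        -Subject "CN=$CommonName" `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec Signature -KeyExportPolicy Exportable `
        -NotBefore $notBefore -NotAfter $notAfter

    $safeName = $CommonName -replace '[^A-Za-z0-9._-]', '_'
    $pfxPath  = Join-Path $OutputFolder "$safeName.pfx"
    $cerPath  = Join-Path $OutputFolder "$safeName.cer"

    # .pfx = public + private key, protected by the password you later enter in ADManager Plus.
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword | Out-Null
    # .cer = public key only; this is the file uploaded to the Entra ID application.
    Export-Certificate    -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

    # Do not leave an exportable private key behind in the user store.
    Remove-Item -Path ('Cert:\CurrentUser\My\' + $cert.Thumbprint) -DeleteKey

    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Pfx = $pfxPath; Cer = $cerPath }
}

# Prompts mirror the questions the bundled script asks.
$cn     = Read-Host -Prompt 'Common name for the certificate'
$start  = Read-Host -Prompt 'Validity start date (yyyy-MM-dd)'
$end    = Read-Host -Prompt 'Validity end date (yyyy-MM-dd)'
$pfxPwd = Read-Host -Prompt 'Password to protect the private key' -AsSecureString
New-AdmpSelfSignedCertificate -CommonName $cn -StartDate $start -EndDate $end -PfxPassword $pfxPwd
```

Record the thumbprint it prints: after uploading the .cer, the Certificates page of the Entra ID application shows the same thumbprint, which is a quick way to confirm the right file was uploaded.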
Roles and permissions
The roles and permissions (minimum scope) required for a service account configured in ADManager Plus are listed below.
| Module | Role Name | Scope |
| --- | --- | --- |
| Management | User Administrator | Manage users, contacts, and groups. |
| Management | Privileged Authentication Administrator | Reset password, block or unblock administrators. |
| Management | Privileged Role Administrator | Manage role assignments in Azure Active Directory. |
| Management | Exchange Administrator | Update mailbox properties. |
| Management | Teams Administrator | Manage Microsoft Teams. |
| Reporting | Global Reader | Get reports on all Microsoft 365 services. |
| Reporting | Security Reader | Get audit logs and mailbox reports. |
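Since these roles are the minimum scope, it is worth confirming that the service account holds exactly them and nothing more. The following PowerShell is an added example (not ManageEngine code) that reads the account's active directory-role memberships through the Microsoft Graph PowerShell SDK and reports roles missing from, and roles beyond, the table above. It assumes the Microsoft.Graph module is installed and that you can consent to the Directory.Read.All scope; the account name is a constructed placeholder:

```powershell
# Added example (not ManageEngine code): compare a service account's directory roles
# with the minimum roles listed in the table above. Assumes the Microsoft.Graph module.
$expectedRoles = @{
    Management = @('User Administrator', 'Privileged Authentication Administrator',
                   'Privileged Role Administrator', 'Exchange Administrator', 'Teams Administrator')
    Reporting  = @('Global Reader', 'Security Reader')
}

function Compare-ServiceAccountRoles {
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [Parameter(Mandatory)] [string[]] $ExpectedRoles
    )
    # memberOf returns directoryRole objects for the roles currently active on the account.
    $assigned = @(Get-MgUserMemberOf -UserId $UserPrincipalName -All |
        Where-Object  { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] })

    [pscustomobject]@{
        Account  = $UserPrincipalName
        Assigned = $assigned
        Missing  = @($ExpectedRoles | Where-Object { $_ -notin $assigned })       # configuration will fail
        Extra    = @($assigned      | Where-Object { $_ -notin $ExpectedRoles })  # beyond minimum scope
    }
}

Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null
$roles = $expectedRoles.Management + $expectedRoles.Reporting
# Constructed placeholder account name.
Compare-ServiceAccountRoles -UserPrincipalName 'svc-admp@contoso.onmicrosoft.com' -ExpectedRoles $roles
```

A non-empty Extra list means the account carries privileges the product does not need; a non-empty Missing list explains why a management or reporting feature fails after configuration.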
The roles and permissions (minimum scope) required for an Azure AD Application configured in ADManager Plus are listed below.
| Module | API Name | Permission | Scope |
| --- | --- | --- | --- |
| Management | | User Administrator | Manage users, contacts, and groups. |
| Management | | Privileged Authentication Administrator | Reset password, block or unblock administrators. |
| Management | | Privileged Role Administrator | Manage role assignments in Azure Active Directory. |
| Management | | Exchange Administrator | Update mailbox properties. |
| Management | | Teams Administrator | Manage Microsoft Teams. |
| Reporting | | Global Reader | Get reports on all Microsoft 365 services. |
| Reporting | | Security Reader | Get audit logs and mailbox reports. |
ADManager Plus portal
- Open the ADManager Plus portal from this pop-up:
- Enter your Tenant Name. For example, test.onmicrosoft.com
- Paste the Application (client) ID and Object ID, saved earlier in Step 26 of the Steps to create an Entra ID application section, into their respective fields.
- Enter the Application Secret Value that was saved earlier in Step 22 of the Steps to create an Entra ID application section. Upload the Application certificate and provide the Certificate Password.
- Click Add Tenant. The tenant will be added to ADManager Plus. If you wish to modify its details, click the Edit option once the configuration is listed and make the changes.
- Click Update once the necessary modifications are done. The Rest API Access should now be Enabled for the configured account.