Version: 2.18.0

Registering with Microsoft Entra ID

Required app registration

To enable Halo to monitor M365 cloud storage, an application must be registered in Microsoft Entra ID with the appropriate Microsoft Graph API permissions.

Note: you’ll need access to a Microsoft Entra tenant and an account with at least the Cloud Application Administrator role.

You can either follow the steps below to create the app registration manually or use the provided shell script to automate the process.

Register the application

  1. Sign in to the Microsoft Entra Admin Center.
  2. If needed, switch to the desired tenant via Settings > Directories + subscriptions.
  3. Navigate to Identity > Applications > App registrations and click New registration.
  4. Enter a Name for the application.
  5. Under Supported account types, click Accounts in this organizational directory only.
  6. Leave the Redirect URI blank.
  7. Click Register.

After registration, make note of the following from the Overview pane:

  • Application (client) ID
  • Directory (tenant) ID

These values are required during Halo setup.

Generate a client secret

  1. Navigate to Certificates & secrets > Client secrets.
  2. Click New client secret.
  3. Provide a description and select an expiration period (or specify a custom lifetime).
  4. Click Add.
  5. Copy and save the client secret value immediately. You won’t be able to view it again after leaving the page.

Note: client secrets expire after 24 months or less. If expired, repeat the steps above to generate a new one.

Configure API permissions

  1. In the app's API permissions pane, click Add a permission.

  2. Click Microsoft Graph > Application permissions.

  3. Grant the following permissions:

    • For SharePoint:
      • Files.ReadWrite.All
      • Sites.Read.All
    • For OneDrive:
      • Files.ReadWrite.All
      • User.ReadBasic.All
    • For Outlook:
      • User.ReadBasic.All
      • Mail.ReadWrite
  4. Click Add permissions.

  5. If permissions show as Not granted, click Grant admin consent.
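One way to confirm the outcome of the steps above, as an added example (not Glasswall's or Microsoft's code): an app-only Microsoft Graph access token carries its consented application permissions in the `roles` claim, so comparing that claim with the list above shows permissions still awaiting admin consent and any granted beyond what the selected services need. The function names and the unsigned sample token are constructed for illustration; `Exchange.ManageAsApp` is issued for a different resource and is not covered here.

```python
import base64
import json

# Microsoft Graph application permissions listed on this page, per service.
REQUIRED = {
    "sharepoint": {"Files.ReadWrite.All", "Sites.Read.All"},
    "onedrive": {"Files.ReadWrite.All", "User.ReadBasic.All"},
    "outlook": {"User.ReadBasic.All", "Mail.ReadWrite"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token: str, services: list[str]) -> dict:
    """Compare the token's 'roles' claim with what the chosen services need."""
    needed = set().union(*(REQUIRED[s.lower()] for s in services))
    granted = set(decode_claims(token).get("roles", []))
    return {"missing": sorted(needed - granted),
            "unexpected": sorted(granted - needed)}


def make_sample_token(roles: list[str]) -> str:
    """Constructed, unsigned sample token so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(
        {"aud": "https://graph.microsoft.com", "roles": roles}).encode())
    return f"{header}.{body}.constructed-signature"


if __name__ == "__main__":
    # Constructed case: one required permission not consented, one extra granted.
    sample = make_sample_token(
        ["Files.ReadWrite.All", "Sites.Read.All", "Directory.Read.All"])
    print(audit_roles(sample, ["SharePoint", "OneDrive"]))
```

An empty `missing` list means every permission for the selected services is consented; anything under `unexpected` is a candidate for removal from the app registration.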

Additional permissions for Outlook email banner (optional)

If you plan to use the Outlook email disclaimer banner, the app registration also requires Exchange Online permissions:

  1. In the app's API permissions pane, click Add a permission.
  2. Click APIs my organization uses and search for Office 365 Exchange Online.
  3. Click Application permissions.
  4. Grant the following permission:
    • Exchange.ManageAsApp
  5. Click Add permissions and Grant admin consent.
  6. Navigate to Microsoft Entra ID > Roles and administrators, find the Exchange Administrator role, and assign it to your app registration.

For full certificate setup instructions, see Setup Exchange Online for the Outlook banner.

Once these steps are complete, you can proceed with deploying Glasswall Halo with storage monitoring enabled.