## Required app registration

To enable Halo to monitor M365 cloud storage, an application must be [registered in Microsoft Entra ID](https://learn.Microsoft.com/en-us/graph/auth-register-app-v2) with the appropriate Microsoft Graph API permissions.

**Note:** you’ll need access to a Microsoft Entra tenant and an account with at least the **Cloud application administrator** role.

You can either follow the steps below to create the app registration manually or use the provided [shell script](/.attachments/create-azure-app-registrations-storage-monitor.sh) to automate the process.

### Register the application

1. Sign in to the [Microsoft Entra Admin Center](https://entra.Microsoft.com/).
2. If needed, switch to the desired tenant via **Settings > Directories + subscriptions**.
3. Navigate to **Identity > Applications > App registrations** and click **New registration**.
4. Enter a **Name** for the application.
5. Under **Supported account types**, click **Accounts in this organizational directory only**.
6. Leave the **Redirect URI** blank.
7. Click **Register**.

After registration, make note of the following from the **Overview** pane:

- **Application (client) ID**
- **Directory (tenant) ID**

These values are required during Halo setup.

### Generate a client secret

1. Navigate to **Certificates & secrets** > **Client secrets**.
2. Click **New client secret**.
3. Provide a description and select an expiration period (or specify a custom lifetime).
4. Click **Add**.
5. **Copy and save the client secret value immediately.** You won’t be able to view it again after leaving the page.

**Note:** client secrets expire after 24 months or less. Once a secret has expired, repeat the steps above to generate a new one.

### Configure API permissions

1. In the app's **API permissions** pane, click **Add a permission**.
2. Click **Microsoft Graph** > **Application permissions**.
3. Grant the following permissions:

   - For SharePoint:
     - `Files.ReadWrite.All`  
     - `Sites.Read.All`  
   - For OneDrive:
     - `Files.ReadWrite.All`  
     - `User.ReadBasic.All`
   - For Outlook:
     - `User.ReadBasic.All`
     - `Mail.ReadWrite`

4. Click **Add permissions**.
5. If permissions show as **Not granted**, click **Grant admin consent**.
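
To confirm that admin consent took effect and that the app holds nothing beyond the permissions listed above, you can inspect the `roles` claim of an access token issued to the app through the client credentials flow, which is where Microsoft Graph application permissions appear. The following is an added example, not part of Halo or its setup script: the `audit` and `constructed_token` helpers and the sample token are constructed for illustration, and the token is decoded for inspection only, without signature validation.

```python
import base64
import json

# Graph application permissions per monitored service, as listed in the steps above.
REQUIRED = {
    "sharepoint": {"Files.ReadWrite.All", "Sites.Read.All"},
    "onedrive": {"Files.ReadWrite.All", "User.ReadBasic.All"},
    "outlook": {"User.ReadBasic.All", "Mail.ReadWrite"},
}


def token_roles(access_token):
    """Return the app roles in a JWT access token's payload (decoded, not verified)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))  # claim is absent when nothing is consented


def audit(access_token, services):
    """Compare the roles in the token with what the chosen services need."""
    unknown = set(services) - set(REQUIRED)
    if unknown:
        raise ValueError(f"unknown service(s): {sorted(unknown)}")
    needed = set().union(*(REQUIRED[s] for s in services))
    granted = token_roles(access_token)
    return {
        "missing": sorted(needed - granted),  # not added, or admin consent not granted
        "excess": sorted(granted - needed),   # broader than storage monitoring requires
    }


def constructed_token(roles):
    """Build an unsigned sample token so the check runs offline (constructed data)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"roles": roles}), "sig"])


if __name__ == "__main__":
    # Constructed sample: one required permission missing, one unrelated permission present.
    sample = constructed_token(["Files.ReadWrite.All", "Sites.Read.All", "Directory.Read.All"])
    print(audit(sample, ["sharepoint", "onedrive"]))
```

Entries under `missing` point to a permission that was not added or not consented; entries under `excess` are candidates for removal from the app registration.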

### Additional permissions for Outlook email banner (optional)

If you plan to use the [Outlook email disclaimer banner](/halo/storage-monitoring-outlook#email-disclaimer-banner), the app registration also requires Exchange Online permissions:

1. In the app's **API permissions** pane, click **Add a permission**.
2. Click **APIs my organization uses** and search for **Office 365 Exchange Online**.
3. Click **Application permissions**.
4. Grant the following permission:
   - `Exchange.ManageAsApp`
5. Click **Add permissions** and **Grant admin consent**.
6. Navigate to **Microsoft Entra ID** > **Roles and administrators**, find the **Exchange Administrator** role, and assign it to your app registration.

For full certificate setup instructions, see [Setup Exchange Online for the Outlook banner](/halo/storage-monitoring-banner-setup-exchange-online).

Once these steps are complete, you can proceed with deploying Glasswall Halo with storage monitoring enabled.