Registering with Microsoft Entra ID

Prev Next

Required App Registration

To enable Halo to monitor M365 cloud storage, an application must be registered in Microsoft Entra ID with the appropriate Microsoft Graph API permissions.

Note: Youโ€™ll need access to a Microsoft Entra tenant and an account with at least the Cloud Application Administrator role.

You can either follow the steps below to manually create the app registration or use the provided shell script attached to this page, to automate the process.
Before running the script, verify its integrity using the SHA-256 checksum:

sha256 create-azure-app-registrations-storage-monitor.sh

The output must match: bf6196a700195d996a06f2b11caffcb71923b5547dd0f8026f25c7567c5cfa2e.

Register the Application

  1. Sign in to the Microsoft Entra admin center.
  2. If needed, switch to the desired tenant via Settings > Directories + subscriptions.
  3. Go to Identity > Applications > App registrations and select New registration.
  4. Enter a Name for the application.
  5. Under Supported account types, select Accounts in this organizational directory only.
  6. Leave the Redirect URI blank.
  7. Click Register.

After registration, make note of the following from the Overview pane:

  • Application (client) ID
  • Directory (tenant) ID

These values are required during Halo setup.

Generate a Client Secret

  1. Navigate to Certificates & secrets > Client secrets.
  2. Select New client secret.
  3. Provide a description and choose an expiration period (or specify a custom lifetime).
  4. Click Add.
  5. Copy and save the client secret value immediately. You wonโ€™t be able to view it again after leaving the page.

Note: Client secrets expire after 24 months or less. If expired, repeat the steps above to generate a new one.

Configure API Permissions

  1. In the app's API permissions pane, select Add a permission.

  2. Choose Microsoft Graph > Application permissions.

  3. Grant the following permissions:

    • Files.ReadWrite.All
    • For SharePoint:
      • Sites.Read.All
    • For OneDrive:
      • User.ReadBasic.All

  4. Click Add permissions.

  5. If permissions show as Not granted, select Grant admin consent.

Once these steps are complete, you can proceed with deploying Glasswall Halo with Storage Monitoring enabled.