Configuration
ReportWORQ can use several Microsoft 365 resources, such as SharePoint, Teams, Email, and Authentication. The settings for all of these services are managed in one place. To enable them, the IT administrator responsible for Microsoft Azure creates an Azure App Registration, and the resulting Client ID, Tenant ID and Secret value are then entered in the ReportWORQ Microsoft 365 section.
Azure App Registration
This step should be performed by the Microsoft Azure IT Administrator.
To use Microsoft 365 Authentication with ReportWORQ you must first perform these steps in Microsoft Azure.
Log into your Azure tenant and create a new App Registration.
Provide a name for the Application and select the appropriate API access.
Most users will choose Accounts in this organizational directory only.
Do not provide a Redirect URI in this step.
Record the Application (client) ID and Directory (tenant) ID from the Overview screen for ReportWORQ configuration.
Choose Certificates & secrets from the left pane.
Create a new client secret with a description and expiry date.
Set a reminder to create a new secret and update ReportWORQ before it expires.
Important: Record the Secret Value (not the Secret ID) for use in the ReportWORQ configuration.
Choose Authentication from the left pane.
Select Add a Platform and select Web.
Note: Selecting any platform other than Web will not work properly.
Select the option to enable Access Tokens.
Enter the following redirect URLs:
http://localhost:8300/signin-oidc
http://localhost:8300/server/v0/get-office365-smtp-token
http://localhost:8300/server/v0/get-office365-sharepoint-token
Redirect URLs
Azure App Registrations limit non-SSL HTTP redirect URLs to localhost. If ReportWORQ is running under HTTPS, you may adjust the server name and port in the redirect URLs, which allows Microsoft 365 Authentication to be performed from a user workstation. Otherwise use localhost, as shown above; the one-time authentication must then be performed from a browser on the machine that ReportWORQ is installed on. The ReportWORQ Administrator will need to remote into the server to perform the authentication so that the localhost redirect URL is valid.
Tasks in this section must be performed by a ReportWORQ Administrator.
To configure Microsoft 365 enabled services in ReportWORQ you must first provide the necessary provider settings and then authenticate with Microsoft 365.
Enter the Tenant Id, Client Id and Secret value.
In the Graph API area, select Authenticate, and then authenticate with Microsoft 365.
In the Outlook API area, select Authenticate, and then authenticate with Microsoft 365.
Common Authentication Errors
Did you see this message?
AADSTS50011: The redirect URI 'http://servername:8300' specified in the request does not match the redirect URIs configured for the application
This error message appears when the user attempts to authenticate and the browser URL doesn't match the redirect URL that the Azure IT Administrator entered into the Azure App Registration. The default non-SSL configuration requires that the browser address appear as http://localhost:8300. If your browser URL appears differently then you may need to remote into the server where ReportWORQ is installed and then perform this authentication step from a browser on that machine using http://localhost:8300.
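The redirect URL rule and the AADSTS50011 mismatch described above can be checked before anyone signs in. This is an added example, not ReportWORQ or Microsoft code; it assumes the redirect URI sent to Azure is the browser's base address plus one of the three callback paths listed on this page, and reports.example.com is a placeholder host name.

```python
from urllib.parse import urlsplit

# Callback paths taken from the redirect URLs listed on this page.
CALLBACK_PATHS = (
    "/signin-oidc",
    "/server/v0/get-office365-smtp-token",
    "/server/v0/get-office365-sharepoint-token",
)


def redirect_uris(base_url):
    """Build the three redirect URIs for a ReportWORQ base URL (assumed layout)."""
    base = base_url.rstrip("/")
    return [base + path for path in CALLBACK_PATHS]


def check_base_url(base_url):
    """Return the reasons this base URL cannot be used, per the rule on this page."""
    parts = urlsplit(base_url)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    elif parts.scheme == "http" and parts.hostname != "localhost":
        problems.append(
            "plain HTTP is only accepted for localhost: "
            "enable HTTPS or authenticate from a browser on the server"
        )
    return problems


def unregistered(browser_base_url, registered):
    """Redirect URIs a browser session would use that are not registered.

    A non-empty result is the situation that produces AADSTS50011.
    Comparison is an exact string match.
    """
    known = set(registered)
    return [uri for uri in redirect_uris(browser_base_url) if uri not in known]


if __name__ == "__main__":
    registered = redirect_uris("http://localhost:8300")  # as entered in Azure
    for base in ("http://localhost:8300", "http://servername:8300",
                 "https://reports.example.com:8300"):  # constructed samples
        print(base, check_base_url(base), unregistered(base, registered))
```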
Limiting Authorization Scopes
By default, ReportWORQ requests all authorization permissions (scopes) required to support its full range of integrations with Microsoft 365 applications. For example, ReportWORQ can be configured to deliver reports via Microsoft Teams or to folders on SharePoint. Your organization may or may not require use of all such integrations.
Some organizational IT policies require access to be strictly limited to required authorizations only. You can view the list of scopes requested by ReportWORQ and limit the list as required.
Graph Scopes to support ReportWORQ are as follows:
Required for ReportWORQ (mandatory):
openid — allows single sign-on (SSO) authentication.
offline_access — allows ReportWORQ to refresh user sign-ons automatically.
https://graph.microsoft.com/User.Read — allows ReportWORQ to access user profile information.
https://graph.microsoft.com/User.ReadBasic.All — allows ReportWORQ to access user profile information.
Required for ReportWORQ to use Microsoft Teams:
https://graph.microsoft.com/Team.ReadBasic.All
https://graph.microsoft.com/Channel.ReadBasic.All
https://graph.microsoft.com/ChannelMessage.Send
https://graph.microsoft.com/Chat.Create
https://graph.microsoft.com/Chat.ReadWrite
https://graph.microsoft.com/Files.ReadWrite.All
Required for ReportWORQ to use Microsoft SharePoint:
https://graph.microsoft.com/Sites.Read.All
https://graph.microsoft.com/Sites.ReadWrite.All
https://graph.microsoft.com/Files.ReadWrite.All
Required for ReportWORQ to use Graph Email for report distribution:
https://graph.microsoft.com/Mail.Send
https://graph.microsoft.com/Mail.Send.Shared
https://graph.microsoft.com/Mail.Read
https://graph.microsoft.com/Mail.ReadWrite
Microsoft 365 scopes required for using legacy Outlook functionality (POP, IMAP, and SMTP Email) are as follows:
openid
offline_access
https://outlook.office.com/IMAP.AccessAsUser.All
https://outlook.office.com/POP.AccessAsUser.All
https://outlook.office.com/SMTP.Send
To limit authorization scopes:
In Administration > Microsoft 365, select the Advanced Options button.
The Advanced Options pane appears, listing authorization scopes in two groups, Graph API and Microsoft 365.
In the list of scopes, delete the ones you do not want enabled. Note which scopes you removed.
Tip: To restore the list to the default (all scopes), select Reset.
Close the Advanced Options pane.
For each group of scopes you edited (Graph API and/or Outlook API), do the following:
Select Sign out.
Select Authenticate, and then sign in.
In Azure App Registration, navigate to Manage > API permissions, and do one of the following for each of the scopes you removed:
If you want to allow ReportWORQ Administrators to add the scope again in the future, select Remove permission.
If you want to prevent ReportWORQ from adding the scope again in the future, select Revoke admin consent.
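To work out which Graph scopes to delete for a given set of integrations, the following added example (not part of ReportWORQ) builds the keep and remove lists from the scope groups on this page. The feature keys teams, sharepoint and graph_email are names chosen here for illustration; the legacy Outlook group is not covered. Note that Files.ReadWrite.All is listed under both Teams and SharePoint, so it can only be removed when neither is in use.

```python
G = "https://graph.microsoft.com/"

# Scope groups copied from the lists on this page.
MANDATORY = ["openid", "offline_access", G + "User.Read", G + "User.ReadBasic.All"]
FEATURE_SCOPES = {
    "teams": [G + s for s in (
        "Team.ReadBasic.All", "Channel.ReadBasic.All", "ChannelMessage.Send",
        "Chat.Create", "Chat.ReadWrite", "Files.ReadWrite.All")],
    "sharepoint": [G + s for s in (
        "Sites.Read.All", "Sites.ReadWrite.All", "Files.ReadWrite.All")],
    "graph_email": [G + s for s in (
        "Mail.Send", "Mail.Send.Shared", "Mail.Read", "Mail.ReadWrite")],
}


def scope_plan(enabled):
    """Return (keep, remove) Graph scope lists for the enabled features.

    A scope shared by several features stays in `keep` as long as any
    feature that needs it is enabled.
    """
    unknown = set(enabled) - set(FEATURE_SCOPES)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")

    keep = list(MANDATORY)
    everything = list(MANDATORY)
    for feature, scopes in FEATURE_SCOPES.items():
        for scope in scopes:
            if scope not in everything:
                everything.append(scope)
            if feature in enabled and scope not in keep:
                keep.append(scope)
    remove = [s for s in everything if s not in keep]
    return keep, remove


if __name__ == "__main__":
    keep, remove = scope_plan({"sharepoint"})  # SharePoint delivery only
    print("Keep in Advanced Options:")
    print("\n".join("  " + s for s in keep))
    print("Delete, then remove or revoke in API permissions:")
    print("\n".join("  " + s for s in remove))
```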
Microsoft 365 Services
This step should be performed by the ReportWORQ Administrator.
With the Azure App Registration created and the ReportWORQ Microsoft 365 configuration applied and authenticated, you can now begin to leverage Microsoft 365 for the following services:
Authentication
Report Providers
Distributors
Data Collection