Important: These steps require you to create an Azure app registration in your tenant. If you are willing to use the SWOOP multi-tenant app, the process can be simplified by following the steps found here.
On-premise extension attributes: After following these instructions these attributes will not be displayed on the user interface. If you require these attributes please raise a support ticket letting us know which attribute you want and what it should be called.
Administrators can add user attribute data (e.g. department, city, etc.) automatically by connecting the SWOOP miner to Azure Active Directory.
This configuration also allows group membership synchronisation using Microsoft Graph instead of the Viva Engage API. This is essential for large organisations due to the size and number of groups in such organisations.
These steps need to be carried out by the O365 Administrator.
Using the SWOOP multi-tenant app (easiest)
Instructions can be found here.
Step-by-step guide (own tenant)
Note: If you need help please raise a support ticket.
From the main Azure dashboard (https://portal.azure.com):
- Click on the 'Azure Active Directory' link on the main menu
- Click on 'App registrations'
- Click on '+ New application registration' (at the top).
- Fill in the form, entering your miner URL for the 'Sign-on URL' (e.g. https://miner-[yoursite].swoopanalytics.com), and click on 'Register' (at the bottom of the page).
- On the new page you will see the 'Application (client) ID'. You will need this below.
- Click on 'API Permissions' under the 'Manage' heading on the next screen.
Note: Do not delete the existing User.Read permission, which is added by default.
- Click '+ Add a permission'.
- Click 'Microsoft Graph' (the large box at the top).
- Click 'Application Permissions'.
- Find 'User' at the bottom then add permission 'User.Read.All' and click 'Add permissions'.
- *Find 'Group' at the bottom then add permission 'Group.Read.All'
- *Find 'GroupMember' at the bottom then add permission 'GroupMember.Read.All'
- Click on 'Grant admin consent for (directory name)'.
- Click on 'Certificates and Secrets' and add a new client secret (you will need this below).
Note: You need the 'Value' (not the Secret ID).
- Once the application is created, go to the manifest on the left hand side and find the "publisherDomain" and record this for use below.
Your 'API Permissions' should now look like this:
SWOOP Miner Setup
In the SWOOP data miner do the following:
- 'Graph API' should be selected next to 'Azure Active Directory Integration'
- Copy the 'Application ID' and key value from Azure to the 'Client ID' and 'Client Secret' on the miner.
- Copy the publisherDomain value from Azure (see step 13 above) to the 'Domain' on the miner.
- Press 'Save Changes/Login'.
Your miner page should look something like this if the operation is successful:
Now select the fields that you would like to share with SWOOP.
You should also tick the 'Group Membership' box unless your Viva Engage subscription has not been migrated to Native mode.
How it works
The SWOOP data miner retrieves data from Azure AD and combines it with the sanitised data from Viva Engage. The email field is hashed and is therefore not passed to the SWOOP Analytics Engine.
Permissions
The application requires the following Microsoft Graph permissions:
| Permission | Type | Description |
| --- | --- | --- |
| Group.Read.All | Application | Read all groups |
| GroupMember.Read.All | Application | Read all group memberships |
| User.Read | Delegated | Sign in and read the user profile |
| User.Read.All | Application | Read all users' full profiles |
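
To confirm the registration carries exactly these application permissions and nothing broader, the following added example (written for this article, not SWOOP's or Microsoft's code) compares the `roles` claim of an app-only access token with the three Application entries in the table. It assumes you requested the token yourself with the client-credentials flow; the sample tokens and the `make_sample_token` helper are constructed for the demo, and the delegated User.Read permission does not appear in `roles`.

```python
import base64
import json

# Application permissions listed in the table above (the page's own values).
EXPECTED_ROLES = {"Group.Read.All", "GroupMember.Read.All", "User.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Good enough for inspecting a token you just requested yourself;
    never use unverified claims for an authorization decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def audit_roles(jwt: str, expected=EXPECTED_ROLES) -> dict:
    """Compare the app-only token's 'roles' claim with the expected set."""
    claims = token_claims(jwt)
    granted = set(claims.get("roles", []))  # absent when consent was not granted
    return {
        "app_id": claims.get("appid") or claims.get("azp"),
        "missing": sorted(expected - granted),
        "excess": sorted(granted - expected),
        "ok": granted == expected,
    }


def make_sample_token(roles) -> str:
    """Build an unsigned, constructed token for the demo (not a real one)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"appid": "00000000-0000-0000-0000-000000000000", "roles": list(roles)}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "constructed"])


if __name__ == "__main__":
    print(audit_roles(make_sample_token(EXPECTED_ROLES)))
    print(audit_roles(make_sample_token(["User.Read.All", "Directory.ReadWrite.All"])))
```

An empty `missing` list with a non-empty `excess` list means the registration has been granted more than the miner needs and should be trimmed back to the table above.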