The original design (back when SWOOP was based around a Yammer app) was to go through the Yammer login and then keep a token in the miner. This old method is deprecated and will eventually be unsupported.
As Microsoft has progressed from Yammer to Viva Engage, login has become increasingly integrated with Azure (Microsoft 365). This article describes how to migrate.
Easy Method - Use SWOOP Multi-Tenant App
SWOOP has already set up its own multi-tenant app, which is usable on request. Contact the support desk and request migration to the multi-tenant app. You will need an Azure Administrator to go through the first miner login and consent process; after that, no additional configuration is required.
For customers using the easy method, the information below is of general interest only and may help you understand what happens inside Azure. Please skip down to the "First Login" section at the bottom of this article.
Difficult Method - Customer Registers Single-Tenant App
These steps are for anyone who wants more fine-grained control, keeping the app registration restricted to a single tenant. It is more complicated and requires the customer to provide both the App ID and the Client Secret to SWOOP support. If client secrets are set to expire (based on internal security policy), a scheduled update will be required each time they expire.
This screen shot shows an example application registration.
The standard Web redirect URI for all SWOOP applications is https://oauth.swoopanalytics.com, which is shown below. NOTE: this is NOT a "Single-Page" application; it is a standard web server app.
This app is registered as a Single Tenant app. Implicit grants are not used.
You will need to generate a client secret and keep a copy of this. Note that depending on local security policies, that secret will need to be updated when it expires.
These are the app permissions. NOTE: the Yammer permission is what allows the app to access Yammer when a user logs in; it is a "delegated" permission, so it always needs a user account in order to operate. The "offline_access" permission is what allows the token to be refreshed for up to 90 days. This is how the data miner collects metadata.
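As an added example (not SWOOP's own code), the following shows what the three requests of the authorization code flow look like for the single-tenant registration described above: the redirect URI, the use of a code (not implicit) response type and the offline_access scope are the settings just described, while the Yammer scope name, the endpoint constants and the function names are assumptions made here.

```python
from urllib.parse import urlencode, urlparse, parse_qs

REDIRECT_URI = "https://oauth.swoopanalytics.com"  # redirect URI from the article
# Delegated scopes: the Yammer permission (scope name assumed here) plus
# offline_access, which is what makes Azure issue a refresh token so the
# miner can keep running without an interactive user.
SCOPES = ["https://api.yammer.com/user_impersonation", "offline_access"]
AUTHORITY = "https://login.microsoftonline.com"

def authorize_url(tenant_id: str, client_id: str, state: str) -> str:
    """Step 1: single-tenant authorize URL (tenant ID in the path, not 'common')."""
    params = {
        "client_id": client_id,
        "response_type": "code",  # authorization code; never 'token' (implicit grant)
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,  # random value bound to the user's browser session
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"

def parse_callback(url: str, expected_state: str) -> str:
    """Step 2: pull the code out of the redirect back to REDIRECT_URI."""
    q = parse_qs(urlparse(url).query)
    if "error" in q:  # e.g. consent declined by the admin
        raise RuntimeError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: callback does not match our request")
    return q["code"][0]

def token_request(tenant_id, client_id, client_secret, *, code=None, refresh_token=None):
    """Step 3: URL and form body for the token POST (the secret stays server-side)."""
    body = {"client_id": client_id, "client_secret": client_secret,
            "scope": " ".join(SCOPES)}
    if code is not None:
        body.update(grant_type="authorization_code", code=code,
                    redirect_uri=REDIRECT_URI)
    else:  # later, unattended: trade the refresh token for a fresh access token
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", body
```

The state check in step 2 is what ties the returned code to the login the miner actually started; a callback with a mismatched state should be discarded rather than exchanged.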
Optional Extra Permissions
See the reference at the bottom of this page about "Native Mode", and also this support article: https://support.swoopanalytics.com/hc/en-us/articles/4414996084877-Extending-Azure-Active-Directory-to-Synchronise-Group-Community-Members-Viva-Engage-
It might be useful to combine everything into a single app by adding the permissions that allow very large community memberships to be mined over the Microsoft Graph API. This step is not compulsory and can be added later.
Information Required by SWOOP Support
- Tenant ID for the customer tenant (will be used in the login URL).
- Application ID from the "Overview" blade in Azure Active Directory.
- Client Secret to match this application.
First Login to Miner
This is the login button on the data miner web page.
It will redirect to a consent screen. NOTE: the checkbox "Consent on behalf of your organization" has been ticked, which requires an admin.
The name of the app will show up on the consent form.
After the login is complete, set the account in the miner and it will keep running data mining in the background.
The same app will work for the Analytics Engine, using the same Application ID and Client Secret.
Permissions visible after login is complete.
Customers using a private Single-Tenant app can check for the green checkmark indicator which shows that this process is complete.
References
Microsoft quick-start application registration.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Microsoft OAuth2 login for standard (server-side) web applications.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Microsoft "Native Mode" concepts and migration of Yammer sites.
https://learn.microsoft.com/en-us/yammer/configure-your-yammer-network/overview-native-mode