Microsoft 365 Integration Setup

Installation steps for the Microsoft Integration. This integration enables Single Sign-On (SSO), plus the syncing of users and their MFA status into Apollo Secure.

Written by Mark Gabriel

Step 1: Add an App Registration to Entra ID within Azure

First, we must register the Apollo Secure Application within your Microsoft 365 environment to allow access to APIs that share information about your users.

  1. Navigate to Entra ID within Azure

  2. On the left menu select App Registrations.

  3. Click + New registration and fill in the following:

    1. Add the Name “Apollo Secure”

    2. Under Supported account types, select “Accounts in this organisational directory only (Default Directory only - Single tenant)”

    3. Under Redirect URI, select “Web” and enter: https://app.apollosecure.com/oauth2callback/microsoft

  4. Press the Register button.

  5. Copy the Application (client) ID and paste it into the field within Apollo’s Integration Setup dialogue (see Step 4 below).

  6. Copy the Directory (tenant) ID and paste it into the field within Apollo’s Integration Setup dialogue (see Step 4 below).

Step 2: Creating a secret for app authentication

  1. On the left menu, select Certificates & secrets.

  2. Under the Client secrets tab, click + New client secret

    1. Set the expiry to the maximum duration (at least 365 days, or 12 months). Once this expires, you will have to regenerate the secret and reinstall the integration in Apollo Secure (Step 4).

  3. Press the Add button to complete.

  4. Copy the Client secret value and paste it into the field within Apollo’s Integration Setup dialogue (see Step 4 below).

Step 3: Setting up API permissions

Add the permissions Apollo requires, depending on whether you want to sync your users into Apollo, verify whether they have MFA enabled in Microsoft, or both:

User Sync

  • User.Read.All

  • GroupMember.Read.All

MFA Verification

  • Reports.Read.All

  • AuditLog.Read.All

  1. On the left menu, select API permissions.

  2. Click + Add permission

  3. Select the large Microsoft Graph button from the top right corner of the screen

  4. Then choose Delegated permissions

  5. Search for the first permission User.Read.All and tick the checkbox.

  6. Then repeat the process for the other permissions before pressing the Add permissions button to complete.

Step 4: Check and Complete Integration

  1. Back in the Apollo Secure application, check in Settings > Integrations > Microsoft 365 to confirm you have pasted the 3 values correctly before continuing to log in.

  2. The final step is to sign in and consent to the Apollo App to use the permissions that you have just set up.

Step 5: Limit User Access by Group

If you don't want all of your users logging in to Apollo, you can limit which users get synced into Apollo with SSO enabled by using groups in Microsoft 365.

You can use an existing group in Microsoft 365 or create a new group in Entra.

  1. Navigate to Entra ID within Azure

  2. Select Groups from the left menu

    1. Click on the group you want to sync, or

    2. Create a new group and add the desired users

  3. Copy the Object ID

  4. Paste this value into the Group ID field on the Integration Setup screen in Apollo
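
To check the outcome of Steps 1 to 3 after setup, the following added example (not Apollo Secure's or Microsoft's code) audits a Microsoft Graph application object and its oauth2PermissionGrant objects, exported as JSON, against the values on this page. The function names, the sample data and the set of sign-in scopes treated as benign are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Scope names and the redirect URI come from Steps 1 and 3 of this page.
REQUIRED = {"user_sync": {"User.Read.All", "GroupMember.Read.All"},
            "mfa": {"Reports.Read.All", "AuditLog.Read.All"}}
REDIRECT_URI = "https://app.apollosecure.com/oauth2callback/microsoft"
# Assumption: sign-in scopes an SSO flow typically requests are not flagged as extra.
SIGN_IN = {"openid", "profile", "email", "offline_access", "User.Read"}

def parse_utc(stamp):
    # Graph timestamps are UTC; drop fractional seconds and the trailing "Z".
    return datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit(app, grants, features, now, warn_days=30):
    """Check a Graph `application` object and its `oauth2PermissionGrant`
    objects against this page's setup; return a list of findings."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":      # single tenant (Step 1)
        findings.append("audience: not single tenant")
    if app.get("web", {}).get("redirectUris", []) != [REDIRECT_URI]:
        findings.append("redirect: unexpected redirect URI list")
    wanted = set().union(*(REQUIRED[f] for f in features))
    granted = {s for g in grants for s in (g.get("scope") or "").split()}
    findings += [f"missing: {s}" for s in sorted(wanted - granted)]
    findings += [f"extra: {s}" for s in sorted(granted - wanted - SIGN_IN)]
    ends = [parse_utc(c["endDateTime"]) for c in app.get("passwordCredentials", [])]
    if not ends:
        findings.append("secret: none configured")
    elif max(ends) - now < timedelta(days=warn_days):
        findings.append(f"secret: newest secret expired or expires within {warn_days} days")
    return findings

# Constructed sample data (not from a real tenant).
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": [REDIRECT_URI]},
    "passwordCredentials": [{"endDateTime": "2025-01-20T00:00:00Z"}],
}
SAMPLE_GRANTS = [{"consentType": "AllPrincipals",
                  "scope": "User.Read.All GroupMember.Read.All Reports.Read.All Mail.Read openid"}]

if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for line in audit(SAMPLE_APP, SAMPLE_GRANTS, ["user_sync", "mfa"], now):
        print(line)
```

Pass only the features you enabled in Step 3 (user_sync, mfa, or both) so that permissions for a feature you did not choose are reported as extra.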
