Introduction

The add-in utilizes Microsoft Graph to provide some of its functionality. Specifically, the add-in requests access to reading your users mailbox, to provide functionality regarding client verification and retrieving transfers.

Registering an app in the Azure Entra Platform

1. Sign in to the Microsoft Entra Admin Center as an account that is a Cloud Application Administrator or greater.
2. If you have access to multiple tenants/directories, ensure you've selected the tenant that you wish to use Cryptshare for OWA with by clicking on the Settings cogwheel at the top.
   
   
3. Using the sidebar, navigate to Identity -> Applications -> App registrations.
   
4. Create a new registration by clicking on "New registration".
   
5. Register your app with the following parameters:
   
   • The application name may be chosen freely.
   • You may choose the supported account types according to your requirements. Depending on your selection, you will need additional information found after you've finalized the app registration in order to finalize the set-up on the Cryptshare Server.
   • You must add a redirect URI, configured as a "Single-Page Application (SPA)". The redirect URI must exactly match the one that is displayed on the Add-on products -> Cryptshare for OWA configuration page of your Cryptshare Server.
     
6. Once you've created the application, copy/store the "Application (client) ID".
   
   To enable the use of MS Graph, the add-in requires two permissions: User.Read and Mail.ReadWrite. There are two ways to grant these permissions:

   * Add-In users can confirm these permissions via a dialog when launching the add-in. In this case, no further configuration is required in Azure Entra and you can proceed with the configuration on the Cryptshare server.

• The required permissions can be granted by the administrator for all users. In this case, the dialog for granting permissions will no longer appear for users. The following steps describe how the administrator can grant permissions.

1. In the sidebar of the registered application, select "API permissions."
2. Use the 'Add a permission' button to add the delegated permissions User.Read and Mail.ReadWrite under the Microsoft Graph section, so that both appear in the list.
3. Navigate to the "Enterprise Applications" section, select your application from the list and then the "Permissions" section.
4. Use the "Grant admin consent for Pointsharp GmbH" button and confirm the requested permissions in the dialog that appears. This will grant the required permissions to the add-in for all users within your tenant.
5. Continue with configuring the newly registered app in your Cryptshare Server.

Configuring the registered app in the Cryptshare Server

OWA Add-ins use the Microsoft Entra application information that is configured within the associated Cryptshare Server.

To get started, open the Add-on products -> Cryptshare for OWA configuration page in the admin interface.

In the Application (client) ID field, enter the application ID you have retrieved from the Entra portal after registering your application.

The authority setting depends on the supported account types you have selected when registering your application on Microsoft Entra.

• If you've chosen "Accounts in this organizational directory only (Single tenant)", choose "Bound to tenant" and enter your tenant ID. You can find your tenant ID on the Overview screen of the Microsoft Entra Identity Portal.
  
• If you've chosen "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)", select "Custom" and enter https://login.microsoftonline.com/organizations/
• If you've chosen "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)", select "https://login.microsoftonline.com/common"
• If you've chosen "Personal Microsoft accounts only", select "Custom" and enter https://login.microsoftonline.com/consumers/

Make sure that you save your changes by using the Save Changes button below before exiting the webinterface.