Secure Token Connection
If the customer purchased a Hosted Essentials Plus or Hosted Pro license, they must grant consent to the Service Provider or Channel administrator for accessing their M365 platform. The consent is secured using Token authentication between the User Management Pack 365 SP Edition and the customer M365 tenant. The Token connection is initially established through a Token wizard using the credentials of the customer Azure account. Once the Token connection is securely established, the account credentials can be used to create the new customer and then, in Day Two, for synchronizing the User Management Pack 365 SP Edition database with their M365 platform, for example, configuring M365 Voice Routing templates or retrieving a list of new employees added to the customer Active Directory. The Token Invitation wizard is used for establishing the Token connection with the customer M365 platform. This wizard is run at the beginning of the Onboarding process. It can be triggered using the following methods:
■ The customer provides their M365 Azure account credentials to the Service Provider.
■ The Service Provider sends an email link directly to the customer M365 Azure account.
The Token connection can be secured using either a customer-defined M365 Azure Service account or the M365 Azure Global admin account:
■ Service account: Using this method, the following Microsoft Graph API permissions must be consented by the customer:
    ● openid: Access directory as the signed in user.
    ● profile: Read all users' full profiles.
  See Secure Token Connection using Service Account.
■ Global account: Using this method, the following Microsoft Graph API permissions must be consented by the customer:
    ● Group.ReadWrite.All: Read and write all groups.
    ● Directory.AccessAsUser.All: Access directory as the signed in user.
    ● User.Read.All: Read all users' full profiles.
    ● AppCatalog.ReadWrite.All: Read and write to all app catalogs.
    ● profile: View users' basic profile.
    ● offline_access: Maintain access to data that you have given it access to.
  In addition, the customer must consent to the following Skype and Teams Tenant Admin API permission:
    ● user_impersonation: Access Microsoft Teams and Skype for Business Data as the signed in user.
  See Secure Token Connection using Global admin.
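The two permission sets above are what the customer is asked to consent to; before accepting a Token connection, an administrator can confirm that the scopes actually granted match the documented set for the chosen method and nothing more. The following is an added illustration, not code from the User Management Pack 365 product: it reads the `scp` claim of an access token and reports missing or excess permissions. It assumes the consented scopes appear by the names listed on this page in the `scp` claim, and it does not verify the token signature (the sample token is constructed and unsigned).

```python
import base64
import json

# Delegated permissions listed on this page for each Token connection method.
SERVICE_ACCOUNT_SCOPES = {"openid", "profile"}
GLOBAL_ADMIN_GRAPH_SCOPES = {
    "Group.ReadWrite.All", "Directory.AccessAsUser.All", "User.Read.All",
    "AppCatalog.ReadWrite.All", "profile", "offline_access",
}
REQUIRED = {"service": SERVICE_ACCOUNT_SCOPES, "global": GLOBAL_ADMIN_GRAPH_SCOPES}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(access_token: str) -> set[str]:
    """Return the delegated scopes from the 'scp' claim of a compact JWT.
    Assumption: scopes are space-separated in 'scp'. The signature is NOT
    verified here; this only inspects claim content for a consent review."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("scp", "").split())


def check_consent(access_token: str, method: str) -> dict:
    """Compare granted scopes with the documented set for 'service' or 'global'."""
    granted = token_scopes(access_token)
    required = REQUIRED[method]
    return {
        "missing": sorted(required - granted),  # consent incomplete: Day Two sync will fail
        "excess": sorted(granted - required),   # over-privileged grant: review before accepting
        "ok": granted == required,
    }


def make_sample_token(scopes: list[str]) -> str:
    """Build an UNSIGNED sample token (constructed test data, not a real Azure AD token)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": "https://graph.microsoft.com", "scp": " ".join(scopes)})
    return f"{header}.{payload}."  # empty signature segment


if __name__ == "__main__":
    # Service-account consent that also carries User.Read.All: flagged as excess.
    print(check_consent(make_sample_token(["openid", "profile", "User.Read.All"]), "service"))
```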