Before you begin
Ultra Admin sessions are different from either a Basic User or Advanced User session in that it does not require that a 'user' signs in. Also, while those other session types use an Azure Active Directory registration created by Ytria, to enable an Ultra Admin session you must register your own application in your own tenant, selecting the Microsoft Graph permission scopes.
Control and liability
There is no "user" signed in during an Ultra Admin session, so there are real-life security implications that you should be aware of when setting up your application permissions.
You are registering the application yourself. So you can define the application permissions as you see fit. If you choose, you can register multiple applications, all with different permission profiles.
Any applications you register will be unusable until an administrator has consented to all assigned permission scopes for the application. The permission scopes shown in this document represent the maximum access potential. You can decide for yourself any limits you'd like to place on your Ultra Admin sessions. You can modify the permission scopes for the application even after admin consent has been given. Feel free to experiment.
Even after admin consent has been given for the application. sapio365 will require both the application ID and the password.
We highly recommend that you protect all application IDs and passwords so that only eligible users can use Ultra Admin sessions.
Registering your application at the v2 Azure Active Directory Endpoint
Create your application
Step 3 Click "Add an app."
Step 4 Enter your preferred app name.
Step 5 If needed, familiarize yourself with the "Microsoft Platform Policies" before proceeding.
Step 6 Click "Create."
You will now begin the process of creating your application registration
Generate your application password and prepare to add permissions
Step 1 To work with an Ultra Admin session in sapio365, you'll need a key pair for proper authentication. The app ID will identify the application and the password provided (see Step 9) will authenticate the application.
Step 2 Click "Generate New Password."
Step 3 The password for your application will appear in a dialog.
IMPORTANT: This is the only time you will see your password! sapio365 will not let you retrieve it. Take note of it now and keep it safe.
Step 4 Click "OK."
Step 5 Click "Add Platform"
Step 6 Choose "Web."
Step 7 Clear the checkbox for "Allow Implicit Flow" as it is not used by sapio365. See this article to learn more about Implicit Flow.
Step 8 In the "Redirect URLs" field, enter the following address: http://localhost:33367/AdminConsent
Once these steps are completed, you are now ready to add the permissions for your application.
Suggested application permissions
You have full flexibility to add whichever permissions you choose. The following list of permission scopes is simply a suggestion.
To learn more about these permission scopes, see the Active Directory v.2 Permission Scope Reference Guide.
For a complete Ultra Admin session experience, the following twelve permission scopes should be assigned:
Calendars.ReadWrite This permission scope allows sapio365 to see, edit and have full control of calendar entries across your Office365 tenant. As the rest of application permissions, does not require a signed-in user, but does need an admin to consent.
Contacts.ReadWrite This is the highest contact permission: it allows sapio365 to access and edit (even delete) all contacts across the Office365 tenant.
Directory.ReadWrite.All This permission ensures that sapio365 can use the ‘memberof’ method on users – to discover groups they belong to, among other rights across your tenant’s Azure Active Directory.
Files.ReadWrite.All This permission will allow sapio365 to see and have full control of all files in your Office365 tenant. Requires admin consent.
Group.ReadWrite.All This is the highest group related permission scope which will allow sapio365 to list, view and edit all group properties – without a signed in user present. As with all other permissions, this scope requires admin consent.
Mail.ReadWrite With this permission scope, sapio365 will have access to all mailboxes in your tenant. This is the equivalent of a global admin using ‘Delegated Administrator mode’ while having been added to all user mailboxes.
MailboxSettings.ReadWrite This allows sapio365 to load and let the user change mailbox settings across all mailboxes.
Member.ReadHidden This permission scope allows sapio365 to see group members where memberships have been hidden.
People.Read.All With this permission, sapio365 will be able to read users’ scored relevant people lists.
Reports.Read.AllThis permission will allow sapio365 to access Office365 reports through the Microsoft Graph API.
Sites.FullControl.All With this permission scope, sapio365 gains full access to your tenant’s SharePoint data.
User.ReadWrite.All This is the highest user permission which will allow sapio365 to list, view and edit all user properties – without a signed in user present. As with all other permissions, this scope requires admin consent.
Add your application permissions
Step 1 Remove the delegated permission "User.Read,"
Step 2 Under Application Permissions, click "Add".
Step 3 Once you have finished assigning permissions, click "OK."
Step 4 Beneath the Application Permissions section, you'll see the permissions currently assigned. You may change these later.
Step 5 The options found under the sections Profile and Advanced Options are optional.
Step 6 Click "Save" to finish the process of creating your application ID and assigning application permissions.
NEXT You can now use the information you have received in this process—application ID and password—to activate your Ultra Admin session.