Here are answers to some of the most popular questions about sapio365

What would you like to know? 

Ask us your own question

Here are some answers to frequently asked questions about sapio365Here are some answers to frequently asked questions about sapio365

sapio365 FAQs

General questions about sapio365

Why is sapio365 a desktop application?

Although web-based portals and interfaces are convenient, and very much in fashion, they often lack the immediacy and pure data-handling power of a compiled application.

Due to the nature of sapio365, whose approach is bringing entire tenants of data directly to the forefront, and letting you work with this data in a multitude of ways, a compiled desktop client is the only way to achieve this.

No, you can't manage your tenant from a tablet, or from your phone. What you do get is access to even multiple tenants of data at once, across multiple account sessions.

Serious Office 365 administration and management, through one dedicated client.

This also has added security benefits as well. Contrary to any number of web-based solutions, sapio365's local installation means that your data STAYS WITH YOU, and NEVER passes through another server.

Is my Office 365 data cached on my computer while using sapio365?

In trying to explain the scope of what sapio365 lets you do, we often say that sapio365 "puts all your cloud data at your fingertips." But know this, sapio365 does NOT retrieve and cache the actual content of your Office 365 tenant locally.

Each time you step through a process such as accessing the full user list, and then a selection of mail boxes, or OneDrive files, a server request is made to provide a "scan" of the properties and settings. This is to give you a "dynamic snapshot" of any given information type. No actual content is stored locally unless you choose to export the data shown in sapio365 or download files.

No tenant data is stored once your session is closed.

sapio365 is just as safe as an online browsers using cookies.

I see what looks like files in the sapio365 interface. Is what I see a copy of my OneDrive files?

No.

File-type icons are included in sapio365's grid for quick reference purposes only. sapio365 provides you with a "dynamic snapshot" of OneDrive contents. It also gives you the option to download files if you choose to do so.

Can sapio365 be automated?

We are currently working on finalizing the scope of our API, as well as how we will implement it in sapio365. Look forward to more developments in this area near Q4 2018.

Office 365 changes quite rapidly. How often are new sapio365 versions released?

We work hard to stay up to date with the latest changes in Office 365 and whether or not it is possible to implement functionality related to these changes. Currently, there is no set release schedule for sapio365. But, on the average, you can expect a couple of updates per quarter.

What are the minimum system requirements for running sapio365?

sapio365 runs on Windows 7 or later. So, of course, your computer must have at least this minimum. However, we recommend that you have at least the following:

  • Free space: 200 MB on your destination drive
  • RAM: As much as possible*
  • CPU: As fast as possible*
 

*sapio365 is available in both 32-bit and 64-bit versions, and is subject to certain constraints:
The 32-bit version is limited to the memory usage limitations inherent to 32-bit.
The 64-bit version will make use of the full capacity of your system.

 

Does Ytria have any access to my Office 365 data?

No. sapio365 is a local installation and your data NEVER passes through another server. Ytria employs secure authentication methods so you can access your data with sapio365, but has no access whatsoever to any data that is retrieved using sapio365.

Ytria doesn't even have access to the sapio365 trace log, unless you choose to send a copy to us for support purposes.

Admin consent

How do I provide consent for Admin session usage?

Step 1 Once you have installed sapio365, open the application and select the command 'Give admin consent for your tenant' from the 'New Admin Session' menu.
 

Microsoft's native dialog to pick an account for credentials

Step 2 You will then be prompted to provide your credentials (account must have global administrator rights).

Microsoft's admin consent dialog showing the application permissions being consented to

Step 3 Verify the application permissions you are consenting to, and click 'Accept.'

sapio365 confirmation dialog saying Consent successfully granted

Consent is now granted tenant wide. Users will be able to open Admin sessions of sapio365.

How do I provide consent for my own Ultra Admin session usage?

sapio365's Ultra Admin Session Activation dialog

Step 1 If you are trying to start your own Ultra Admin session, just enter the proper application ID and password combination in the fields provided.

 

Step 2 Click 'Provide Admin Consent'.

sapio365's dialog Tenant information dialog with tenant name, Application ID, and Application redirect URL

Step 3 You will then be prompted to provide your tenant information, the application ID you are giving consent to, as well as specify the URL for the application redirect. To change the application redirect field, first click on the lock icon.

The URL shown is the default for sapio365. You can change it to any URL that you like, but this URL must match what is specified in the "Redirect URLs" field on the application ID creation page.

 

Step 4 Click 'OK'.

Microsoft's native dialog to pick an account for credentials

Step 5 You will need to provide the credentials for your global administrator account. Either pick your account from the list (if available) or use another another account.

Microsoft's admin consent dialog showing the application permissions being consented to

Step 6 After providing your credentials, you'll see the list of application permissions that the specific application ID requires consenting to in order to run an Ultra Admin session. Accept the consent.


Note: Full Ytria-recommended permission set is shown here. The permissions for the ID you are consenting to may vary.

sapio365 confirmation dialog saying Consent successfully granted

You will be able to open Ultra Admin sessions in sapio365 using this application ID and password. Note: Anyone who has the tenant name, application ID, and the application password will be able to use this ID for an Ultra Admin session. We advise you to keep this information secret.

How do I provide consent for others' Ultra Admin session usage?

sapio365's interface showing the New Admin Session drop-down menu with provide admin consent selected

Step 1 Once you have installed sapio365, open the application and select the command 'Give admin consent for your tenant' from the 'New Ultra Admin Session' menu.

sapio365's Tenant information dialog

Step 2 You will then be prompted to provide the information corresponding to the application ID you're giving consent to: tenant information, the application ID, as well as the URL for the application redirect. To change the application redirect field, first click on the lock icon.

The URL shown is the default for sapio365. You can change it to any URL that you like, but this URL must match what is specified in the "Redirect URLs" field on the application ID creation page.

 

Step 3 Click 'OK'

Microsoft's native dialog to pick an account for credentials

Step 4 You will need to provide the credentials for your global administrator account. Either pick your account from the list (if available) or use another account.

Microsoft's admin consent dialog showing the application permissions being consented to

Step 5 After providing your credentials, you'll see the list of application permissions that the specific application ID requires consenting to in order to run an Ultra Admin session. Accept the consent.

Note: Full Ytria-recommended permission set is shown here. The permissions for the ID you are consenting to may vary.

sapio365 dialog showing that admin consent has been granted

Users will be able to open Ultra Admin sessions in sapio365 using this application ID and password.

Application registration and ID

How do I create an application ID?

Before you begin

Ultra Admin sessions are different from either a Basic User or Admin session in that it does not require that a 'user' signs in. Also, while those other session types use an Azure Active Directory registration created by Ytria, to enable an Ultra Admin session you must register your own application in your own tenant, selecting the Microsoft Graph permission scopes.

Control and liability

There is no "user" signed in during an Ultra Admin session, so there are real-life security implications that you should be aware of when setting up your application permissions.

You are registering the application yourself. So you can define the application permissions as you see fit. If you choose, you can register multiple applications, all with different permission profiles.

Any applications you register will be unusable until an administrator has consented to all assigned permission scopes for the application. The permission scopes shown in this document represent the maximum access potential. You can decide for yourself any limits you'd like to place on your Ultra Admin sessions. You can modify the permission scopes for the application even after admin consent has been given. Feel free to experiment.

Even after admin consent has been given for the application. sapio365 will require both the application ID and the password.

We highly recommend that you protect all application IDs and passwords so that only eligible users can use Ultra Admin sessions.

Registering your application at the v2 Azure Active Directory Endpoint

Create your application

The Sign In screen for Microsoft's Application Registration Portal

Step 1 Go to apps.dev.microsoft.com.

Step 2 Sign in with your credentials.

Microsoft's My applications screen with Add an app ready to be clicked

Step 3 Click "Add an app."

Microsoft's Application Registration Portal showing the application name, a link to platform policies, and the Create button

Step 4 Enter your preferred app name.

Step 5 If needed, familiarize yourself with the "Microsoft Platform Policies" before proceeding.

Step 6 Click "Create."

You will now begin the process of creating your application registration

Generate your application password and prepare to add permissions

Microsoft's Application Registration Portal showing a new password generated

Step 1 To work with an Ultra Admin session in sapio365, you'll need a key pair for proper authentication. The app ID will identify the application and the password provided (see Step 9) will authenticate the application.

Step 2 Click "Generate New Password."

Step 3 The password for your application will appear in a dialog.
IMPORTANT: This is the only time you will see your password! sapio365 will not let you retrieve it. Take note of it now and keep it safe.

Step 4 Click "OK."

Microsoft's Application Registration Portal add platform for application

Step 5 Click "Add Platform"

Step 6 Choose "Web."

Microsoft's Application Registration Portal showing Platforms section and the redirect URLs

Step 7 Clear the checkbox for "Allow Implicit Flow" as it is not used by sapio365. See this article to learn more about Implicit Flow.

Step 8 In the "Redirect URLs" field, enter the following address:
http://127.0.0.1:33366

This is the default address used by sapio365 to complete the consent process. If you need to enter a different address, you may.

 

Once these steps are completed, you are now ready to add the permissions for your application.


Suggested application permissions

You have full flexibility to add whichever permissions you choose. The following list of permission scopes is simply a suggestion.

To learn more about these permission scopes, see the Active Directory v.2 Permission Scope Reference Guide.

For a complete Ultra Admin session experience, the following twelve permission scopes should be assigned:

Calendars.ReadWrite This permission scope allows sapio365 to see, edit and have full control of calendar entries across your Office365 tenant. As the rest of application permissions, does not require a signed-in user, but does need an admin to consent.

Contacts.ReadWrite This is the highest contact permission: it allows sapio365 to access and edit (even delete) all contacts across the Office365 tenant.

Directory.ReadWrite.All This permission ensures that sapio365 can use the ‘memberof’ method on users – to discover groups they belong to, among other rights across your tenant’s Azure Active Directory.

Files.ReadWrite.All This permission will allow sapio365 to see and have full control of all files in your Office365 tenant. Requires admin consent.

Group.ReadWrite.All This is the highest group related permission scope which will allow sapio365 to list, view and edit all group properties – without a signed in user present. As with all other permissions, this scope requires admin consent.

Mail.ReadWrite With this permission scope, sapio365 will have access to all mailboxes in your tenant. This is the equivalent of a global admin using ‘Delegated Administrator mode’ while having been added to all user mailboxes.

MailboxSettings.ReadWrite This allows sapio365 to load and let the user change mailbox settings across all mailboxes.

Member.ReadHidden This permission scope allows sapio365 to see group members where memberships have been hidden.

People.Read.All With this permission, sapio365 will be able to read users’ scored relevant people lists.

Reports.Read.All This permission will allow sapio365 to access Office365 reports through the Microsoft Graph API.

Sites.FullControl.All With this permission scope, sapio365 gains full access to your tenant’s SharePoint data.

User.ReadWrite.All This is the highest user permission which will allow sapio365 to list, view and edit all user properties – without a signed in user present. As with all other permissions, this scope requires admin consent.


Add your application permissions

Microsoft's Application Registration Portal showing the current Delegated Permisisons and the Application Permissions

Step 1 Remove the delegated permission "User.Read,"

Step 2 Under Application Permissions, click "Add".

Microsoft's Select Permission dialog in the app ID creation process

Step 3 Once you have finished assigning permissions, click "OK."

*

Step 4 Beneath the Application Permissions section, you'll see the permissions currently assigned. You may change these later.

Microsoft's Application Registration Portal screen showing the Profile options

Step 5 The options found under the sections Profile and Advanced Options are optional.

Step 6 Click "Save" to finish the process of creating your application ID and assigning application permissions.

sapio365's Ultra Admin Session Activation dialog

NEXT You can now use the information you have received in this process—application ID and password—to activate your Ultra Admin session.

Consultant token packs

 

What are action tokens?

Action tokens provide you with a cost-effective alternative to sapio365's standard license system. Tokens are essentially prepaid sapio365 actions that you can use whenever and however you want.

Tokens allow consultants the freedom to work across their entire tenant load without limits. There is no need to prioritize clients based on their Office 365 user base, as a standard license is based on this. With a token-based license there are no limits on tenant amount.

With this pay-as-you-go system, you don't have to commit to anything. And you can budget your sapio365 usage and access in a much more granular way. All this without limits on the number of tenants you can work with.

What is an "action" when it comes to using my sapio365 tokens?

It's actually quite easy to remember if you think about it this way. In sapio365 there are information retrieval/push actions, such as loading users or groups; loading messages, group memberships, OneDrive files; and reloading grid information or modifying users or groups. And there are data manipulation actions, which include things like filtering, sorting, and categorization of data within an already-open grid.

Tokens are only used for information retrieval actions.

More specifically, each initial data load of 500 entries (e.g. loading the list of users or groups) from the "home" screen will use one token.

 

And every time a different "type" of data is retrieved (such as user messages, group memberships, OneDrive files, etc.) in a "sub-module" view, one token is used.

 

Here's a quick rundown of a process of seeing your users' group memberships and making changes in sapio365, with the number of tokens it would take to complete it:

Let's say your tenant contains 2000 Office 365 users.

  1. Loading the 2000 Office 365 users in your tenant is four tokens.
  2. Loading the group memberships for a selection of these users is one token (regardless of the number of users).
  3. In the view showing group memberships, manipulating the data shown using filters or categorization will not use a token.
  4. Working with group memberships for any number of users will not use a token until you save your modifications.

Following the simple process above will use a total of 6 tokens.

 

sapio365 monthly and annual subscription plans

How many times can I install sapio365?

With a sapio365 subscription license, you can install sapio365 as many times as needed. The only limitations for this type of license are the number of tenants, and the total number of Office 365 users, all tenants combined.

What types of information do I have to provide to use a sapio365 subscription license?

If you have purchased a subscription license, you will have to link to your license the tenants* you wish to access with sapio365.

If you sign in with an account on a tenant that is not linked to your license, you will be prompted to configure your license to include this tenant.*

Please note: you can only make changes to this configuration once a month.

 

*This only applies to tenants with over 50 users. sapio365 is free to use on tenants with up to 50 Office 365 users. You will not be asked to configure your license for these tenants.

How many tenants can I link up to a sapio365 license?

sapio365 subscription licenses can be linked to up to 10 Office 365 tenants at once. If you need to work with more than 10 tenants, please contact Ytria sales.

Are there any other restrictions on linking tenants to my license other than the user and tenant count?

You can change the tenants that a sapio365 license is linked to once a month. Once a change has been made to your tenant list, you'll need to wait a full month before making another change.

How can I increase the Office 365 user cap on my license? What about decreasing the allowed user count?

You can change the total number of Office 365 users authorized for your sapio365 license directly within sapio365 itself. 

In the sapio365 backstage tab, go to 'About sapio365 > License Modification.' From there you will be able to change the Office 365 user capacity of your license.

Here's how:

Change your license capacity directly within sapio365

Step 1: Enter your requested user capacity. You can choose to either reduce or increase the capacity.

 

Step 2: Choose when you would like the change to take effect.
A capacity reduction will only take place at the start of the next billing cycle. No refunds will be given. 
For a capacity increase, if you choose to have the change take effect at the start of the next billing cycle, you will not be charged anything at this time. If you choose immediately, you will be billed the difference once your change is verified.

 

Step 3: (optional): Click 'Preview Pricing' to see a preview of what you will be charged if you apply your changes.

 

Step 4: Enter your Cleverbridge Subscription Reference ID#. No changes will be made unless you provide this number. You can find this number in your original subscription confirmation email and invoice.

 

Step 5: Apply your changes.

 

Further action is required! Once you apply your changes, a confirmation email containing a validation link will be sent to the email associated with the license. Your changes will NOT be applied unless validated through this link.