Here are answers to some of the most popular questions about sapio365


sapio365 FAQs

General questions about sapio365

Why is sapio365 a desktop application?

Although web-based portals and interfaces are convenient, and very much in fashion, they often lack the immediacy and pure data-handling power of a compiled application.

Due to the nature of sapio365, whose approach is bringing entire tenants of data directly to the forefront, and letting you work with this data in a multitude of ways, a compiled desktop client is the only way to achieve this.

No, you can't manage your tenant from a tablet, or from your phone. What you do get is access to multiple tenants of data at once, across multiple account sessions.

Serious Office 365 administration and management, through one dedicated client.

This approach also has security benefits. Contrary to any number of web-based solutions, sapio365's local installation means that your data STAYS WITH YOU, and NEVER passes through another server.

Is my Office 365 data cached on my computer while using sapio365?

In trying to explain the scope of what sapio365 lets you do, we often say that sapio365 "puts all your cloud data at your fingertips." But know this, sapio365 does NOT retrieve and cache the actual content of your Office 365 tenant locally.

Each time you step through a process such as accessing the full user list, and then a selection of mail boxes, or OneDrive files, a server request is made to provide a "scan" of the properties and settings. This is to give you a "dynamic snapshot" of any given information type. No actual content is stored locally unless you choose to export the data shown in sapio365 or download files.

No tenant data is stored once your session is closed.

sapio365 is just as safe as an online browser using cookies.

I see what looks like files in the sapio365 interface. Is what I see a copy of my OneDrive files?

No.

File-type icons are included in sapio365's grid for quick reference purposes only. sapio365 provides you with a "dynamic snapshot" of OneDrive contents. It also gives you the option to download files if you choose to do so.

Can sapio365 be automated?

We are currently working on finalizing the scope of our API, as well as how we will implement it in sapio365. Look forward to more developments in this area near Q4 2018.

Office 365 changes quite rapidly. How often are new sapio365 versions released?

We work hard to stay up to date with the latest changes in Office 365 and to determine whether it is possible to implement functionality related to these changes. Currently, there is no set release schedule for sapio365. But, on average, you can expect a couple of updates per quarter.

What are the minimum system requirements to be able to run sapio365?

sapio365 runs on Windows 7 or later. So, of course, your computer must have at least this minimum. However, we recommend that you have at least the following:

  • Free space: 200 MB on your destination drive
  • RAM: As much as possible*
  • CPU: As fast as possible*
 

*sapio365 is available in both 32-bit and 64-bit versions, and is subject to certain constraints:
The 32-bit version is limited to the memory usage limitations inherent to 32-bit.
The 64-bit version will make use of the full capacity of your system.

 

Does Ytria have any access to my Office 365 data?

No. sapio365 is a local installation and your data NEVER passes through another server. Ytria employs secure authentication methods so you can access your data with sapio365, but has no access whatsoever to any data that is retrieved using sapio365.
Ytria doesn't even have access to the sapio365 trace log, unless you choose to send a copy to us for support purposes.

Admin consent

How do I provide consent for Admin session usage?

sapio365's interface showing the New Admin Session drop-down menu with provide admin consent selected

Step 1 Once you have installed sapio365, open the application and select the command 'Give admin consent for your tenant' from the 'New Admin Session' menu.
 

Microsoft's native dialog to pick an account for credentials

Step 2 You will then be prompted to provide your credentials (account must have global administrator rights).

Microsoft's admin consent dialog showing the application permissions being consented to

Step 3 Verify the application permissions you are consenting to, and click 'Accept.'

sapio365 confirmation dialog saying Consent successfully granted

Consent is now granted tenant wide. Users will be able to open Admin sessions of sapio365.

How do I provide consent for my own Ultra Admin session usage?

sapio365's Ultra Admin Session Activation dialog

Step 1 If you are trying to start your own Ultra Admin session, just enter the proper application ID and password combination in the fields provided.

 

Step 2 Click 'Provide Admin Consent'.

sapio365's Tenant information dialog with tenant name, Application ID, and Application redirect URL

Step 3 You will then be prompted to provide your tenant information, the application ID you are giving consent to, as well as specify the URL for the application redirect. To change the application redirect field, first click on the lock icon.

The URL shown is the default for sapio365. You can change it to any URL that you like, but this URL must match what is specified in the "Redirect URLs" field on the application ID creation page.

 

Step 4 Click 'OK'.

Microsoft's native dialog to pick an account for credentials

Step 5 You will need to provide the credentials for your global administrator account. Either pick your account from the list (if available) or use another account.

Microsoft's admin consent dialog showing the application permissions being consented to

Step 6 After providing your credentials, you'll see the list of application permissions that the specific application ID requires consenting to in order to run an Ultra Admin session. Accept the consent.


Note: Full Ytria-recommended permission set is shown here. The permissions for the ID you are consenting to may vary.

sapio365 confirmation dialog saying Consent successfully granted

You will be able to open Ultra Admin sessions in sapio365 using this application ID and password. Note: Anyone who has the tenant name, application ID, and the application password will be able to use this ID for an Ultra Admin session. We advise you to keep this information secret.
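The consent round trip described in the steps above can be checked end to end. The following is an added example, not Ytria's code: it builds the request for Microsoft's v2 admin consent endpoint and validates the redirect that comes back to the registered URL. The tenant name, application ID and tenant GUID used with it are constructed placeholders, and the function names are hypothetical.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Default redirect URL given on this page; it must match the app registration.
REDIRECT_URI = "http://127.0.0.1:33366"

def build_consent_url(tenant, app_id, redirect_uri=REDIRECT_URI):
    """Return (url, state) for the v2 admin consent endpoint."""
    state = secrets.token_urlsafe(16)  # anti-forgery value, checked on return
    query = urlencode({"client_id": app_id,
                       "redirect_uri": redirect_uri,
                       "state": state})
    url = f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"
    return url, state

def check_consent_response(returned_url, expected_state, expected_tenant_id,
                           redirect_uri=REDIRECT_URI):
    """Validate the URL the browser is sent back to after the consent dialog."""
    got, want = urlsplit(returned_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return "rejected: redirect target differs from the registered URL"
    params = {k: v[0] for k, v in parse_qs(got.query).items()}
    # Constant-time comparison of the state value we generated.
    if not secrets.compare_digest(params.get("state", "").encode(),
                                  expected_state.encode()):
        return "rejected: state mismatch"
    if "error" in params:
        return f"denied: {params['error']}"
    if params.get("admin_consent") != "True":
        return "rejected: no admin_consent flag"
    # The endpoint reports the consenting directory as a GUID.
    if params.get("tenant") != expected_tenant_id:
        return "rejected: consent granted in a different tenant"
    return "granted"
```

A response that fails the state or tenant check should be treated as if consent was never given, even when it carries admin_consent=True.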

How do I provide consent for others' Ultra Admin session usage?

sapio365's interface showing the New Admin Session drop-down menu with provide admin consent selected

Step 1 Once you have installed sapio365, open the application and select the command 'Give admin consent for your tenant' from the 'New Ultra Admin Session' menu.

sapio365's Tenant information dialog

Step 2 You will then be prompted to provide the information corresponding to the application ID you're giving consent to: tenant information, the application ID, as well as the URL for the application redirect. To change the application redirect field, first click on the lock icon.

The URL shown is the default for sapio365. You can change it to any URL that you like, but this URL must match what is specified in the "Redirect URLs" field on the application ID creation page.

 

Step 3 Click 'OK'

Microsoft's native dialog to pick an account for credentials

Step 4 You will need to provide the credentials for your global administrator account. Either pick your account from the list (if available) or use another account.

Microsoft's admin consent dialog showing the application permissions being consented to

Step 5 After providing your credentials, you'll see the list of application permissions that the specific application ID requires consenting to in order to run an Ultra Admin session. Accept the consent.

Note: Full Ytria-recommended permission set is shown here. The permissions for the ID you are consenting to may vary.

sapio365 dialog showing that admin consent has been granted

Users will be able to open Ultra Admin sessions in sapio365 using this application ID and password.

Application registration and ID

How do I create an application ID?

Before you begin

Ultra Admin sessions differ from Basic User and Admin sessions in that they do not require a 'user' to sign in. Also, while those other session types use an Azure Active Directory registration created by Ytria, to enable an Ultra Admin session you must register your own application in your own tenant, selecting the Microsoft Graph permission scopes.

Control and liability

There is no "user" signed in during an Ultra Admin session, so there are real-life security implications that you should be aware of when setting up your application permissions.

You are registering the application yourself. So you can define the application permissions as you see fit. If you choose, you can register multiple applications, all with different permission profiles.

Any applications you register will be unusable until an administrator has consented to all assigned permission scopes for the application. The permission scopes shown in this document represent the maximum access potential. You can decide for yourself any limits you'd like to place on your Ultra Admin sessions. You can modify the permission scopes for the application even after admin consent has been given. Feel free to experiment.

Even after admin consent has been given for the application, sapio365 will require both the application ID and the password.

We highly recommend that you protect all application IDs and passwords so that only eligible users can use Ultra Admin sessions.

Registering your application at the v2 Azure Active Directory Endpoint

Create your application

The Sign In screen for Microsoft's Application Registration Portal

Step 1 Go to apps.dev.microsoft.com.

Step 2 Sign in with your credentials.

Microsoft's My applications screen with Add an app ready to be clicked

Step 3 Click "Add an app."

Microsoft's Application Registration Portal showing the application name, a link to platform policies, and the Create button

Step 4 Enter your preferred app name.

Step 5 If needed, familiarize yourself with the "Microsoft Platform Policies" before proceeding.

Step 6 Click "Create."

You will now begin the process of creating your application registration

Generate your application password and prepare to add permissions

Microsoft's Application Registration Portal showing a new password generated

Step 1 To work with an Ultra Admin session in sapio365, you'll need a key pair for proper authentication. The app ID will identify the application and the password provided (see Step 9) will authenticate the application.

Step 2 Click "Generate New Password."

Step 3 The password for your application will appear in a dialog.
IMPORTANT: This is the only time you will see your password! sapio365 will not let you retrieve it. Take note of it now and keep it safe.

Step 4 Click "OK."

Microsoft's Application Registration Portal add platform for application

Step 5 Click "Add Platform"

Step 6 Choose "Web."

Microsoft's Application Registration Portal showing Platforms section and the redirect URLs

Step 7 Clear the checkbox for "Allow Implicit Flow" as it is not used by sapio365. See this article to learn more about Implicit Flow.

Step 8 In the "Redirect URLs" field, enter the following address:
http://127.0.0.1:33366

This is the default address used by sapio365 to complete the consent process. If you need to enter a different address, you may.

 

Once these steps are completed, you are now ready to add the permissions for your application.


Suggested application permissions

You have full flexibility to add whichever permissions you choose. The following list of permission scopes is simply a suggestion.

To learn more about these permission scopes, see the Active Directory v.2 Permission Scope Reference Guide.

For a complete Ultra Admin session experience, the following twelve permission scopes should be assigned:

Calendars.ReadWrite This permission scope allows sapio365 to see, edit and have full control of calendar entries across your Office365 tenant. As with the rest of the application permissions, it does not require a signed-in user, but does need an admin to consent.

Contacts.ReadWrite This is the highest contact permission: it allows sapio365 to access and edit (even delete) all contacts across the Office365 tenant.

Directory.ReadWrite.All This permission ensures that sapio365 can use the ‘memberof’ method on users – to discover groups they belong to, among other rights across your tenant’s Azure Active Directory.

Files.ReadWrite.All This permission will allow sapio365 to see and have full control of all files in your Office365 tenant. Requires admin consent.

Group.ReadWrite.All This is the highest group related permission scope which will allow sapio365 to list, view and edit all group properties – without a signed in user present. As with all other permissions, this scope requires admin consent.

Mail.ReadWrite With this permission scope, sapio365 will have access to all mailboxes in your tenant. This is the equivalent of a global admin using ‘Delegated Administrator mode’ while having been added to all user mailboxes.

MailboxSettings.ReadWrite This allows sapio365 to load and let the user change mailbox settings across all mailboxes.

Member.ReadHidden This permission scope allows sapio365 to see group members where memberships have been hidden.

People.Read.All With this permission, sapio365 will be able to read users’ scored relevant people lists.

Reports.Read.All This permission will allow sapio365 to access Office365 reports through the Microsoft Graph API.

Sites.FullControl.All With this permission scope, sapio365 gains full access to your tenant’s SharePoint data.

User.ReadWrite.All This is the highest user permission which will allow sapio365 to list, view and edit all user properties – without a signed in user present. As with all other permissions, this scope requires admin consent.
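Because each application ID can carry its own permission profile, it is worth confirming what an ID has actually been granted. The following is an added example, not part of sapio365: it reads the roles claim of an app-only access token, which is where Azure AD lists the consented application permissions, and compares it with the profile you approved. The token is a constructed, unsigned sample and the function names are hypothetical.

```python
import base64
import json

# The twelve application permissions suggested on this page (the maximum set).
SUGGESTED = {
    "Calendars.ReadWrite", "Contacts.ReadWrite", "Directory.ReadWrite.All",
    "Files.ReadWrite.All", "Group.ReadWrite.All", "Mail.ReadWrite",
    "MailboxSettings.ReadWrite", "Member.ReadHidden", "People.Read.All",
    "Reports.Read.All", "Sites.FullControl.All", "User.ReadWrite.All",
}

def b64url(data):
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_token(roles):
    """Constructed, unsigned stand-in for an app-only access token."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    body = b64url(json.dumps({"roles": roles}).encode())
    return f"{header}.{body}."

def token_roles(jwt):
    """Read the 'roles' claim without verifying the signature (review use only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def review(jwt, approved):
    """Compare the token's permissions with the profile approved for this ID."""
    roles = token_roles(jwt)
    return {
        "unapproved": sorted(roles - approved),
        "missing": sorted(approved - roles),
        "write_or_full_control": sorted(
            r for r in roles if "ReadWrite" in r or "FullControl" in r),
        "not_in_page_list": sorted(roles - SUGGESTED),
    }
```

Anything reported under "unapproved" was consented to beyond the intended profile and can be removed from the registration, since permission scopes can be modified after consent.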


Add your application permissions

Microsoft's Application Registration Portal showing the current Delegated Permissions and the Application Permissions

Step 1 Remove the delegated permission "User.Read."

Step 2 Under Application Permissions, click "Add".

Microsoft's Select Permission dialog in the app ID creation process

Step 3 Once you have finished assigning permissions, click "OK."

Step 4 Beneath the Application Permissions section, you'll see the permissions currently assigned. You may change these later.

Microsoft's Application Registration Portal screen showing the Profile options

Step 5 The options found under the sections Profile and Advanced Options are optional.

Step 6 Click "Save" to finish the process of creating your application ID and assigning application permissions.

sapio365's Ultra Admin Session Activation dialog

NEXT You can now use the information you have received in this process—application ID and password—to activate your Ultra Admin session.