
Microsoft Setup

Configuring Microsoft Azure for use with Caddi

Updated over a week ago

Setup Instructions 📔

1. Navigate to Microsoft Entra in the Azure portal here

2. In the left bar, navigate to Identity > Applications > App Registrations

3. Click the New Registration button on the next page

4. Enter a name for the application, select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox), and provide a redirect URI (select Web), then click Register

5. Skip API permissions for now; see the Permissions section of this article below to update them.

6. On the Overview page, grab the Application (client) ID - this is the OAuth client ID

7. Click the Add a certificate or secret link, then click New client secret on the next page

8. Give the client secret a name and select an expiration time from the dropdown (the default is fine)

9. Copy the new secret - this is the OAuth client secret

Note that under the Authorization tab you should not tick the Access Tokens or ID Tokens boxes!

Permissions

How to add the required scopes

On the API Permissions page click Add a permission, then in the new panel click Microsoft Graph

On the next page of the panel, click Delegated permissions and then select all 4 OpenId permissions (offline_access, email, openid, and profile). Then search for the User.Read permission and add it. These 5 permissions are the minimum needed in order to be able to sign in with this OAuth application. Other permissions specific to individual APIs (such as Outlook or Teams) will be required as outlined at the end of this article.
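To show how the values collected in the setup steps (client ID, client secret, Web redirect URI, multitenant account type) and the five minimum scopes above are actually used, here is an added example of the OAuth 2.0 authorization-code sign-in against the Microsoft identity platform v2.0 endpoints. It is not Caddi's code and not Microsoft sample code; the client ID, secret and redirect URI are constructed placeholders, and it builds and checks requests offline without sending anything. It also reflects the note in the setup section: it requests response_type=code only, never the implicit-flow tokens that the Access Tokens / ID Tokens boxes would enable.

```python
"""Added example (not Caddi's code): using the app-registration values from the
setup steps in an OAuth 2.0 authorization-code sign-in with PKCE against the
Microsoft identity platform v2.0 endpoints. Builds and validates requests only;
no network traffic."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values: replace with the ones from your own registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"        # Application (client) ID, step 6
CLIENT_SECRET = "<client-secret-from-step-9>"             # server-side only, never in a browser URL
REDIRECT_URI = "https://caddi.example.com/oauth/callback"  # the Web redirect URI from step 4

# "Any Microsoft Entra ID tenant ... and personal Microsoft accounts" corresponds
# to the "common" tenant segment of the v2.0 endpoints.
AUTHORITY = "https://login.microsoftonline.com/common"

# The five scopes the Permissions section calls the minimum for sign-in.
MIN_SCOPES = ["openid", "profile", "email", "offline_access",
              "https://graph.microsoft.com/User.Read"]


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = secrets.token_urlsafe(64)[:128]          # 43..128 URL-safe chars
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(scopes, state, code_challenge,
                        client_id=CLIENT_ID, redirect_uri=REDIRECT_URI) -> str:
    """Front-channel authorization request. response_type=code selects the
    authorization-code flow; the implicit flow (response_type=token or id_token,
    which the unticked Access Tokens / ID Tokens boxes would enable) is never used."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                      # bound to the user session, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_token_request(code, code_verifier, scopes, client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET, redirect_uri=REDIRECT_URI):
    """(url, form body) for the back-channel POST that redeems the code.
    The client secret appears only here, on the server side. redirect_uri must
    match the registered value exactly or the token endpoint rejects the request."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "code_verifier": code_verifier,
    }
    return f"{AUTHORITY}/oauth2/v2.0/token", body


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to REDIRECT_URI.
    Rejects a callback at the wrong URI, a state mismatch (CSRF / stale session)
    or an error response from the authorization server."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived at a URI other than the registered redirect URI")
    q = parse_qs(parsed.query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "error" in q:
        desc = q.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {q['error'][0]}: {desc}")
    return q["code"][0]


if __name__ == "__main__":
    # Walk the flow with a constructed callback instead of a live browser round trip.
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("1. send the user to:", build_authorize_url(MIN_SCOPES, state, challenge))
    code = parse_callback(f"{REDIRECT_URI}?code=M.CONSTRUCTED.code&state={state}", state)
    token_url, body = build_token_request(code, verifier, MIN_SCOPES)
    print("2. POST to", token_url, "with fields:", sorted(body))
```

The two checks in parse_callback are the ones worth keeping in any implementation: the state value ties the callback to the session that started the sign-in, and comparing the callback URI against the registered redirect URI catches a registration/configuration mismatch early, before the token endpoint fails with a less obvious error.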

Scopes to add

Microsoft provides a wide array of permissions spread across many possible APIs. We recommend selecting all of the scopes listed below for a given API for best compatibility with Caddi.

Items marked with a lock icon 🔒 indicate that a scope requires admin approval. This will only be necessary one time per scope, as the admin approval applies to the entire OAuth application, not just the user that requested it.

Teams

  • Member management

    • TeamMember.ReadWriteNonOwnerRole.All 🔒 - add/remove members with non-owner roles

  • Activity management (i.e. notifications)

  • Chats/messages for 1:1 and groups

    • Chat.ReadWrite - read and write user chat messages (1:1 and group, not channels)

    • Chat.Create - create chats

    • ChatMember.ReadWrite 🔒 - add and remove members from chats

  • Channels (separate from 1:1 and groups)

    • ChannelMessage.ReadWrite 🔒 - read and write messages in channels

    • Channel.Create 🔒 - create a new channel

    • Channel.Delete.All 🔒 - delete a channel

    • Channel.ReadBasic.All - read the names/descriptions of channels

  • Contacts

    • Contacts.ReadWrite - full access to user contacts

    • Contacts.ReadWrite.Shared - as above, but also for shared contacts

  • Calendars

    • Calendars.ReadWrite - full access to user calendars

    • Calendars.ReadWrite.Shared - and shared calendars

  • Meetings

    • OnlineMeetings.ReadWrite - read and create meetings

    • OnlineMeetingTranscript.Read.All 🔒 - read meeting transcripts

  • Schedule (not full calendar)

    • Schedule.ReadWrite.All 🔒 - read and write schedule items

  • Files (upload/download files to chat)

    • Files.ReadWrite.All - full access to the user's files, including ones created by other users (that the current user has permissions to)

  • Users

    • User.Read.All - read all information from all users (e.g. get the email of the person in the Teams chat so you can send them an email)

Outlook

  • Mail

    • MailboxFolder.ReadWrite - read and write folders

    • MailboxItem.Read - read mailbox items

    • Mail.ReadWrite - create, read, update, and delete emails (not including sending)

    • Mail.ReadWrite.Shared - same, but also for shared mail/mail boxes

    • Mail.Send - send emails

    • Mail.Send.Shared - same, but also for shared mail/mail boxes

  • Contacts

    • Contacts.ReadWrite - manage contacts

    • Contacts.ReadWrite.Shared - same, but also for shared contacts

OneNote

  • Notes.ReadWrite.All - create, read, update, and delete notes and notebooks

SharePoint

  • Sites

    • Sites.ReadWrite.All - edit/delete items in site collections

    • Sites.FullControl.All 🔒 - full control of site collections

  • Files

    • Files.ReadWrite.All

  • Lists and ListItems

    • ListItems.SelectedOperations.Selected - access selected listitems

    • Lists.SelectedOperations.Selected - access selected lists

OneDrive and O365

These APIs only support one scope:

  • Files.ReadWrite.All - create, read, update, and delete files

Specific applications in the Office suite such as Word or Excel are not API-driven. Caddi Smart Tools will be used for these interactions.

Application and Permissions Approval/Consent Guidance

Azure Entra ID Permissions Configuration for Caddi

Quick Start Guide

This guide covers the essential permission configurations required for Caddi in Azure Entra ID at both the organization and application levels.

Organization-Level Permissions

Navigate to Entra ID → Enterprise Applications to configure the following:

1. Admin Consent Request Management

Path: Activity → Admin consent requests
Action: Configure approval workflow for application access requests across your Azure organization.

2. User Consent Settings

Path: Security → Consent and permissions → User consent settings
Action: Configure user consent controls.

⚠️ Important: If enforcing admin consent, do NOT select "Allow user consent for apps" - proceed to Admin consent settings instead.

3. Admin Consent Settings

Path: Security → Consent and permissions → Admin consent settings
Required Configuration:

  • Set "Users can request admin consent to apps they are unable to consent to" to Yes

  • Without this setting, users cannot access applications when admin consent is enforced

Additional Configuration:

  • Assign appropriate users/roles/groups as consent approvers (applies organization-wide)

  • App-specific approvers can be configured separately

4. Permission Classifications

Path: Security → Consent and permissions → Permission classifications
Action: Verify that required permissions are not classified as high-risk, which could block consent prompts.

Application-Specific Permissions (Caddi)

Navigate to Entra ID → Enterprise Applications → [Caddi Application] to configure:

1. Application Properties

Path: Manage → Properties
Required Settings:

  • "Enabled for users to sign-in": Yes

  • "Assignment required?": Configure based on organizational requirements

2. Self-Service Access

Path: Manage → Self-service
Required Settings:

  • "Allow users to request access to this application?": Yes

  • "To which group should assigned users be added?": Create and assign a dedicated Caddi group

  • "Require approval before granting access to this application?": If Yes, ensure approvers are configured

  • "Default Access role": Standard configuration is sufficient

3. Application Permissions

Path: Security → Permissions
Optional Action: Click "Grant admin consent for Caddi" to pre-approve permissions for all users

4. Access Reviews

Path: Activity → Access reviews
Action: Monitor and audit user access and permission levels

General Recommendations for Standard Organizations

For organizations with standard security requirements, the following configuration provides a good balance of security and user convenience:

Recommended Settings

  • User consent settings: Allow user consent for apps from verified publishers

  • Assignment required?: Set to No for easier user onboarding

  • Self-service access: Enable with automatic approval (no approvers required)

  • Admin consent: Pre-grant admin consent for Caddi to eliminate permission prompts

  • Dedicated group: Optional - only create if you need to track or manage Caddi users specifically

Benefits of This Approach

  • Users can access Caddi immediately without waiting for approvals

  • Reduces administrative overhead

  • Maintains reasonable security through verified publisher requirements

  • Simplifies the user experience

Recommendations for Organizations with Strict Permission Controls

Essential Configuration

  • Enable admin consent requests in admin consent settings - without this, users cannot request access when admin consent is enforced

  • Create a dedicated Caddi user group for simplified access management and clear visibility

  • Test the consent workflow early with an end-user to ensure smooth deployment

Simplifying Access Management

Access to the application and permission consent are separate processes. To streamline administration:

  • Pre-approve application permissions (grant admin consent)

  • Require approval only for application access (group membership)

  • This approach allows admins to focus solely on group membership management

Critical Warning

⚠️ Incorrect configuration combinations will prevent user access. Test thoroughly with a basic-permission test account or actual end-user before widespread deployment to avoid access issues during onboarding.
