Create a Graph OAuth Connection to Riva Cloud

Article ID: 2310

Last updated: 24 Jan, 2023

Contents:

Multi-Factor Authentication.
Create the Microsoft 3650 Graph OAuth connection on Riva Cloud.
How to limit specific Mailbox and User access when using "Application Permissions".
List of Microsoft Exchange Online Application Scopes requested.

Multi-Factor Authentication (MFA)

If your company requires Multi-Factor Authentication for the Riva connection account to Office 365, then you will be required to validate the account via the MFA mechanism (phone token or email address) when creating the connection.

Alternatively, you could submit a request to your Exchange/Azure administrator to exclude your service account from requiring MFA.

Create the Graph OAuth Connection on Riva Cloud

To create the Graph OAuth connection:

Log in to https://www.rivacloud.com. (Detailed instructions to log in or sign in)
On the Get Started page, select Configure your email.

(Another way of accessing the page to configure the email would be to click on the dropdown beside the Synchronization category in the side navigation menu and then select Connections)
Select the Office 365 Graph Connection logo.
On the Connection page that appears, input the administrator email and select Connect.
In one or more Microsoft windows that appear, enter the information required to access the desired Office 365 account.

Note: The required information may include Multi-Factor Authentication (MFA).
If you see these Permissions requested page, select Accept.
The connection setup is successful, select OK.

Result: The Office 365 Graph OAuth connection is added to your Riva Cloud account.

How to limit specific Mailbox and User access when using "Application Permissions"

When using "Application Scoped" permissions, there is a common concern that the application itself will have access to all mailboxes.

There are controls specific to Exchange Online resources that do not apply to other Microsoft Graph workloads.

For the specific Exchange Online scopes (including MailboxSettings.*, Mail.*, Calendar.*, Contact.*, and, Task.*), it is possible to limit the "Application Scoped" permission to specific Users and Mailbox by using the "Exchange Application Access Policy."

Details on how to use the "Exchange Online Application Access Policy", https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

Refer to this Riva article for more specific details, https://kb.omni-ts.com/entry/2344/

List of Microsoft Exchange Online Application Scopes requested

Below is a list of default Riva Cloud requested application scopes and a description of their purposes.

Note: For Riva Cloud customers looking to adjust and limit scope access, please contact the Riva technical support team for guidance.

Permission	Permission Type	Description
User.Read.All	Application	To lookup "email addresses" to Microsoft mailbox.
User.Read	Delegated	Sign in and read the user profile. Part of the Azure App registration process.
Calendar.ReadWrite	Application	Used to synchronize calendar items; Depending on requirements, can be limited to Calendar.Read
Mail.ReadWrite	Application	Used to synchronize email items; Depending on requirements, can be limited to Mail.Read
Mail.Send	Application	Send mail as the user.
MailboxSettings.ReadWrite	Application	Read and write mailbox settings including Categories, Time Zone and Work Hours.
Contacts.ReadWrite	Application	Used to synchronize contact items; Depending on requirements, can be limited to Contacts.Read
GroupMember.Read.All	Application	Expanding distribution lists to receive their members and for "User Gathering" process which read group memberships.

This article was: Helpful | Not helpful

Report an issue

Article ID: 2310

Last updated: 24 Jan, 2023

Revision: 17

Comments: 0

« Set Up a Connection Group for Impersonation Sync: Riva

Microsoft Graph: Limiting Azure Application Scope permissions to... »