This document details the permissions and user role required to connect to TTR for both our SaaS product and our self-hosted solution.
Self-hosted: This document details the steps of creating an Azure app to access the O365 Mail APIs, configuring a TTR portal instance to communicate with that Azure app, and then having the customer authenticate with an O365 account that has limited admin permissions in order to perform a bulk upload of O365 agents.
If the customer is hosted on their own platform, a new Azure app needs to be created.
If the customer is hosted on the portal.timetoreply™.com SaaS platform, jump directly to step 6 of this document, as you will leverage the existing Azure app created for the TTR SaaS portal.
1. Create a standard Azure app under App Registrations in Azure Active Directory.
2. Add the following redirect URLs.
Replace ‘portal-url’ with the actual URL of the customer’s hosted web portal.
3. In Authentication Settings, tick the following checkboxes under Advanced Settings.
4. Under API permissions, add the following MS Graph API scopes.
5. Under Certificates & Secrets, generate a new client secret.
6. In Azure AD, assign the ‘Privileged Role Administrator’ role to an account.
7. Add the Application (client) ID and client secret to the environment file used by the portal.
The following parameters will be set:
More detail about the Privileged Role Administrator role:
This role grants the ability to manage assignments for all Azure AD roles, including the Global Administrator role. This role does not include any other privileged abilities in Azure AD, such as creating or updating users. However, users assigned to this role can grant themselves or others additional privileges by assigning additional roles.
Create and delete all resources, and read and update standard properties in microsoft.aad.privilegedIdentityManagement.
Read and configure servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
Read and configure servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory.
Create and manage administrative units (including members).
Create and manage role assignments.
Create and manage role definitions.
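Because this role can assign itself Global Administrator, an operator will want to know which accounts hold it beyond the one used for the TTR integration. The helper below is an added example, not part of the timetoreply documentation: it runs offline on a constructed sample whose field names (id, displayName, principalId, roleDefinitionId, directoryScopeId, userPrincipalName) are assumed to mirror the Microsoft Graph role-management and user objects, and it flags every Privileged Role Administrator holder that is not on an expected list.

```python
"""Audit who holds Privileged Role Administrator (added example, not TTR code)."""
from typing import Dict, List

PRA_NAME = "Privileged Role Administrator"

# Constructed sample data, shaped like Graph roleDefinitions, roleAssignments
# and users objects (field names are an assumption, not taken from the page).
ROLE_DEFINITIONS = [
    {"id": "def-ga-0001", "displayName": "Global Administrator"},
    {"id": "def-pra-0001", "displayName": PRA_NAME},
]
USERS = [
    {"id": "u-0001", "userPrincipalName": "ttr-admin@example.com"},
    {"id": "u-0002", "userPrincipalName": "alice@example.com"},
    {"id": "u-0003", "userPrincipalName": "bob@example.com"},
]
ROLE_ASSIGNMENTS = [
    {"principalId": "u-0001", "roleDefinitionId": "def-pra-0001", "directoryScopeId": "/"},
    {"principalId": "u-0002", "roleDefinitionId": "def-pra-0001", "directoryScopeId": "/"},
    {"principalId": "u-0003", "roleDefinitionId": "def-ga-0001", "directoryScopeId": "/"},
]


def find_role_id(role_definitions: List[Dict], display_name: str) -> str:
    """Resolve a built-in role's id by display name instead of hard-coding it."""
    for role in role_definitions:
        if role["displayName"] == display_name:
            return role["id"]
    raise KeyError(f"role not found: {display_name}")


def audit_pra_holders(role_definitions: List[Dict], role_assignments: List[Dict],
                      users: List[Dict], expected_upns: List[str]) -> List[Dict]:
    """Return one finding per PRA assignment; 'unexpected' marks holders not on the allow-list."""
    pra_id = find_role_id(role_definitions, PRA_NAME)
    upn_by_id = {u["id"]: u["userPrincipalName"] for u in users}
    findings = []
    for ra in role_assignments:
        if ra["roleDefinitionId"] != pra_id:
            continue  # some other role, not in scope for this audit
        upn = upn_by_id.get(ra["principalId"], ra["principalId"])  # fall back to raw id
        findings.append({
            "upn": upn,
            "scope": ra.get("directoryScopeId", "/"),  # "/" means tenant-wide
            "unexpected": upn not in expected_upns,
        })
    return findings


if __name__ == "__main__":
    for f in audit_pra_holders(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS, USERS, ["ttr-admin@example.com"]):
        print(("UNEXPECTED " if f["unexpected"] else "expected   ") + f"{f['upn']} scope={f['scope']}")
```

To audit a real tenant, replace the three sample lists with the corresponding Graph responses and keep the expected list to the dedicated account used in step 6.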
After a customer has authenticated using a Privileged Role Administrator account via the timetoreply™ Portal, a token is stored for that administrator account in the database.
The timetoreply™ system does not store username or password information for administrator accounts.
Each time the ‘O365 Agent Bulk Add’ section is accessed the token is invoked to poll the domain.
For agents added via the bulk add method, as well as those added individually, a token is created for their individual account.
Tokens created for agents added via the bulk add method become children of the parent token created by the administrator account used to authenticate for the Office 365 domain.
Once the timetoreply™ solution is deployed, external access to the application database will be closed off by the customer.
Tokens generated by the timetoreply™ system will never leave the customer’s network and will be inaccessible externally.
Token access can be revoked at any time from the O365 admin dashboard or via the TTR dashboard (Settings -> Email Service Authentication -> View Microsoft Authentications -> Delete the relevant credential).