Admins | How do I allow new Graph API permissions for my Office org?
Overview
Microsoft is decommissioning the Outlook REST API. Organizations currently utilizing the REST API Office connection must transition to Microsoft Graph API to prevent disruption to core Cirrus Insight features before Nov. 15, 2022.
Important Dates
-
On Nov. 15, 2022, Cirrus Insight will enable Graph API for all existing organizations.
-
New user connections will automatically request Graph API permissions. Without the necessary Office app approval, users in affected orgs may face errors and interrupted functionality.
-
-
On Nov. 30, 2022, Microsoft will decommission the Outlook REST API.
-
Key features like Scheduling, Email Sync, Calendar Sync, and Task Sync will stop working until users can re-authenticate with Graph API permissions.
-
Who’s Affected?
Most orgs are already set up with Graph API and no action is required.
However, you’ll need to work with your Office Admin to follow the 3-part Graph API transition plan below if you meet all these conditions:
-
Your org started using Cirrus Insight before Sept. 1, 2021.
-
Orgs that started using Cirrus Insight after Sept. 1, 2021 are already set up with Graph.
-
-
Users connect Office & Cirrus Insight via individual connections (not service account).
-
Orgs that connect users via Office service account in Admin Dashboard → Service Accounts are already set up with Graph.
-
-
Your Office application settings require Admin authorization.
-
In MS Azure Active Directory, the setting “User can consent to apps accessing company data on their behalf” is set to “No.”
-
Transition Steps
I. Office Admin Consent
Decide how Cirrus Insight will be allowed at the Office org level with one of the below methods.
-
For details about permissions, review the Permissions Comparison section below.
| A. In-app Admin Approval |
B. Admin Consent Workflow |
C. User Consent Enablement |
| This method allows the Office Admin to easily authorize Cirrus Insight on behalf of the org without the need for Office setup steps. | This method requires the Office Admin to set up an Office workflow that allows users to request permission to access Cirrus Insight (each of which the Admin would have to approve). | This method allows end users to register consent for Add-ins on their own. |
|
The Office Admin would need to complete the below steps: 1. Sign into Cirrus Insight Dashboard > My Profile 2. Click the Connections globe in the upper right. 3. Select Connect your Office 365. 4. Approve permissions with O365 Admin profile and choose to authorize on behalf of the org. |
The Office Admin would need to complete the steps in this Microsoft guide: |
The Office Admin would need to complete the steps in this Microsoft guide: Managing user consent to apps in Microsoft 365 - Microsoft 365 admin |
II. Support Enablement
Request Graph API enablement from Cirrus Insight Support.
-
Start a Support chat from any page on http://cirrusinsight.com .
-
Starting Nov. 15, 2022, this step will occur automatically.
III. New User Authorizations
With sufficient access set up in Section I above, users simply need to end their previous connections and reconnect with Graph API. They should take these steps:
1. Navigate to Cirrus Insight Dashboard → My Profile (sign in if prompted).
2. Click the Connections globe icon in the top right.
3. Select Disconnect just below your Office 365 account (under Email connections).
4. Select Reconnect for your Office 365 account. Sign in with your email credentials and accept the necessary permissions.
5. Look for a green dot to the right of your Office 365 account to verify a successful connection.
This completes the transition to Graph API.
Permissions Comparison
| Old permissions scope (Outlook REST API) |
New permissions scope (Graph API) |
.png?width=520&upscale=true&name=image-20220912-202357%20(1).png) |
.png?width=520&upscale=true&name=image-20220912-202543%20(2).png) |
Expanded permissions details:
-
Mail.Send is required for Email Blast.
-
MailboxSettings.Read is required for Calendar Sync (Timezone Retrieval, Category Retrieval) and Email Sync (Category Retrieval).