Microsoft 365 Plugin Configuration Guide

This guide explains how to configure Azure Active Directory (Microsoft Entra ID) to allow the ActivityPulse MS365 plugin to authenticate and fetch user activity data.

Prerequisites

  • Azure Active Directory tenant with Microsoft 365 subscription
  • Global Administrator or Application Administrator role in Azure AD
  • Access to the Microsoft Entra admin center (https://entra.microsoft.com)

Overview

The MS365 plugin uses the OAuth 2.0 client credentials flow to authenticate to the Microsoft Graph API. This requires:

  1. Tenant ID - Your Azure AD tenant identifier
  2. Client ID - The Application (client) ID of your registered app
  3. Client Secret - A secret key for authentication

Step 1: Register an Application in Azure AD

1.1 Navigate to App Registrations

  1. Go to the Microsoft Entra admin center
  2. Sign in with your administrator account
  3. In the left navigation, expand Identity > Applications
  4. Click App registrations

1.2 Create New Registration

  1. Click + New registration
  2. Enter the following details:
     • Name: ActivityPulse MS365 Plugin (or your preferred name)
     • Supported account types: Select Accounts in this organizational directory only (Single tenant)
     • Redirect URI: Leave blank (not needed for client credentials flow)
  3. Click Register

1.3 Note the Application IDs

After registration, you’ll see the Overview page. Note down these values:

Field | Description | Example
Application (client) ID | This is your Client ID | abcdef12-3456-7890-abcd-ef1234567890
Directory (tenant) ID | This is your Tenant ID | 12345678-1234-1234-1234-123456789abc

Step 2: Create a Client Secret

2.1 Navigate to Certificates & Secrets

  1. In your app registration, click Certificates & secrets in the left menu
  2. Click the Client secrets tab

2.2 Create New Secret

  1. Click + New client secret
  2. Enter a description (e.g., ActivityPulse Production)
  3. Select an expiration period:
     • Recommended: 24 months (you’ll need to rotate before expiry)
     • Note: Microsoft no longer allows “Never” expiration
  4. Click Add

2.3 Copy the Secret Value

IMPORTANT: Copy the Value immediately. This is your Client Secret.

You will NOT be able to see this value again after leaving this page. If you lose it, you must create a new secret.

Field | What to copy
Value | This is your Client Secret (long string like abc123~...)
Secret ID | Not needed for ActivityPulse

Step 3: Configure API Permissions

3.1 Navigate to API Permissions

  1. In your app registration, click API permissions in the left menu
  2. Click + Add a permission

3.2 Add Microsoft Graph Permissions

  1. Select Microsoft Graph
  2. Select Application permissions (NOT Delegated permissions)
  3. Add the following permissions:

Required Permissions

Permission | Purpose
Reports.Read.All | Read Teams, Email, OneDrive, and SharePoint activity reports
AuditLog.Read.All | Read sign-in logs (login events)
Directory.Read.All | Read user information for enrichment
AuditLogsQuery.Read.All | Read audit logs data from all services

Optional Permissions (for Calendar Events)

Permission | Purpose
Calendars.Read | Read calendar events (requires additional justification)

Optional Permissions (for Email Sending via Graph API)

Permission | Purpose
Mail.Send | Send email notifications and reports via Microsoft Graph API instead of SMTP

Note: This permission is only needed if you configure the Microsoft Graph API email transport in Settings > Email. It is not required for data collection.

3.3 How to Add Each Permission

For each permission:

  1. Click + Add a permission
  2. Select Microsoft Graph
  3. Select Application permissions
  4. Search for the permission name (e.g., Reports.Read.All)
  5. Check the box next to it
  6. Click Add permissions

After adding all required permissions:

  1. Click the Grant admin consent for [Your Organization] button
  2. Confirm by clicking Yes
  3. Verify all permissions show a green checkmark under Status

The status should show Granted for [Your Organization] for each permission.
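
The consent result can also be checked outside the portal by inspecting the roles claim of an access token issued to the app. The following is an added example, not ActivityPulse code: it decodes a token payload for inspection only and reports required permissions that are missing and permissions beyond the ones this guide lists. The function names are hypothetical and the sample token is constructed.

```python
import base64
import json
import time

# Application permissions from the "Required Permissions" table in Step 3.2.
REQUIRED = {"Reports.Read.All", "AuditLog.Read.All",
            "Directory.Read.All", "AuditLogsQuery.Read.All"}
# Optional permissions from the guide; accepted only when explicitly enabled.
OPTIONAL = {"Calendars.Read", "Mail.Send"}

def decode_claims(token):
    """Decode a JWT payload for inspection only; the signature is not checked."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token, tenant_id, client_id, enabled_optional=(), now=None):
    """Compare the token's tenant, app and roles with what Step 3 configured."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))
    allowed = REQUIRED | (OPTIONAL & set(enabled_optional))
    app = claims.get("appid") or claims.get("azp") or ""  # v1.0 / v2.0 tokens
    now = time.time() if now is None else now
    return {
        "tenant_ok": claims.get("tid", "").lower() == tenant_id.lower(),
        "app_ok": app.lower() == client_id.lower(),
        "expired": claims.get("exp", 0) <= now,
        "missing": sorted(REQUIRED - roles),  # consent gap -> "Access denied"
        "excess": sorted(roles - allowed),    # more privilege than intended
    }

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"

TENANT = "12345678-1234-1234-1234-123456789abc"  # example value from Step 1.3
CLIENT = "abcdef12-3456-7890-abcd-ef1234567890"  # example value from Step 1.3
SAMPLE = make_sample_token({  # constructed claims, not a real token
    "tid": TENANT, "appid": CLIENT, "exp": 2000000000,
    "roles": ["Reports.Read.All", "AuditLog.Read.All", "Mail.Send"]})

if __name__ == "__main__":
    print(audit_token(SAMPLE, TENANT, CLIENT))
```

An empty "missing" list with an empty "excess" list means the granted application permissions match the configured set exactly.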

Step 4: Configure ActivityPulse

4.1 Enter Credentials in ActivityPulse

In the ActivityPulse web interface:

  1. Navigate to Data Sources
  2. Click Add Data Source or edit an existing MS365 source
  3. Enter the values you collected:
     Field | Value
     Tenant ID | Directory (tenant) ID from Step 1.3
     Client ID | Application (client) ID from Step 1.3
     Client Secret | Secret Value from Step 2.3
  4. Click Test Connection to verify the configuration
  5. Click Save

4.2 Map Users

For each team member you want to track:

  1. Navigate to Team > Members
  2. Edit the team member
  3. In the External IDs section, add their MS365 identifier
  4. Enter their User Principal Name (UPN), typically their email address (e.g., john.doe@contoso.com)

Verification

Test the Connection

  1. In ActivityPulse, go to Data Sources
  2. Find your MS365 data source
  3. Click Test Connection
  4. A successful test confirms:
     • Tenant ID is valid
     • Client ID is correct
     • Client Secret is correct
     • Required permissions are granted

Verify Data Collection

  1. Click Sync Now to trigger immediate data collection
  2. Go to Activities to see fetched activity data
  3. Note: Microsoft 365 reports are delayed 24-48 hours, so you may not see today’s data immediately

Troubleshooting

“Authentication failed” Error

  • Verify Client Secret is copied correctly (no leading/trailing spaces)
  • Ensure the secret hasn’t expired
  • Confirm Tenant ID and Client ID are GUIDs, not names

“Access denied” Error

  • Verify admin consent was granted for all permissions
  • Check that permissions are Application type, not Delegated
  • Ensure the consenting admin has Global Administrator or Application Administrator role

“Resource not found” Error

  • Verify Tenant ID matches your organization
  • Confirm your Microsoft 365 subscription includes the services being queried

No Data After Sync

  • Reports are delayed 24-48 hours by Microsoft
  • Verify team members have MS365 external IDs configured
  • Check that users have been active in the services (Teams, Email, etc.)

Rate Limiting Errors

  • Microsoft limits report API calls to ~14 requests per 10 minutes per tenant
  • ActivityPulse handles this automatically with retry logic
  • If persistent, reduce sync frequency

Security Best Practices

Principle of Least Privilege

  • Only grant permissions that are actually needed
  • Start with Reports.Read.All only
  • Add AuditLog.Read.All if you need login events

Secret Management

  • Store the client secret securely
  • Set calendar reminders to rotate secrets before expiry
  • Use a password manager or secrets vault for storage

Monitoring

  • Review sign-in logs in Azure AD periodically
  • Enable alerts for suspicious app activity
  • Monitor the app’s activity in Microsoft Entra admin center

Secret Rotation

Before your client secret expires:

  1. Create a new client secret (Step 2)
  2. Update the secret in ActivityPulse
  3. Verify the connection works
  4. Delete the old secret from Azure AD
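
A calendar reminder can be backed by a check of the app registration's secret list. The following is an added example, not ActivityPulse code: it classifies each entry of a Microsoft Graph application object's passwordCredentials by time to expiry and flags a rotation where the old secret was never deleted. The function names and the 30-day threshold are assumptions, and the sample data is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the passwordCredentials list on a Microsoft
# Graph application object; key IDs, names and dates are made up.
SAMPLE_APP = json.loads("""
{"displayName": "ActivityPulse MS365 Plugin",
 "passwordCredentials": [
   {"keyId": "00000000-0000-0000-0000-000000000001",
    "displayName": "ActivityPulse Production",
    "endDateTime": "2025-07-10T00:00:00Z"},
   {"keyId": "00000000-0000-0000-0000-000000000002",
    "displayName": "ActivityPulse Production (rotated)",
    "endDateTime": "2027-06-20T09:30:00.1234567Z"},
   {"keyId": "00000000-0000-0000-0000-000000000003",
    "displayName": null,
    "endDateTime": "2024-01-01T00:00:00Z"}]}
""")

def parse_graph_time(value):
    """Parse a UTC timestamp, ignoring fractional seconds (may be 7 digits)."""
    parsed = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)

def review_secrets(app, now, warn_days=30):
    """Classify each client secret and flag an unfinished rotation."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        label = cred.get("displayName") or cred["keyId"]  # description is optional
        days_left = (parse_graph_time(cred["endDateTime"]) - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "rotate-now"
        else:
            status = "ok"
        findings.append((label, status, days_left))
    usable = [f for f in findings if f[1] != "expired"]
    # After step 4 of the rotation only one usable secret should remain.
    return findings, len(usable) > 1

if __name__ == "__main__":
    when = datetime(2025, 6, 20, tzinfo=timezone.utc)  # fixed date for the demo
    for row in review_secrets(SAMPLE_APP, when)[0]:
        print(row)
```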

API Permissions Reference

Reports.Read.All

Grants access to:

  • Teams user activity reports
  • Email activity reports
  • OneDrive activity reports
  • SharePoint activity reports

Data returned is aggregated per user per day (not individual events).

AuditLog.Read.All

Grants access to:

  • Sign-in logs (successful and failed logins)
  • Login metadata (app, device, location, IP)

Directory.Read.All

Grants access to:

  • User profile information
  • Group membership
  • Organizational structure

Calendars.Read

Grants access to:

  • Calendar events for all users
  • Meeting metadata (subject, attendees, times)

Note: This is a high-privilege permission. Microsoft recommends only requesting it when there is clear business justification.

Mail.Send

Grants access to:

  • Sending emails on behalf of any user in the organization

This permission is only required if you use the Microsoft Graph API email transport (configured in Settings > Email). It allows ActivityPulse to send notifications and reports via the Graph API instead of SMTP.

Data Privacy Considerations

The MS365 plugin collects:

  • Activity counts (emails sent, meetings attended, files edited)
  • Login events (when and from where users sign in)
  • Aggregated durations (call time, meeting time)

The plugin does NOT collect:

  • Email content or subjects
  • Document content or names (via Reports API)
  • Chat message content
  • Individual call recordings

All data is used solely for activity tracking within ActivityPulse and is subject to your organization’s data retention policies.

Additional Resources