Microsoft 365

This document provides some guidance on possible advanced configuration settings for Worklytics' Connectors for Microsoft Data Sources. At time of writing, there are 4 such data sources: Microsoft Entra ID (Users, Groups, etc), Outlook Calendar, Outlook Mail and Microsoft Teams. The concepts below generally apply to all of them.

Background

Worklytics connectors for Microsoft data sources are implemented as Entra ID Applications and rely on OAuth 2.0 to obtain access to data held within Microsoft services. Microsoft mediates the grant between a resource owner (eg, the customer organization) and the client (Worklytics), and allows resource owners to manage these grants via Entra ID portal.

Only a Global Administrator of your Entra ID tenant may connect the Worklytics connectors. If you attempt to connect them using an account with insufficient privileges, you should receive guidance from Microsoft about how to contact the appropriate administrator.

After your organization has granted permissions to Worklytics' connectors, you can find them listed inside the portal under "Enterprise applications".

Following Microsoft's concepts, Worklytics' connectors function primarily as Daemon Apps, but also function as a Web app that signs in users, federating sign-on with your Entra ID (avoiding the need for you to explicitly manage user accounts/access in Worklytics, or for your Worklytics users to maintain specific Worklytics credentials).

Pseudonymization Proxy Service

By connecting Worklytics to Microsoft 365 data sources via a pseudonymization proxy service, you can control Worklytics' access to data at the API endpoint, parameter, and field level, beyond the granularity of Microsoft's Graph API OAuth scopes. See https://github.com/Worklytics/psoxy for details.

Advanced Deployment Scenarios

Restrict Worklytics Data Access to a Subset of Mailboxes

  1. Log in to Worklytics, find the Outlook Connector that you intend to connect and copy the Worklytics Entra ID "Application ID" (step 1 in the screenshot example).

  2. Follow Microsoft's instructions to scope permissions granted to Worklytics connectors to specific Exchange Online mailboxes. Use the App ID you noted in the previous step. Note that if you intend to connect both the Outlook Calendar and Outlook Mail integrations, you'll complete these steps twice, once per App ID.

  • Most likely, you'll need only a single RestrictAccess policy to explicitly limit the connector to a single group. The existence of any explicit RestrictAccess rule(s) will cause Exchange to DenyAccess to mailboxes which do not match those rules.

  • For example, to restrict Worklytics Connectors to process mailboxes only for users within a security group us@worklytics.co, the command would be:

    New-ApplicationAccessPolicy -AppId 3f9ca41e-2ab8-4069-982c-29a4ea9cf8a6 -PolicyScopeGroupId us@worklytics.co -AccessRight RestrictAccess -Description "Restrict this app to US mailboxes."

  3. After specifying rules/restrictions, have an Entra ID Global Administrator log in to Worklytics and connect the desired connector (Outlook Mail or Outlook Events) from the Worklytics side.

  4. After connecting from the Worklytics side, review the "Enterprise Apps" screen within Entra ID to verify that the App IDs you've set restrictions for in step (2) match the applications you connected in step (3).

NOTE: this only applies to Exchange Online "mailboxes", which means Outlook Mail and Outlook Events. Other data types that Worklytics ingests via connectors will not be impacted by these settings.

NOTE: We have several connectors for each Microsoft Graph data type; please verify the App ID needed for step (2) again in our UX should you reconnect a data type.
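An added example (not code from the Worklytics documentation) of the mailbox-restriction procedure above carried through in Exchange Online PowerShell: it creates the policy and then checks, mailbox by mailbox, what the connector can reach before you connect it from the Worklytics side. It assumes the ExchangeOnlineManagement module and an Exchange admin role; the App ID and group are the ones shown above, and the two mailbox addresses are constructed placeholders.

```powershell
# Connect to Exchange Online (ExchangeOnlineManagement module assumed installed).
Connect-ExchangeOnline

$appId      = "3f9ca41e-2ab8-4069-982c-29a4ea9cf8a6"   # App ID from the page
$scopeGroup = "us@worklytics.co"                       # mail-enabled security group from the page

# One RestrictAccess policy is enough: Exchange implicitly denies the connector
# access to every mailbox that is not a member of the scope group.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description "Restrict this app to US mailboxes."

# Confirm that a policy now exists for exactly this App ID.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $appId }

# Check the effective result per mailbox. A member of the scope group should
# report AccessCheckResult = Granted; any other mailbox should report Denied.
# Policy changes can take a while to propagate, so re-run if results look stale.
$mailboxesToCheck = @("alice@example.com", "bob@example.com")   # constructed placeholders
foreach ($mailbox in $mailboxesToCheck) {
    Test-ApplicationAccessPolicy -Identity $mailbox -AppId $appId |
        Select-Object AppId, Mailbox, AccessCheckResult
}
```

Running the check before step (3) gives you a record of which mailboxes the connector will be able to read, independent of what the Worklytics UX reports afterwards.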

Restrict Login Access to a Subset of Microsoft Entra ID Users

See Microsoft's documentation: How to Restrict Your App to a Set of Users. We've extracted the parts relevant to the Worklytics context as a multi-tenant enterprise application.

After you've connected the application in the Worklytics UX (requires being a Global Administrator for the organization):

  1. Go to the Azure portal and sign in as an administrator with sufficient privileges to manage Entra ID Applications (Global Administrator, Application Administrator, or Cloud Application Administrator).

  2. On the top bar, select the signed-in account.

  3. Under Directory, select the Entra ID tenant where the app will be registered.

  4. In the navigation on the left, select Entra ID. If Entra ID is not available in the navigation pane, follow these steps:

    • Select All services at the top of the main left-hand navigation menu.

    • Type Entra ID in the filter search box, and then select the Azure Active Directory item from the result.

  5. In the Entra ID pane, select Enterprise Applications from the Entra ID left-hand navigation menu.

  6. Select All Applications to view a list of all your applications.

    If you do not see the application you want here, use the various filters at the top of the All applications list to restrict the list, or scroll down the list to locate your application.

  7. Select the application you want to assign a user or security group to from the list.

  8. On the application's Overview page, select Properties from the application's left-hand navigation menu.

  9. Locate the setting User assignment required? and set it to Yes. When this option is set to Yes, users must first be assigned to this application before they can access it.

  10. Select Save to save this configuration change.

Once you've configured your app to enable user assignment, you can go ahead and assign users and groups to the app.

  1. Select the Users and groups pane in the application’s left-hand navigation menu.

  2. At the top of the Users and groups list, select the Add user button to open the Add Assignment pane.

  3. Select the Users selector from the Add Assignment pane.

  4. A list of users and security groups will be shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.

  5. Once you are done selecting the users and groups, press the Select button on bottom to move to the next part.

  6. Press the Assign button on the bottom to finish the assignments of users and groups to the app.

  7. Confirm that the users and groups you added are showing up in the updated Users and groups list.

  8. Go back to the "Overview" page.
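The same two portal procedures (requiring user assignment, then assigning a group) done with the Microsoft Graph PowerShell SDK so they can be scripted and audited. This is an added example, not code from Worklytics or Microsoft's documentation; it assumes the Microsoft.Graph module, a signed-in account allowed to manage enterprise applications, and the listed Graph scopes, and the App ID and group name are placeholders.

```powershell
# Sign in with the Graph scopes needed to edit the service principal and its assignments (assumed).
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Group.Read.All"

$appId     = "00000000-0000-0000-0000-000000000000"   # placeholder: the connector's Application ID
$groupName = "Worklytics Users"                        # placeholder: group allowed to sign in

# The "Enterprise application" in the portal is the service principal for that App ID.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No enterprise application found for App ID $appId; connect it from Worklytics first." }

# Equivalent of setting "User assignment required?" to Yes in Properties.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Equivalent of Users and groups > Add user: assign the group the default access role,
# which is the all-zero AppRoleId.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id `
    -ResourceId $sp.Id `
    -AppRoleId "00000000-0000-0000-0000-000000000000"

# Verify: assignment is now required, and the group appears in "Users and groups".
$check = Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property Id,AppRoleAssignmentRequired
"AppRoleAssignmentRequired: $($check.AppRoleAssignmentRequired)"
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType
```

Once AppRoleAssignmentRequired is true, a sign-in from an account outside the assigned users and groups is rejected at the Entra ID consent step rather than reaching Worklytics.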
