Register access to Microsoft 365

The first step in preparing for Microsoft 365 collection is to register Epiq Discovery access to Microsoft 365. To perform this procedure, you must be an Azure Administrator who can grant Admin consent for application permissions. Note that you need to add Applications Permission>Application.Read.All only when collecting modern attachments.

During these steps, make a note of the Application (client) ID, Directory (tenant) ID, and the Client Secret (token). You can view the Application ID and Directory ID later in Manage Microsoft Entra ID>App registrations, but there is no way to recover the Client Secret.

For detailed information, refer to the Microsoft documentation, "Quickstart: Register an application with the Microsoft identity platform" (quickstart-register-app).

Perform the following actions to register Epiq Discovery.

  1. Go to portal.azure.com.

  2. In Manage Microsoft Entra ID, click View.

  3. In Azure Active Directory, in the navigation menu, select Manage>App registrations.

  4. In App registrations, click New registration.

  5. In Register an application, do the following steps:

    1. In Name, enter a name.

    2. In Supported account types, select Accounts in this organizational directory only.

    3. Click Register.

    4. Make a note of the Application (client) ID and Directory (tenant) ID.

  6. To add permissions to the web API, perform the following steps. To perform these steps, you must be an administrator with permission to grant Admin consent for application permissions.

    1. In App registrations, in the navigation menu, click Manage>API permissions.

    2. In API permissions, click Add a permission.

    3. In the Request API permissions pane, perform the following steps:

      1. Click Microsoft Graph.

      2. Click Application permissions.

      3. Under Select permissions, select the following options:

        • For permission to collect Outlook calendar data, select Calendars>Calendars.Read.

        • For permission to collect OneDrive data, select Files>Files.Read.All.

        • For permission to collect Outlook mailbox data, select Mail>Mail.Read.

        • For permission to the user accounts, select User>User.Read.All.

        • To get the expiration date of the client secret (token) for storing the Microsoft 365 credentials, select Applications Permission>Application.Read.All.

      4. Click Add permissions.

    4. In API permissions, after verifying the added permissions, click Grant Permission.

    5. After verifying the granted permissions, click Accept.

  7. To create a client secret (token), perform the following actions.

    1. In the navigation menu, click Manage>Certificates & secrets.

    2. In Certificates & secrets, click New client secret.

    3. In the Add a client secret pane, perform the following steps.

      1. In Description, enter a description.

      2. In Expires, select an expiration time. When you select Custom, select the Start and End dates.

      3. Click Add. Make sure that you note the Secret ID. Microsoft shows this secret ID only once, and there is no way to recover the secret ID.

  8. Optional. You can also limit Epiq Discovery registration access to specific accounts. For more information, refer to the Microsoft documentation on "Limiting application permissions to specific Exchange Online mailboxes" (auth-limit-mailbox-access).
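
One way to confirm that the registration ended up with only the permissions selected in step 6 is to inspect the `roles` claim of an app-only access token issued to the new client. The following Python is an added example, not part of the Epiq or Microsoft documentation; it decodes the token payload for inspection without verifying the signature, and the tenant ID, client ID, and sample token in it are constructed values. Application.Read.All is treated as allowed but not required, because the page lists it as needed only in some cases.

```python
import base64
import json

# Application permissions the procedure above selects in Microsoft Graph.
REQUIRED = {"Calendars.Read", "Files.Read.All", "Mail.Read", "User.Read.All"}
# Listed on the page as needed only in some cases, so allowed but not required.
OPTIONAL = {"Application.Read.All"}


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT for inspection. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str, tenant_id: str, client_id: str) -> dict:
    """Compare an app-only token's claims with what was registered."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        # v1.0 tokens carry the client ID in "appid", v2.0 tokens in "azp".
        "client_ok": client_id in (claims.get("appid"), claims.get("azp")),
        "missing": sorted(REQUIRED - roles),
        "unexpected": sorted(roles - REQUIRED - OPTIONAL),
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample values, not real identifiers.
TENANT = "11111111-1111-1111-1111-111111111111"
CLIENT = "22222222-2222-2222-2222-222222222222"
SAMPLE = make_sample_token({
    "tid": TENANT, "appid": CLIENT,
    "roles": ["Mail.Read", "Files.Read.All", "User.Read.All", "Mail.ReadWrite"],
})

if __name__ == "__main__":
    print(audit_token(SAMPLE, TENANT, CLIENT))
```

A non-empty `unexpected` list means the registration holds more Graph application permissions than the procedure calls for and should be trimmed in API permissions before the credentials are stored.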