Create a Graph OAuth Connection to Riva Cloud

Multi-Factor Authentication (MFA)

If your company requires Multi-Factor Authentication for the Riva connection account to Office 365, then you will be required to validate the account via the MFA mechanism (phone token or email address) when creating the connection.

Alternatively, you could submit a request to your Exchange/Azure administrator to exclude your service account from requiring MFA.

Create the Graph OAuth Connection on Riva Cloud

To create the Graph OAuth connection:

  1. Log in to https://www.rivacloud.com. (Detailed instructions to log in or sign in)

  2. On the Get Started page, select Configure your email.

    (Alternatively, in the side navigation menu, click the dropdown beside the Synchronization category and then select Connections.)

  3. Select the Office 365 Graph Connection logo.

  4. On the Connection page that appears, input the administrator email and select Connect.

  5. In one or more Microsoft windows that appear, enter the information required to access the desired Office 365 account. You will be required to log in with an Admin account to approve the application and permissions. Note that Riva does not store any admin passwords.

    Note: The required information may include Multi-Factor Authentication (MFA).

  6. If you see the Permissions requested page, select Accept.

  7. If the connection setup is successful, select OK.

    Result: The Office 365 Graph OAuth connection is added to your Riva Cloud account.

How to limit specific Mailbox and User access when using "Application Permissions"

When using "Application Scoped" permissions, there is a common concern that the application itself will have access to all mailboxes.

There are controls specific to Exchange Online resources that do not apply to other Microsoft Graph workloads.

For the specific Exchange Online scopes (including MailboxSettings.*, Mail.*, Calendars.*, Contacts.*, and Tasks.*), it is possible to limit the "Application Scoped" permission to specific users and mailboxes by using the "Exchange Application Access Policy."

For details on how to use the "Exchange Online Application Access Policy", see https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

Refer to this Riva article for more specific details: https://support.rivasync.com/hc/en-us/articles/23568389010452-Microsoft-Graph-Limiting-Azure-Application-Scope-Permissions-to-Specific-Exchange-Online-Mailboxes
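
The following Exchange Online PowerShell sketch shows how such a policy can be created and verified. It is an added example, not taken from Riva's or Microsoft's documentation; the application ID is a placeholder, and the group and mailbox addresses are constructed sample values.

```powershell
# Added example: restrict an app's Exchange Online application permissions
# to the members of one mail-enabled security group, then verify the result.
# All identifiers below are placeholders or constructed sample values.
$AppId      = '<application-client-id>'       # placeholder: client ID of the consented application
$ScopeGroup = 'riva-sync-users@example.com'   # constructed: mail-enabled security group of mailboxes to sync
$InScope    = 'alice@example.com'             # constructed: a member of $ScopeGroup
$OutOfScope = 'finance-exec@example.com'      # constructed: NOT a member of $ScopeGroup

# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# RestrictAccess: the app may only reach mailboxes that are members of the group.
New-ApplicationAccessPolicy `
    -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit sync application to approved mailboxes'

# Check one mailbox that should be reachable and one that should not.
$checks = @(
    @{ Mailbox = $InScope;    Expected = 'Granted' },
    @{ Mailbox = $OutOfScope; Expected = 'Denied'  }
)
foreach ($check in $checks) {
    $result = Test-ApplicationAccessPolicy -Identity $check.Mailbox -AppId $AppId
    $actual = "$($result.AccessCheckResult)"
    if ($actual -ne $check.Expected) {
        Write-Warning "$($check.Mailbox): expected $($check.Expected), got $actual"
    } else {
        Write-Output  "$($check.Mailbox): $actual (as expected)"
    }
}

# Review every policy that applies to this application.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } | Format-List

# The policy covers only the Exchange Online scopes (mail, calendar, contacts,
# mailbox settings). User.Read.All and GroupMember.Read.All are directory
# permissions and are not narrowed by it.
```

A policy change can take some time to be enforced on Microsoft Graph calls, so repeat the out-of-scope check against the live connection before relying on it.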

List of Microsoft Exchange Online Application Scopes requested

Below is a list of default Riva Cloud requested application scopes and a description of their purposes.

Note: For Riva Cloud customers looking to adjust and limit scope access, please contact the Riva technical support team for guidance.

| Permission | Permission Type | Description |
| --- | --- | --- |
| User.Read.All | Application | Used to look up the Microsoft mailbox for an email address. |
| User.Read | Delegated | Sign in and read the user profile. Part of the Azure App registration process. |
| Calendars.ReadWrite | Application | Used to synchronize calendar items. Depending on requirements, can be limited to Calendars.Read. |
| Mail.ReadWrite | Application | Used to synchronize email items. Depending on requirements, can be limited to Mail.Read. |
| Mail.Send | Application | Send mail as the user. |
| MailboxSettings.ReadWrite | Application | Read and write mailbox settings, including Categories, Time Zone, and Work Hours. |
| Contacts.ReadWrite | Application | Used to synchronize contact items. Depending on requirements, can be limited to Contacts.Read. |
| GroupMember.Read.All | Application | Used to expand distribution lists to retrieve their members, and for the "User Gathering" process, which reads group memberships. |