Grant permissions to the GT365 app

2024-08-07 | Toni Pohl

Our Governance Toolkit 365 (GT365) provides information and automation solutions for a Microsoft 365 tenant. In order to use the functions, this app must be approved by an administrator. In addition, new solutions are constantly being added. Some of these also require new permissions. You can find out how you as an administrator can grant and renew these permissions here.

GT365 requires an app “Governance Toolkit 365” that reads the data from the M365 tenant and collects it for further actions. An administrator must approve this app so that the functions can be used. There are the following functions that administrators can perform:

  1. Add app permissions
  2. Create a service account for the Power Platform (if not already existing)
  3. Grant permissions for the Power Platform

Please perform the following steps as the global administrator of your M365 tenant. Please use a browser in In-Private mode and ensure that the “Stay signed in?” prompt is answered with “No”.

Update (Aug. 12th): To ensure that all data from the Power Platform can be processed in GT365, we have changed the setup process. Please create a separate service account for the Power Platform as described below in step 2 and step 3.

Step 1 - Add app permissions (Do this for new features too)

These steps must be performed as a Global Administrator. You can use Privileged Identity Management (PIM). Perform these steps after registration.

Note: Since we are constantly adding new solutions, it may be necessary to repeat this process after some time to use new features or if existing features do not work properly.

Here's how it works:

  1. Open a browser in In-Private mode.
    image
  2. Open the URL https://bit.ly/gt365extapp. (If the short URL does not work in your environment, use the long URL here.)
  3. Sign-In with your Global Administrator account: Enter Username and password, and confirm the MFA request.
  4. Confirm the app permissions request with Accept.
    image
    GT365 follows the principle of least privilege. Almost all permissions are read-only unless the permission is actually required for a service to function correctly. However, due to the large number of functions, the list of required permissions is relatively long. The trust principle applies. This confirmation only needs to be done once.
  5. The website informs about the success. Continue with step 2.
    image

This will set all current permissions in the M365 tenant and allow the GT365 app to read the data. Renew this confirmation using the URL above when new features are added to the GT365 app. You can grant these permissions again at any time.

Step 2 - Create a service account for the Power Platform

GT365 reads information from various Microsoft application interfaces. For getting access to the Power Platform, an administrator needs create a service account (step 2) and to confirm the two links (step 3).

Note: If you already have create the Power Platform Service Account, you can skip this step and continue with step 3.
If you use CoE in your Power Platform environment, and you have a service account for CoE with the Power Platform Administrator role, you can also use this account and skip this step.

Here's how you can create the service account in the Azure portal.

  1. Use the browser you used to log in as a global administrator in step 1 (or sign-in again in a In-Private browser with a Global Admin).
  2. Open the Azure portal and navigate to Microsoft Entra ID / Manage / Users: Users - Microsoft Azure
  3. Click on New user and Create new user.
    image
  4. Enter a name for the service account. Give the service account a name. Here we use service.gt365 and any domain. You can use any username and password. Then, click on Review + create.
    image
  5. Confirm the user creation with the Create button.
  6. When the user list is shown, search for the new user service.gt365 an open the user account.
    image
  7. In the user account Manage menu, click on Assigned roles.
    image
  8. We need to add the Power Platform role to this account. Click on Add assignments.
    image
  9. In the Select role dropdown, select the "Power Platform Administrator” role as here. Click on Next.
    image
  10. Change the Assignment type to Active and enter a justification for this role, such as “GT365 Power Platform Service Account”. Then, click on Assign.
    image
    Note: Unfortunately, the Power BI services requires the service account to have a permanent role. It does not work (currently) if the service is used without an active role.
  11. Azure confirms the role assignment with a notification message. In the Assigned roles list, click on Refresh to see the Active assignments, as here.
    image
    This means that this account has a permanent, active role assignment for getting data from the Power Platform.
  12. Close the browser.
  13. Sign-in with the new service account in a new In-Private browser session. Open any M365 URL or https://portal.office.com.
  14. Ensure that you have a valid password and MFA set for the new service account (to use it as described in step 3). Follow the sign-in process for the new account.
    image
  15. When the “Stay signed in?” prompt follows, ensure to click on “No”!
  16. The service account creation has been done. Make a note of the access data for the service account. Continue with step 3 and item 2.

Step 3 - Grant permissions for the Power Platform

Once we have the service account with the permanent Power Platform Administrator role, we just need to get permissions for this service account. Follow these steps with the service.gt365 account.

Note: You can also follow these steps if you notice that data is missing in the Power Platform or Power BI area in GT365 to renew these permissions. 

  1. Open a browser in In-Private mode.
    image
  2. Open the URL https://bit.ly/gt365app1. (If the short URL does not work in your environment, use the long URL here.)
  3. Sign-In with your service.gt365 account: Enter Username and password, and confirm the MFA request.
  4. When the “Stay signed in?” prompt follows, ensure to click on “No”!
    image
    This is important because GT365 requires to get two permissions, one for the Power Platform, and one for Power BI. If you click "No", the token information will be sent for the second confirmation link below and GT365 can use it. If you click "Yes", only "kmsi" (keep me signed in) would be provided in the token property "signin_state". This means that GT365 cannot use this information because it runs unattended and not in your browser. Therefore, please make sure to select "No" here. You can find more information about that prompt at Manage the 'Stay signed in?' prompt.
  5. This is followed by a confirmation page. This enables access to the Microsoft Power Platform.
    image
  6. Now open the URL https://bit.ly/gt365app2 to grant access to the Microsoft Power BI services. (If the short URL does not work in your environment, use the long URL here.)
  7. After the second address has been opened, the confirmation page appears again. This completes the process and the browser can be closed.
    image

This will set the Power Platform permissions in the M365 tenant and allow the app with the service account to perform all functions. Renew this confirmation using the steps above if the data from your M365 tenant is missing. You can grant these permissions again at any time.

Problems with missing data?

The data is usually updated daily. You will see the results the following day.

If the confirmation steps above cannot be completed successfully, please repeat the entire process.

Once all permissions have been set, GT365 can fully function and use all Microsoft application interfaces. You will see the data in your central GT365 storage account and in the Power BI reports. If you have any questions, please contact us.

We believe that using GT365 will help you with your administrative work in your Microsoft 365 tenant!
If you don't know GT365 yet, visit the product website and open a trial!

Categories: Azure, English, GT365, Compliance, Entra, Microsoft365, Office365, Tools, Security, atwork

Source: https://blog.atwork.at/post/Grant-permissions-to-the-GT365-app