Skip to main content
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Microsoft Graph API Permissions and campusM Product Integrations

    campusM + cmLibrary Logo wh bkg sm1.png

    Registering a New Application

    A new application must first be registered in Microsoft Azure.

    To register a new application in Microsoft Azure:
    1. From the Microsoft Azure Manage Azure Active Directory section, select View.

      The Manage Azure Active Directory.

      Manage Azure Active Directory
    2. Add an App registration.

      The option to Add an App registration.

      Add an App registration
    3. From the Register an application screen:
      1. Add a Name.
      2. Select the Supported account types Accounts in this organizational directory only (<YOURUSER> - Single tenant).
      3. Select the Web redirect option and add a redirect URI.

        The Redirect URI must be the following: <App URL>/cmauth/oauth/callback.

      4. Select Register. Your application is created.

      The Register an application screen.

      Register an application

    Creating a Client Secret

    After creating an application, you must create a client secret.

    To create a client secret:

    1. Select Manage > Certificates & secrets.

      The option to create Certificates and secrets.

      Certificates & secrets
    2. Select New client secret.

      The option to add a New client secret.

      New client secret
      1. Enter a Description.
      2. Select an Expires after date.
      3. Select Add. Your application credentials are updated.

        The Add a client secret screen.

        Add a client secret
    3. Copy the Value and Secret ID for later use.

      The clients secrets list.

      Client Value and Secret ID


    Permissions must be granted for the Microsoft Graph API in the Microsoft Azure Portal to allow campusM to use the API. Different permissions are required for different campusM product integrations.

    To grant API permissions:
    1. Select Manage > API permissions.

      Select Add a permission.

      The option to add API permissions.

      API permissions
    2. Select Microsoft APIs > Microsoft Graph.

      The option to select Microsoft Graph.

      Microsoft Graph
      1. Select the permission type.

        Ensure that you are using the correct permission type when you are adding the permission. There are two permission types:

        • Application permissions – allow an application to act as its own entity, rather than on behalf of a specific user.
        • Delegated permissions – allow an application to perform actions on behalf of a particular user.
      2. Select the relevant permissions.
      3. Select Add permissions.

        The Request API permissions screen.

        Request API permissions

    The permissions are saved.

    Updated API permissions.

    API permissions

    Granting Consent

    When using Delegated permissions, a user must grant consent to allow the application to access their personal resources. However, it can also be granted by an admin, who can consent to the application accessing the resources for any user who uses the application. When using Application permissions, consent must be granted by an admin.

    Overview of Product Integrations and Required Permissions

    Directory Search

    • Directory Search product integration
      • The permissions must be added as Application permission
      • microsoft.graph is the specific API call that is used
        • The Permissions section on the List users page states that “one of the following permissions is required to call this API.” We are using the Application permissions type. The permission options from least to most privileged are:
          • User.Read.All
          • User.ReadWrite.All
          • Directory.Read.All
          • Directory.ReadWrite.All
            • Any of the above permissions grant required access
            • We recommend using the least privileged (User.Read.All). Adding just this permission grants the product integration the access it needs.



    • Roles product integration:
      • The permission must be added as Application permissions
      • List memberOf is the specific API call that is being used
      • The following Application permissions are required:
        • Directory.Read.All
        • Group.Read.All
        • User.Read.All
      • Descriptions for adding these permissions:
        • User.Read.All and Group.Read.All – if you are managing the roles in groups.
        • Directory.Read.All – if you are managing the roles in Directory Roles.
    • Was this article helpful?