AzureAD/365 Graph Permissions
Your first ImmyBot tenant will be automatically linked to the Azure tenant that you signed up for ImmyBot with. You can link other ImmyBot tenants to Azure from the tenant Azure tab.
Linking to an Azure Tenant
After creating an ImmyBot tenant, link it to an Azure tenant by navigating to the Azure tab in ImmyBot, entering the Azure tenant's principal ID or domain, and clicking Save.
Azure Permission Level
Once your ImmyBot tenant has been linked to Azure, you can set the Azure Permission Level from the tenant Azure tab. This allows ImmyBot to:
- Sync all users from the Azure tenant
- Sync all users from your customer's tenants (if your Azure tenant is a Partner tenant)
- Install the 365 applications a user is licensed for (Apps for business/Apps for enterprise/Project/Visio)
- Deploy software to Teams, On-Premises Security Groups (Ex. Everyone in the Engineering Team gets AutoCAD 2022)
The Azure Permission Level has two options: Default and Custom
Default
In this mode, you don't need to create an app registration. You consent as an administrator, allowing ImmyBot to access users in your tenant.
Custom
In this mode, you create an app registration and provide its credentials to ImmyBot.
Create an App Registration
Navigate to: https://aad.portal.azure.com/
Important! Your app registration must have a Web redirect URI of https://<your-domain>.immy.bot/consent-callback, replacing <your-domain> appropriately.
Grant Permissions
See the screenshots below for the minimum permissions.
Create Client Secret
Assign GDAP Permissions to ImmyBot Service Principal
- Create a Security Group in Azure AD called "ImmyBot Security Group"
- Add the ImmyBot Service Principal to that group
- For each customer in the Partner Center, add the "ImmyBot Security Group" and add the "Directory Readers" and "Global Reader" roles.
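
A check for the Custom app registration steps above, added here as an example and not ImmyBot's own code: it reads the application object as Microsoft Graph returns it and reports a consent-callback URI that is missing, registered under the wrong platform, or not an exact match, plus an expired client secret. The sample object is constructed, `contoso` stands in for `<your-domain>`, and the function names are made up for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a trimmed Microsoft Graph "application" object.
# "contoso" stands in for <your-domain>; every value here is made up.
SAMPLE_APP = json.loads("""{
  "web": {"redirectUris": ["https://contoso.immy.bot/consent-callback"]},
  "spa": {"redirectUris": []},
  "publicClient": {"redirectUris": []},
  "passwordCredentials": [{"displayName": "immybot",
                           "endDateTime": "2030-01-01T00:00:00Z"}]
}""")


def expected_redirect(domain):
    """Redirect URI the page requires for a given ImmyBot subdomain."""
    return f"https://{domain}.immy.bot/consent-callback"


def _parse(ts):
    # Graph timestamps are UTC; drop fractional seconds and the trailing Z.
    return datetime.fromisoformat(ts.split(".")[0].rstrip("Z") + "+00:00")


def check_app_registration(app, domain, now=None):
    """Return a list of problems; an empty list means the checks passed."""
    now = now or datetime.now(timezone.utc)
    want = expected_redirect(domain)
    problems = []
    web = (app.get("web") or {}).get("redirectUris") or []
    if want not in web:
        problems.append(f"Web platform is missing redirect URI {want}")
        # The URI was added, but under a platform other than Web.
        for platform in ("spa", "publicClient"):
            if want in ((app.get(platform) or {}).get("redirectUris") or []):
                problems.append(f"URI is registered under '{platform}', not Web")
        # Near misses: trailing slash, http scheme, different letter case.
        for uri in web:
            norm = uri.rstrip("/").lower().replace("http://", "https://")
            if norm == want.lower():
                problems.append(f"Near miss, must match exactly: {uri}")
    secrets = app.get("passwordCredentials") or []
    if not any(_parse(s["endDateTime"]) > now for s in secrets):
        problems.append("No unexpired client secret")
    return problems


if __name__ == "__main__":
    print(check_app_registration(SAMPLE_APP, "contoso") or "OK")
```

To check a real registration, pass the JSON printed by `az ad app show --id <application-id>` in place of the sample.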