This document describes the steps to create a custom eShare application in the Microsoft Entra (Azure AD) portal. At a high level, the steps involved are:
REQUIREMENT:
The person performing these steps must have an administrator role assignment of Application Administrator, Cloud Application Administrator, or Global Administrator in the destination M365 tenant.
Application Registration
To create the custom app registration for the eShare Migration Service, log in to the Microsoft Entra console (https://entra.microsoft.com or https://entra.microsoft.us) and navigate to ‘Applications’ > ‘App Registrations’.
In the ‘App Registrations’ page, click the ‘+ New registration’ button in the top menu bar.
Enter a recognizable, unique name for the custom eShare app and select the ‘Register’ button at the bottom of the page.
In a few moments, a shell application is created and ready for further configuration.
Modify Application Manifest - Commercial Cloud
requiredResourceAccess
In the newly registered application page, navigate to the ‘Manage’ > ‘Manifest’ tab.
In the application’s manifest, look for ‘requiredResourceAccess’.

Replace the above string (including the comma at the end), from line 51 to 61, with the text below.
    "requiredResourceAccess": [
      {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
          {
            "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
            "type": "Role"
          },
          {
            "id": "75359482-378d-4052-8f01-80520e7db3cd",
            "type": "Role"
          },
          {
            "id": "62a82d76-70ea-41e2-9197-370581804d09",
            "type": "Role"
          },
          {
            "id": "a82116e5-55eb-4c41-a434-62fe8a61c773",
            "type": "Role"
          },
          {
            "id": "df021288-bdef-4463-88db-98f22de89214",
            "type": "Role"
          }
        ]
      },
      {
        "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
        "resourceAccess": [
          {
            "id": "678536fe-1083-478a-9c59-b99265e6b0d3",
            "type": "Role"
          },
          {
            "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
            "type": "Role"
          }
        ]
      }
    ],

Click the ‘Save’ button in the top menu bar.
Modify Application Manifest - Government Cloud
requiredResourceAccess
In the same application manifest, look for lines 42 to 52 and replace them with the text below:
    "requiredResourceAccess": [
      {
        "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
        "resourceAccess": [
          {
            "id": "678536fe-1083-478a-9c59-b99265e6b0d3",
            "type": "Role"
          },
          {
            "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
            "type": "Role"
          }
        ]
      },
      {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
          {
            "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
            "type": "Role"
          },
          {
            "id": "75359482-378d-4052-8f01-80520e7db3cd",
            "type": "Role"
          },
          {
            "id": "62a82d76-70ea-41e2-9197-370581804d09",
            "type": "Role"
          },
          {
            "id": "a82116e5-55eb-4c41-a434-62fe8a61c773",
            "type": "Role"
          },
          {
            "id": "df021288-bdef-4463-88db-98f22de89214",
            "type": "Role"
          }
        ]
      }
    ],

Click the ‘Save’ button in the top menu bar.
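An added example (not eShare's or Microsoft's code): a Python check that compares a saved manifest against the seven app-role entries listed in the Commercial and Government blocks above, which contain the same entries in a different order. The function names and the sample manifest are constructed for illustration; the input is the full manifest JSON copied from the ‘Manifest’ tab.

```python
import json

# Baseline copied from the manifest blocks on this page: resourceAppId -> app-role ids.
EXPECTED = {
    "00000003-0000-0000-c000-000000000000": {
        "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
        "75359482-378d-4052-8f01-80520e7db3cd",
        "62a82d76-70ea-41e2-9197-370581804d09",
        "a82116e5-55eb-4c41-a434-62fe8a61c773",
        "df021288-bdef-4463-88db-98f22de89214",
    },
    "00000003-0000-0ff1-ce00-000000000000": {
        "678536fe-1083-478a-9c59-b99265e6b0d3",
        "741f803b-c850-494e-b5df-cde7c675a1ca",
    },
}


def requested(manifest_text):
    """Flatten requiredResourceAccess into a set of (resource, id, type) tuples."""
    manifest = json.loads(manifest_text)
    return {
        (res["resourceAppId"].lower(), acc["id"].lower(), acc["type"])
        for res in manifest.get("requiredResourceAccess", [])
        for acc in res.get("resourceAccess", [])
    }


def audit(manifest_text):
    """Return entries missing from, and unexpected in, the saved manifest."""
    baseline = {(r, i, "Role") for r, ids in EXPECTED.items() for i in ids}
    found = requested(manifest_text)
    return {"missing": sorted(baseline - found), "unexpected": sorted(found - baseline)}


# Constructed sample: one SharePoint role was dropped and a delegated ("Scope")
# entry with a placeholder id was added; GUID case differs from the baseline.
SAMPLE = json.dumps({"requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": i, "type": "Role"} for i in sorted(
         EXPECTED["00000003-0000-0000-c000-000000000000"])]},
    {"resourceAppId": "00000003-0000-0FF1-CE00-000000000000",
     "resourceAccess": [
         {"id": "678536fe-1083-478a-9c59-b99265e6b0d3", "type": "Role"},
         {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"}]},
]})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

The manifest records what the application requests; the ‘API permissions’ tab shows what admin consent has actually granted.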
Review API permissions and complete consent
REQUIREMENT:
Granting admin consent for permissions within an app registration must be performed by a Global Administrator in the destination M365 tenant.
**Please consult your eShare Customer Success Manager before removing any API Permissions**
For the saved application, navigate to the ‘Manage’ > ‘API permissions’ tab.
Select ‘Grant admin consent for <tenant name>’ at the top of the API permissions table.
Confirm when prompted.

Upload Application Certificate
Option 1: Purchase a certificate from a well-known certificate authority and extract the private and public portions of the certificate. Upload the public portion in the Azure portal for the application and upload the private key in your eShare admin console (or provide the private key to your eShare admin).
Option 2: Create a self-signed certificate by following instructions available at https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate.
A short summary of the above instructions is below:

    # Create a self-signed certificate in PowerShell
    $certName = "eShareApp"
    $mycert = New-SelfSignedCertificate -DnsName $certName -Subject "CN=$certName" -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(50) -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

    # Export certificate to .pfx file (replace the example password with your own)
    $mycert | Export-PfxCertificate -FilePath eShareApp.pfx -Password $(ConvertTo-SecureString -String "myp@55W0rd" -AsPlainText -Force)

    # Extract .key file using OpenSSL (prompts for the .pfx password; -nodes writes the key unencrypted)
    openssl pkcs12 -in eShareApp.pfx -nocerts -nodes -out eShareApp.key

    # Extract crt from pfx using OpenSSL
    openssl pkcs12 -in eShareApp.pfx -clcerts -nokeys -out eShareApp.crt

When the appropriate certificate portions are available, navigate to ‘Manage’ > ‘Certificates & secrets’.
In the ‘Certificates’ tab, click the ‘Upload certificate’ button. Upload the CRT file from the above steps and click ‘Add’ at the bottom of the open pane.
Collect Items Required for eShare Migration Service
M365 Tenant ID: Navigate to the ‘Identity > Overview’ tab of the Entra admin console, copy the ‘Tenant ID’ and save it.
Application ID: Navigate to the ‘Overview’ tab of the application, copy the ‘Application (client) ID’ and save it.
Certificate Thumbprint: For the certificate used during the application registration process, copy the certificate thumbprint and save it.
Public Certificate: The public certificate (.cer, .crt, .pem from above steps) that was uploaded in the Entra portal for the application registration.
Private Key: The private key (.key file from above steps) for the certificate uploaded in the Entra portal for the application registration.