App registrations are used to handle the authentication and authorisation requests between the different resources.
The following sections provide an overview of the app registrations used within the Filer solution. We recommend creating separate app registrations for the development and production environments.
enc-prod-filer-admin
The following API permissions are required to be set on the admin app registration.
| API | Permissions | Type |
| --- | --- | --- |
| Microsoft Graph | openid | Delegated |
| Microsoft Graph | profile | Delegated |
| Microsoft Graph | User.Read | Delegated |
In addition to the permissions listed above, a further permission must be granted to our API; this can only be done after the Azure resources have been installed.
enc-prod-filer-api
The following API permissions are required to be set on the API app registration.
enc-prod-filer-external
The external API app registration is used by the Filer function application. It holds a certificate: one part is held within the app registration and the other part in the Filer Key Vault. Using the certificate's password together with the part stored in Azure Key Vault, an access token is created for performing tasks.
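The certificate credential described above, as an added example that is not part of the Encodian documentation or the Filer code: it builds the signed client assertion that a token request carries in place of a client secret, which is the one step that needs the private key held in Key Vault, while the app registration only needs the public certificate to verify the signature. The key, certificate, tenant ID and client ID are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// NewDemoCert creates a throwaway key and self-signed certificate (constructed demo material; in Filer the
// private key stays in Key Vault and only the public certificate is uploaded to the app registration).
func NewDemoCert() (*rsa.PrivateKey, []byte, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // demo only; this fails only if the OS random source does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "filer-external-demo"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// ClientAssertion builds the JWT a confidential client sends to the v2.0 token endpoint as client_assertion.
// Only the private key holder can sign it; Entra ID verifies it with the certificate named by the x5t header.
func ClientAssertion(key *rsa.PrivateKey, certDER []byte, tenantID, clientID string, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER) // x5t: base64url-encoded SHA-1 thumbprint of the DER certificate
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": base64.RawURLEncoding.EncodeToString(thumb[:])})
	claims, _ := json.Marshal(map[string]interface{}{
		"aud": "https://login.microsoftonline.com/" + tenantID + "/oauth2/v2.0/token", // bound to one tenant's endpoint
		"iss": clientID, "sub": clientID,
		"jti": fmt.Sprintf("%x", now.UnixNano()), // must be unique per assertion; use a UUID in production
		"nbf": now.Unix(), "exp": now.Add(10 * time.Minute).Unix(), // short lifetime limits the replay window
	})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}
func main() {
	key, der, _ := NewDemoCert()
	fmt.Println(ClientAssertion(key, der, "<tenant-id>", "<client-id>", time.Now())) // placeholder IDs
}
```

The printed value is what a client sends as `client_assertion` together with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; the token endpoint rejects it once `exp` has passed, so a leaked assertion is far less useful than a leaked client secret.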
The following API permissions are required to be set on the External API app registration.
enc-prod-filer-service
This app registration is used by the deployment pipeline to release Filer. It should contain a secret. This secret, together with the app registration's Client ID and the organisation's Tenant ID, is used to create the service connection between Encodian DevOps and the customer's tenant, enabling the deployment of Filer. Ensure the service app registration has the appropriate permissions on the subscription for it to function correctly.
The following API permissions are required to be set on the External API app registration.
| API | Permissions | Type |
| --- | --- | --- |
| Microsoft Graph | User.Read | Delegated |
Outlook add-in installation
The Outlook Add-in is deployed using the Encodian Filer CI pipeline.
To facilitate this deployment, Encodian will set up a Service Connection in Microsoft DevOps. This involves creating an app registration within the consuming Azure tenant to verify the connection between Encodian and the consuming tenant. The app registration will contain a secret, which, together with the app registration's client ID and the organisation's Azure tenant ID, is used to configure the service connection. Ensure that the service app registration has the appropriate permissions on the subscription for it to work correctly.
Once the service connection is set up and verified, we can proceed with the deployment of our software. The Outlook Add-in's source code components are hosted in the $web container of the storage account, which serves the client-side files.
The following API permissions are required to be set on the External API app registration.
| API | Permissions | Type | Purpose |
| --- | --- | --- | --- |
| Microsoft Graph | Mail.Read | Delegated | This permission allows your app to read the email messages in a user's mailbox. It can access all mail folders and the messages within them, but it cannot modify or delete emails. |
| Microsoft Graph | openid | Delegated | This permission allows the add-in to authenticate users and obtain their basic profile information. It's part of the OpenID Connect protocol, which is used for user identity verification. |
| Microsoft Graph | profile | Delegated | This permission enables your app to access basic profile information of the user. |
| Microsoft.SharePoint | Sites.Selected | Delegated | Sites.Selected grants users access to retrieve documents for which they have permission. |