Version 4.3x

For the OfficeExpert appliance, you require an Azure application. We recommend you register it automatically as described in the Setup Guide. Alternatively, you can perform a manual Azure AD application registration as follows:

  • Open aad.portal.azure.com and click on App registrations.




  • Click on New registration, complete the fields as shown in the second screenshot below, and click on Create:

    Redirect URI has to be a Single Page application with the following value:  https://<< your OE fqdn>>/auth   (eg. https://oe.acme.com/auth)





  • Go to Certificates & secrets and click on New client secret.





 Define when the client secret will expire. 

The following value is only visible immediately after creation. Please SAVE THIS VALUE, as it will be hidden later on: 



  • After you have configured the application, you need to define three roles.
    To add a new role, under App roles on the left, click on Create app role:




The following window is displayed:


Here, you can enter the three required roles:

1) ROLE_ADMIN:

Display name: Administrator
Allowed member types: "Users/Groups"
Value: ROLE_ADMIN
Description: Administrator for the appliance. Allows the user to change configuration (e.g. add new partitions).

2) ROLE_VIEWER
Display name: Viewer
Allowed number types: "Users/Groups"
Value: ROLE_VIEWER
Description: Read-only access to OfficeExpert.

3) ROLE_SEGMENT
Display name: Partition
Allowed member types: "Users/Groups"
Value: ROLE_SEGMENT
Description: Users that have assigned partitions. Assigned automatically on login.

You can customize the Description field to your liking. However, you must enter the values in the Value field as seen above (i.e. ROLE_ADMIN, ROLE_VIEWER, ROLE_SEGMENT). Otherwise, OfficeExpert will NOT work!


  • Go to API Permissions and click on Add a permission (if you want to add the permissions in a bulk, go directly to Step 7 )


Set the following Application permissions as shown on the following screenshot:
You have to add them one by one (e.g Microsoft Graph → Directory.Read.All,....)

Note: There are 2 delegated permissions in the list which are necessary for the OfficeExpert Teams Client App.



  • Alternatively, you can copy/paste the permissions via the Manifest (exchange the section:  requiredResourceAccess) instead of adding them manually.

        	"requiredResourceAccess": [
    		{
    			"resourceAppId": "00000003-0000-0000-c000-000000000000",
    			"resourceAccess": [
    				{
    					"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
    					"type": "Scope"
    				},
    				{
    					"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
    					"type": "Scope"
    				},
    				{
    					"id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
    					"type": "Role"
    				},
    				{
    					"id": "5b567255-7703-4780-807c-7be8301ae99b",
    					"type": "Role"
    				},
    				{
    					"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
    					"type": "Role"
    				},
    				{
    					"id": "79c261e0-fe76-4144-aad5-bdc68fbe4037",
    					"type": "Role"
    				}
    			]
    		}
    	],
  • Click on Grant consent.


    • The final picture should look like this:


  • Write down the Application ID.




  • For Teams Analytics customers: follow the following steps to activate SSO between the App and the appliance.

Teams App SSO - OfficeExpert ACE


Don't forget to to add at least an Administrator and assign the Admin Role in this new Azure AD application → User Role Mapping


Make sure to write down your Tenant ID and Tenant name (for example company.onmicrosoft.com). You will need it to set up the Analytics feature of OfficeExpert (see Setup Guide) and to configure the OfficeExpert App for Microsoft Teams integration.