1. Home
  2. Register an Azure application for Token Based Authentication

Register an Azure application for Token Based Authentication

Microsoft has deprecated basic authentication access to Exchange Online APIs. To increase security, Microsoft has switched to Modern Authentication, which is based on OAuth 2.0. Users with existing Microsoft Online tenants can continue using basic authentication until Microsoft ends support in the second half of 2021; However, new tenants are required to use token-based authentication.

Token-Based Authentication also changes the attributes that are controlled in Practice Protect and Office 365. Below are the main changes to take into account, as certain attributes will no longer be controlled or synced from Practice Protect:

Controlled in Practice Protect: (Will Overwrite)

  • Display Name
  • Location
  • Immutable ID
  • Primary Email/Username/UPN (it will be the primary)

Controlled in Office 365: (Will Not Overwrite)

  • Email Alias’s (Proxy Addresses)
  • Office 365 Licensing. 
  • HideFromAddressList
  • Manager
  • Addresses
  • Other Contact Fields

Steps: Disable AzureAD DirSync

As Token-Based Authentication uses the Microsoft Graph API instead of the AzureAD DirSync module, you require to disabled DirSync (If enabled)

1. Using Powershell tool, connect to Azure Msol Service with this command 
Connect-MsolService” then,

2. Run Set-MsolDirSyncEnabled -EnableDirSync $false

3. This will start the disable process. This can take up to 72 hours. Logins will be fine during this time, you just cannot create or modify users during this period. 

4. Run the following command to check the status. (Get-MSOLCompanyInformation).DirectorySynchronizationStatus

You must wait until “PendingDisable” changes to “Disabled” this can take 24-72 hours.

5. Once Disabled you can run a FullSync – This will not enable DirSync and will use Microsoft Graph API to update users in Office 365.

Steps: Register an Azure application

1. Log in to Azure Active Directory using an Admin Account.

2. On the left navigation menu, go to Applications > App registrations, then click New registration.

3. Enter a name for your app. “Practice Protect”

4. Select Accounts in this organizational directory only (your_domain only – Single Tenant).

5. Click Register.

The overview page for your registered app appears.

6. The client secret value will be unavailable once you logout, so it’s critical to capture the value now.

7. Go to API permissions, then click Add a permission.

8. Click Microsoft Graph.

9. Click Application permissions.

Scroll down the permissions list and select the following permissions, then click Add permissions.

Delegated Application
Directory.AccessAsUser.All Application.ReadWrite.All
Directory.ReadWrite.All Application.ReadWrite.OwnedBy
Group.ReadWrite.All Directory.ReadWrite.All
Organization.ReadWrite.All Domain.ReadWrite.All
User.ManageIdentities.All Group.Create
User.Read Group.ReadWrite.All
User.Read.All Organization.ReadWrite.All
User.ReadWrite User.ManageIdentities.All
User.ReadWrite.All User.ReadWrite.All

Azure updates the permissions for your app; However, you still need to provide and grant admin consent manually.

10. Click Grant admin consent for <your company>.

11. Click Yes on the confirmation prompt.

Since you are already logged in as an administrator, a notification Successfully granted admin consent for the requested permissions. appears at the top of the page.

12. Returning on the left navigation menu, proceed to Roles & Admins > Roles & admins Now go to Roles and administrators.

13. Search for the role Global Administrator and Click on it.

14. Click on Add assignments.


15. Search for the App name from Step 3. Highlight it and Add. This will assign the App with the Global Admin role.
Note: This type is a ServicePrincipal not a user. 

16. Go back to the Overview setting of the app. Copy the Application (client) ID, Directory ID (tenant), and the Object ID. Store those details as they will be use for Federation or for the next steps.

17. Open PowerShell again and run the the following commands to connect to AzureAD and to create a secret key with a custom set of date variables. 


$StartDate = Get-Date

$EndDate = $startDate.AddYears(100)

Then run the following command below to generate a secret key. Change the ObjectID based on what you copied on Step 16.

New-AzureADApplicationPasswordCredential -ObjectId 359489f0-ee65-448d-8fd2-4f02a969583b -StartDate $startDate -EndDate $endDate

Make sure to Copy the Value Output to your clipboard/notepad.

18. You should now have the details for Secret Key, Application (client) ID, and Directory (tenant) ID. 


Update Authentication Method (Token Based Auth)

Practice Protect Office365 Federation uses token based authentication nowadays. However, if your firm was setup with Basic Authentication, continue and follow the steps below: 

1. Login to Practice Protect Admin, Web Apps  > Office365 Federation app. On the Authentication Method, Select Token Based Authentication

2. Copy and paste value/output that was created from the steps above to these fields (Directory ID, Client ID, Client Secret

3. Go to Provisioning

20. Scroll down to Provisioning Script:

Update the Script to include the following:

if (isPerson()) {


destination.UsageLocation = “AU”;

destination.Mail = source.CanonicalizeName;


Save the Script.

21. Go to SettingsUsersOutbound Provisioning and Start Sync.

Updated on January 9, 2023
Need Support?
Can't find the answer you're looking for?
Contact Support