AvePoint Learn
Request article
Contact support
Request article
Contact support
English

Home > App Management > Manage App Profiles for Microsoft Tenants > Re-authorize App Profiles for Microsoft Tenants

Export to PDF

Re-authorize App Profiles for Microsoft Tenants

Re-authorize app profiles for Microsoft tenants in the following scenarios:

  • The app profiles which are in the Invalid status must be re-authorized.

  • If you want to change the account used to consent to an app, you can re-authorize the related app profile.

  • If an app has been updated to add new API permissions required by new features, the related app profile must be re-authorized.

  • If your tenant has an app with delegated permissions, note the following:

    • According to Microsoft’s non-interactive user sign-ins, the sign-in logs show the original IP used for the original token issuance, as the IP address of non-interactive sign-ins performed by confidential clients (AvePoint Online Services) doesn’t match the actual original IP of the event when a Microsoft user signed in and consented to an app. If you create an app with delegated permissions, you must add the original IP address to your Microsoft tenant’s conditional access policies (if any). Otherwise, the apps with delegated permissions will be Invalid. After you add the original IP address to your conditional access policies, you can manually re-authorize the app profile to update its status or wait for AvePoint Online Services to automatically update its status.

    • For an app with delegated permissions, the related app profile needs to be re-authorized when its consent user’s Microsoft 365 account is in any of the following scenarios:

      • If multi-factor authentication (MFA) is enabled on the consent user's Microsoft 365 account after the user has given consent to the custom app profile, the app profile needs to be re-authorized.

      • If the consent user’s Microsoft 365 account is unavailable (e.g. the password was changed or the user left the company), the app profile will be Invalid and need to be re-authorized.

      NOTE

      To help you easily find the apps with delegated permissions, the related AvePoint default apps are marked with the icons as below:

      • Apps that utilize both application and delegated API permissions are marked with the hybrid icon.

        This app utilizes both application and delegated API permissions.

      • Apps that have delegated API permissions only are marked with the purebred icon.

        This app has delegated API permissions only.

  • For a Custom Azure app / Custom Azure app with delegated permissions, you also need to re-authorize the app profile if:

    • You want to change the custom Azure app that connects AvePoint Online Services to your tenant.

    • The certificate file of the custom Azure app has been changed.

  • For a Delegated app used by the Cloud Backup for Microsoft 365 service, you also need to re-authorize the app profile if you want to change the functions which will use the app. When you re-authorize the Delegated app, ensure that your organization’s subscription for the Cloud Backup for Microsoft 365 service has included the modules you want to protect. Then, you can select desired functions from the following that are supported by the Delegated app:

    • Restore Teams channel conversations as posts

    • Protect Power BI

    • Protect Power Automate / Power Apps

    • Restore Planner task comments

    NOTE

    If your tenant is using a scan profile configured in the AOS classic UI for protecting Planner data via Cloud Backup for Microsoft 365, you can follow the steps below to update the method of Planner data protection.

    1. In AOS, refer to the instructions below to prepare an app profile based on your scenario:

      • If you want to use a classic mode app, create/re-authorize an app profile of the Microsoft 365 (All permissions) app type, and ensure that the Microsoft Graph permission Tasks.ReadWrite.All has been added to the app.

      • If you want to use a modern mode app, create an app profile of the Cloud Backup for Microsoft 365 (All permissions) app type.

      • If you want to use a custom mode app, create an app profile of the Custom Azure app type and ensure that the Microsoft Graph permission Tasks.ReadWrite.All has been added to the custom app.

      1. Edit the scan profile and save it.

        NOTE

        For a scan profile configured in the AOS classic UI for protecting Planner data, the authentication method in the scan profile is a service account profile or app profile with an additional delegated app profile. In the AOS new UI, once this kind of scan profile has been edited, the authentication method will be updated to the app profile. Thus, you can edit and save a scan profile even without any changes.

      2. Go to Cloud Backup for Microsoft 365 to check the backup setting and ensure that the option for Planner data backup has been enabled.

  • The following apps support user consent, and you can re-authorize these apps with a non-Administrator account in your Microsoft tenant. When you re-authorize one of the following apps, you can choose a consent method between Administrator Consent and User Consent.

    NOTE

    When you re-authorize the other apps that are not in the table below, refer to Administrator Consent.

ServiceApp type (in AOS)
InsightsInsights for Microsoft 365
InsightsInsights for Power Platform
EnPowerEnPower for Microsoft 365
EnPowerEnPower for Power Platform
EnPowerEnPower for Teams Calling
FlyFly for Power Platform
FlyFly Delegated App
Cloud Backup for IaaS + PaaSCloud Backup for Azure
Cloud Backup for IaaS + PaaSDelegated App
Cloud Backup for IaaS + PaaSCloud Backup for Azure DevOps
Cloud GovernanceCloud Governance for Power Platform
Cloud GovernanceCloud Governance Delegated App
MyHubMyHub
Policies for Microsoft 365Policies for Microsoft 365
tyGraphtyGraph Suite
tyGraphtyGraph for Viva Engage
Cloud Backup for Microsoft 365Delegated App
Cloud Backup for Microsoft 365Cloud Backup Express
Cloud GovernanceCloud Backup for Microsoft 365Viva Engage
Document Management System OnlineDocument Management System Online (DMS Online)
AvePoint Portal ManagerAvePoint Portal Manager
AvePoint Portal ManagerAvePoint Portal Manager for Room - Terminal Interface View
EnPower / Cloud Governance / Cloud Backup for Microsoft 365 / Cloud Backup for IaaS + PaaS / Insights / Fly / MyHub / tyGraph / AvePoint Portal ManagerCustom app with delegated permissions

Refer to the sections below to re-authorize an app with an appropriate consent method.

NOTE

You do not need any permissions or Microsoft licenses other than those listed in this guide.

Administrator Consent

Refer to the following instructions to re-authorize an app profile with a Microsoft 365 Global Administrator or a Privileged Role Administrator account.

  1. Select an app profile and click Re-authorize.

  2. Note the following when you re-authorize different app profiles:

    • When you re-authorize an AvePoint default service app for Viva Engage, you can also consent to the app with an Engage Administrator (Yammer Administrator in Microsoft Entra ID) account.

    • When you re-authorize an app profile for the Fly service and consenting to the app with a Privileged Role Administrator account, the account may need additional permissions.

    • When you re-authorize an app profile for the AvePoint Portal Manager service, the consent user must be a Microsoft 365 Global Administrator or have the Privileged Role Administrator and Teams Service admin role.

    • When you re-authorize an app profile for the Cloud Backup for Microsoft 365 service, note the following:

      • When consenting to the Cloud Backup for Microsoft 365 delegated app, you also need to choose the functions that will use this app. The user who consents to the app must have the Microsoft 365 Global Administrator role. For details, refer to the Required Permissions of Microsoft Delegated App section in the Cloud Backup for Microsoft 365 user guide.

      • When consenting to a Viva Engage app profile used by Cloud Backup for Microsoft 365, the consent user must have the Verified Admin role and the Yammer Administrator role with the Viva Engage product license.

      • When consenting to the Cloud Backup Express app profile , the consent user must have the Microsoft 365 Backup Administrator role.

    • When consenting to an app profile for the Cloud Governance delegated app, the user must have the Microsoft 365 Global Administrator or Exchange Administrator role.

    • When you re-authorize an app profile for a Custom Azure app / Custom Azure app with delegated permissions app, refer to the following instructions:

      1. Application ID – Enter the application ID of the custom app. To keep using the current app, you can get its application ID in the app profile detail page. If you want to change to another app, enter the application ID of the app that your organization has created. For additional details on creating an app, refer to Create a Custom Azure App.

      2. Certificate file (.pfx) – Click Browse and select your app’s private certificate (the .pfx file).

        NOTE

        Ensure this .pfx file is paired with the .cer/.crt file which is uploaded for this custom app in Microsoft Entra ID. If your organization does not have any certificates, you can create self-signed certificates by referring to Prepare a Certificate for the Custom Azure App.

      3. Certificate password – Enter the password of the certificate.

      4. Click Finish.

User Consent

The following apps support user consent, and you can re-authorize these apps with a non-Administrator account in your Microsoft tenant.

NOTE

When you re-authorize the other apps that are not in the table below, refer to Administrator Consent.

ServiceApp type (in AOS)App name (in Microsoft Entra ID)
InsightsInsights for Microsoft 365AvePoint Insights for Microsoft365
InsightsInsights for Power PlatformAvePoint Insights for Power Platform
EnPowerEnPower for Microsoft 365AvePoint EnPower for Microsoft365
EnPowerEnPower for Power PlatformAvePoint EnPower PowerPlatform Management
EnPowerEnPower for Teams CallingAvePoint EnPower Teams Calling
FlyFly for Power PlatformAvePoint Fly for Power Platform
FlyFly Delegated AppAvePoint Fly Delegated App
Cloud Backup for IaaS + PaaSCloud Backup for AzureAvePoint Cloud Backup for Azure
Cloud Backup for IaaS + PaaSDelegated AppAvePoint Online Services – Delegated App
Cloud Backup for IaaS + PaaSCloud Backup for Azure DevOpsAvePoint Cloud Backup for Azure DevOps
Cloud GovernanceCloud Governance for Power PlatformAvePoint Cloud Governance for Power Platform
Cloud GovernanceCloud Governance Delegated AppAvePoint Cloud Governance Delegated App
MyHubMyHubAvePoint MyHub
Policies for Microsoft 365Policies for Microsoft 365AvePoint Policies for Microsoft365
tyGraphtyGraph SuiteAvePoint tyGraph
tyGraphtyGraph for Viva EngageAvePoint tyGraph for Viva Engage
Cloud Backup for Microsoft 365Delegated AppAvePoint Online Services – Delegated App
Cloud Backup for Microsoft 365Cloud Backup ExpressAvePoint Cloud Backup Express
Cloud GovernanceCloud Backup for Microsoft 365Viva EngageAvePoint Online Services Administration for Viva Engage
Document Management System OnlineDocument Management System Online (DMS Online)AvePoint Document Management System Online
AvePoint Portal ManagerAvePoint Portal ManagerAvePoint Portal Manager
AvePoint Portal ManagerAvePoint Portal Manager for Room - Terminal Interface ViewAvePoint Portal Manager for Room - Terminal Interface View
EnPowerCloud GovernanceCloud Backup for Microsoft 365Cloud Backup for IaaS + PaaSInsights FlyMyHubtyGraphAvePoint Portal ManagerCustom app with delegated permissions (API Permissions Required by Custom Apps)[custom app name]You can also get its application ID in the app profile detail page.

Before you choose the User consent method, complete the following preparations:

  1. Ensure that your organization has granted admin consent to the app in Microsoft Entra ID. You can refer to the steps below to grant admin consent to an app:

    1. Log in to Microsoft Entra admin center (or Microsoft Azure portal).

    2. Follow the instructions below to grant admin consent to an AvePoint app or a custom app:

      • To grant admin consent to an AvePoint app, navigate to Microsoft Entra ID > Enterprise applications, click the app, click Permissions in the Security menu, and then click Grant admin consent for [Tenant name].

        Granting admin consent to an app in Enterprise applications.

      • To grant admin consent to a custom app, navigate to Microsoft Entra ID > App registrations, click the app, click API permissions in the Manage menu, and then click Grant admin consent for [Tenant name].

        Granting admin consent to an app in App registrations.

  2. Refer to the following information to prepare required users who consent to the apps:

    • To scan and manage Power Platform objects, the user who provides consent must have the following required license/role:

      • The Power Platform Administrator role must be assigned to the user who provides consent for the app profiles for scanning Environments, Connections, Power Apps, Solutions, Power Automate, or Copilot Studio objects.

      • The Power BI license and Fabric Administrator role must be assigned to the user who provides consent for the app profiles for scanning Power BI objects.

    • To re-authorize an AvePoint default service app for Viva Engage, the user who provides consent must have an Engage Administrator (Yammer Administrator in Microsoft Entra ID) role.

    • To re-authorize the Cloud Backup Express app, the user who provides consent to the app must have the Microsoft 365 Backup Administrator role.

    • To re-authorize a custom app for AvePoint Portal Manager, the user who provides consent to the app must have the Teams Service admins role or a higher privileged role.

    • To re-authorize the Cloud Governance delegated app, the user who provides consent to the app must be a group owner.

      NOTE

      lf your organization intends to modify these two settings, Outside Senders and Subscribe Members, they must ensure that the consent user is added into the group owners of all groups for which these two settings are to be modified.

To re-authorize an app profile with the User consent method, refer to the steps below:

  1. Select an app profile and click Re-authorize.

  2. Note the following when you re-authorize different app profiles:

    • When you re-authorize an app profile for a delegated app used by the Cloud Backup for Microsoft 365 service, you also need to choose the functions which will use this app.

    • When you re-authorize an app profile for a Custom Azure app with delegated permissions app, refer to the following instructions:

      1. Application ID – Enter the application ID of the custom app. To keep using the current app, you can get its application ID in the app profile detail page. If you want to change to another app, enter the application ID of the app that your organization has created. For additional details on creating an app, refer to Create a Custom Azure App.

      2. Certificate file (.pfx) – Click Browse and select your app’s private certificate (the .pfx file).

        NOTE

        Ensure this .pfx file is paired with the .cer/.crt file which is uploaded for this custom app in Microsoft Entra ID. If your organization does not have any certificates, you can create self-signed certificates by referring to Prepare a Certificate for the Custom Azure App.

      3. Certificate password – Enter the password of the certificate.

  3. Select the User consent option.

  4. Click Continue to consent.