Reregistering Graph API

This section describes how to reregister Microsoft Graph API.

Reregister Graph API when its expiration date is approaching or when its confidential information (Azure AD Client Secret) has leaked.

[ Note ]

Perform reregistration of Graph API before Graph API expires.

If Graph API has expired, provisioning with Microsoft 365 (Azure AD) will fail and data inconsistency will occur between the IIJ ID Service and Microsoft 365.
In addition, a job with the error "There is a problem with the settings of the Graph API" will be generated. Refer to "Troubleshooting Failed Jobs" for more information.

[ Reference ]

  • The expiration date of Graph API can be checked in "Application Management" on IIJ ID Console. As shown in the images in steps 2 and 4 below, it is displayed in "Graph API status" or "Azure AD Client Secret expiration date" of the relevant application.

  • As the expiration date of Graph API approaches, a notification email is sent to "Mail destination from the system."

  1. Click "Application" and then "Application Management."
  2. Click "Microsoft 365" and then "Edit."
  3. Click "Graph API."
  4. Click "Edit."

  5. Click "Download PowerShell Script."
  6. Run PowerShell on a Windows computer.

  7. Use the following command to run the PowerShell script as illustrated in the example.

    [ Reference ]

    Write down the Graph API information displayed after execution of the PowerShell script because the information will be used in the next step.

    Example command line:

    powershell -ExecutionPolicy bypass -File '.\setup_graph_api.ps1'

    [ Reference ]

    The following window may be displayed at the time of execution.
    If this window is displayed, click "Accept" without checking the "Consent on behalf of your organization" box.

  8. Enter the Graph API information obtained in step 7 in IIJ ID Console and click "Configure."

    Option                  Description                                Comments
    Azure AD Tenant ID      Azure AD tenant ID you use
    Azure AD Client ID      Azure AD client ID used for Graph API
    Azure AD Client Secret  Azure AD client secret used for Graph API  This information is sensitive. Exercise care in the handling of this information.

    [ Note ]

    If you reregister Graph API while provisioning is in progress, the provisioning may fail (a job indicating that the provisioning has failed will be generated). For this reason, we recommend executing "Reregistration of Graph API" and then "Reissue" when no provisioning job is generated.

    When the reregistration has been completed, confirm that the provisioning task succeeds.
    Refer to "Verifying Provisioning Jobs of Microsoft 365 Applications" for how to check it.

    [ Reference ]

    Because provisioning is performed periodically, it may take some time before it is executed.
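
A complementary check from the Azure AD side, as an added example that is not part of this manual or of the downloaded setup_graph_api.ps1: it lists the client secrets on the app registration identified by the Azure AD Client ID and flags those that are expired or close to expiry. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can read app registrations; the client ID value and the 30-day threshold are placeholders chosen for the example.

```powershell
# Added example: audit client secret expiry for the Graph API app registration.
# Assumption: the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications) is installed.

$ClientId = '00000000-0000-0000-0000-000000000000'  # placeholder: Azure AD Client ID from step 8
$WarnDays = 30                                      # constructed threshold, adjust as needed

# Read-only scope; nothing is changed in the tenant.
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

# Look up the app registration by its client (application) ID.
$app = Get-MgApplication -Filter "appId eq '$ClientId'" `
    -Property 'id,appId,displayName,passwordCredentials'
if (-not $app) {
    throw "No app registration found for client ID $ClientId"
}

$now = (Get-Date).ToUniversalTime()

# One row per client secret. Secret values are never returned by Graph,
# only metadata such as the key ID and validity period.
$report = foreach ($cred in $app.PasswordCredentials) {
    if ($null -eq $cred.EndDateTime) { continue }
    $endUtc   = $cred.EndDateTime.ToUniversalTime()
    $daysLeft = [math]::Floor(($endUtc - $now).TotalDays)
    [pscustomobject]@{
        KeyId       = $cred.KeyId
        DisplayName = $cred.DisplayName
        EndUtc      = $endUtc
        DaysLeft    = $daysLeft
        Status      = if ($daysLeft -lt 0) { 'Expired' }
                      elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                      else { 'Valid' }
    }
}

$report | Sort-Object EndUtc | Format-Table -AutoSize

# Summarise what needs attention.
$valid = @($report | Where-Object Status -eq 'Valid')
$soon  = @($report | Where-Object Status -eq 'ExpiringSoon')
if ($valid.Count -eq 0) {
    Write-Warning "No secret on '$($app.DisplayName)' is valid beyond $WarnDays days; reregister Graph API."
}
if ($soon.Count -gt 0) {
    Write-Warning "$($soon.Count) secret(s) expire within $WarnDays days."
}
```

After a reregistration prompted by a leak, every entry still reported as Valid or ExpiringSoon is a secret that can still be used, so compare the list against the secret recorded in step 7.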