Introduction

Using Microsoft Entra ID (formerly known as Azure Active Directory) groups can simplify how permissions are granted to a SharePoint site, and the groups can also be used by Read and Understood as a ‘To’ recipient. All members of the group will be sent an Acknowledge Reading Request. By default, however, the Read and Understood App does not have access to read Azure group membership, so permissions must be granted.

Manager Direct Reports Summary Email

A feature of Read and Understood is the ability, at the end of an acknowledgement cycle, to send an email to the line managers of those who participated in the acknowledgement request. This works by using the Manager feature of Entra ID, which is also accessible via the Microsoft 365 admin center. When generating the Manager Direct Reports, Read and Understood retrieves the Manager property from Entra ID for every employee requested to acknowledge that document, and each Manager is sent an Excel Report of all their direct reports and how they responded to the acknowledgement request. The reports are generated and emailed once you have completed the instructions below, ensured the manager property is set and enabled the feature in the Document Selectors.

Granting the Read and Understood App Read Access to Entra ID Groups

It is important to note that some of the images provided in this document are subject to change by Microsoft as the UI undergoes regular improvements; however, the functionality for this process remains.

Sending Emails using Office 365 Mailbox enabled account

Customers using a paid plan for Read and Understood will use an Office 365 mailbox to send email notifications to employees. The instructions provided below will take you through the steps of ensuring the App has permissions to send emails through an account in your company. The account you create in 365 for sending the Read and Understood emails must have an Exchange Online mailbox.

  1. Log in to your Azure Portal as a global administrator

  2. Select Microsoft Entra ID

  3. Click, from the menu, 'App registrations'

  4. Click 'New registration' and follow the steps below:

    1. Provide a User Friendly name for the App Registration e.g. Read and Understood

    2. Set the Application type as Web

    3. Set a value for the Redirect URI. It does not have to be a real endpoint; we suggest https://readandinderstood.YOURTENANTDOMAIN.com, replacing YOURTENANTDOMAIN with the actual tenant domain name

  5. Click Create

    Result: A page will appear with the App Details.

  6. Important: Copy and store the Application (client) Id. (You will need the value for all Read and Understood Apps in your SharePoint tenant)

  7. Next, create a Client Secret by following the steps below:

    1. From the Menu click Certificates & Secrets

    2. Click 'New secret'

    3. Enter the Description for the New Client Secret e.g. Read and Understood

    4. Set the secret to never expire

      IMPORTANT: Microsoft have started removing the ‘Never’ expiring secrets option in tenants, and we have noticed the maximum limit is now 2 years. For this reason we strongly recommend you record the date of expiry and set a reminder to update it. Microsoft do not currently provide a mechanism by which we can check if a Secret is about to expire; we only know when it has expired.

    5. Click Add

  8. From the Menu, click 'API permissions'

    1. Click Add a Permission

    2. Then select 'Microsoft APIs' followed by Microsoft Graph

    3. Click Application Permissions

    4. Find 'Group.Read.All' and check the option

    5. Next, find 'User.Read.All' and check the option

    6. Next, find 'Directory.Read.All' and check the option

    7. Next, find 'OrgContact.Read.All' and check the option.

    8. IMPORTANT, to support our Office Mail Plans find 'Mail.Send' and check the option.

    9. Having made the changes click 'Add Permissions'

    10. Now grant those permissions added to the App


      Note: the image above will request consent to the Host Name of your Tenant.

    11. Confirm Consent by clicking Yes

      Result: The permissions will appear with green ticks as shown below:

  9. Go to Site Content and click the Read and Understood App

  10. Click Site Administration from the menu

  11. Scroll down the page and locate 'Azure Active Directory Integration with App Registration'. Paste the Application Client ID saved earlier in the process

  12. Paste the Client Secret ID into the Client Secret field

  13. The button 'Enable integration with Azure Active Directory for this tenant' will enable once the values are entered. Press the button.

    A validation is performed by the App to verify the access is correctly granted; any issues will be displayed to the user.

Manager Summary

In the Microsoft 365 Admin Center, check users have the manager property set:

Manager Property in Microsoft 365 Admin Center

In Azure Active Directory, check users have the manager property set:

Manager property in Azure Active Directory

Set the Manager Property in Azure Active Directory
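To see in advance which recipients have a usable manager property, the following added example (not part of the Read and Understood App) groups acknowledgement recipients by their manager's mailbox and lists those whose manager is unset or has no mail address. The user data is a constructed sample in the shape Microsoft Graph returns when users are queried with the manager relationship expanded; the function name and addresses are illustrative.

```python
import json
from collections import defaultdict

# Constructed sample in the shape Microsoft Graph returns for
# GET /users?$select=displayName,mail&$expand=manager($select=displayName,mail)
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"displayName": "Ana Ruiz",  "mail": "ana@contoso.example",
   "manager": {"displayName": "Dev Patel", "mail": "dev@contoso.example"}},
  {"displayName": "Ben Okoro", "mail": "ben@contoso.example",
   "manager": {"displayName": "Dev Patel", "mail": "dev@contoso.example"}},
  {"displayName": "Cy Lind",   "mail": "cy@contoso.example"},
  {"displayName": "Dee Moss",  "mail": "dee@contoso.example",
   "manager": {"displayName": "Svc Owner", "mail": null}}
]}
""")

def plan_manager_summaries(users, recipients):
    """Group acknowledgement recipients by their manager's mailbox.

    Returns (reports, unresolved): reports maps manager mail -> direct reports;
    unresolved lists recipients whose manager is unset or has no mailbox.
    """
    by_mail = {u["mail"].lower(): u for u in users if u.get("mail")}
    reports, unresolved = defaultdict(list), []
    for address in recipients:
        user = by_mail.get(address.lower())
        # A user with no manager set simply lacks the 'manager' key.
        manager_mail = ((user or {}).get("manager") or {}).get("mail")
        if manager_mail:
            reports[manager_mail.lower()].append(address.lower())
        else:
            unresolved.append(address.lower())
    return dict(reports), unresolved

if __name__ == "__main__":
    recipients = ["ana@contoso.example", "ben@contoso.example",
                  "cy@contoso.example", "dee@contoso.example"]
    reports, unresolved = plan_manager_summaries(SAMPLE_RESPONSE["value"], recipients)
    print("summaries:", reports)
    print("no usable manager:", unresolved)
```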

To enable a Manager Summary Report, having enabled the Azure Active Directory permissions for the Read and Understood App:

  1. Open the Read and Understood App within the site.

  2. Click Manage Document Selectors in the Navigation

  3. Select the Site you wish to update.

  4. Select the Library you wish to update.

  5. If you wish to enable the option for ALL Libraries enabled for Read and Understood in the Site, you can update the Site Document Selector; alternatively, just edit the Document Selector to which you wish to apply the change.

  6. Set ‘Send Manager a Direct Reports summary’ to Yes

  7. Save and Close

Enable Manager Summary Report