{"id":16310,"date":"2023-11-13T08:53:21","date_gmt":"2023-11-13T16:53:21","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/?p=16310"},"modified":"2023-11-22T00:09:51","modified_gmt":"2023-11-22T08:09:51","slug":"use-microsoft-graph-connectors-to-securely-bring-external-content-into-microsoft-365","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/use-microsoft-graph-connectors-to-securely-bring-external-content-into-microsoft-365\/","title":{"rendered":"Use Microsoft Graph connectors to securely bring external content into Microsoft 365"},"content":{"rendered":"<p><span style=\"font-size: 12pt; text-align: var(--bs-body-text-align);\">Over the past few weeks, we\u2019ve been exploring Microsoft Graph connectors and seen how to work smarter and more efficiently by accessing your external data sources within Microsoft 365 alongside your internal content. In this post, we will show you how to securely import external content to Microsoft 365 with Microsoft Graph connectors, and how this can benefit you and your organization.<\/span><\/p>\n<h2>Why you should consider importing external content to Microsoft 365<\/h2>\n<p>By using Microsoft Graph connectors, you can import content from various external sources into Microsoft 365. This not only allows you and your colleagues to easily find relevant information in your organization from one place but also to discover new content and easily share it with your colleagues. What\u2019s more, when you start using Microsoft 365 Copilot, importing external content to Microsoft 365 will allow Copilot to reason over more of your organization\u2019s information, giving you more relevant responses.<\/p>\n<h2>Importing external content with correct permissions<\/h2>\n<p>Information that you store outside of Microsoft 365 is either accessible by everyone in your organization or only <a id=\"post-16310-_Int_apqsbvml\"><\/a>by a select group of people. 
The permissions for accessing external content are stored in the external system.<\/p>\n<p>When importing content using Microsoft Graph connectors, you retrieve content <strong>and<\/strong> its permissions from your external system. Using this information, for each piece of content that you import, you build an <strong>access control list (ACL)<\/strong> and include it with the item when it\u2019s imported to Microsoft 365.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-16312\" src=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2023\/11\/word-image-16310-1.png\" alt=\"Chart showing how Microsoft Graph connector exports content and its permissions from an external system and imports secured content to Microsoft 365\" width=\"1099\" height=\"482\" srcset=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2023\/11\/word-image-16310-1.png 1099w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2023\/11\/word-image-16310-1-300x132.png 300w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2023\/11\/word-image-16310-1-1024x449.png 1024w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2023\/11\/word-image-16310-1-768x337.png 768w\" sizes=\"(max-width: 1099px) 100vw, 1099px\" \/><\/p>\n<p>This lets you ensure that only individuals specified in the external system can access the imported content. When importing external content using Microsoft Graph connectors, you have several options to ensure that it&#8217;s accessible by the same group of people who can access it in the external system.<\/p>\n<h2>Anatomy of an access control list<\/h2>\n<p>An access control list is an array of access control entries. 
Each entry consists of three elements:<\/p>\n<ol>\n<li><strong>Access type<\/strong>, which specifies if the entry is for granting or denying access to the piece of content<\/li>\n<li><strong>Type<\/strong>, which specifies the type of entity described by the entry. It can be a Microsoft Entra user, Entra group, everyone in your tenant, everyone except guest users, or an external group (i.e., group that\u2019s defined in your external system)<\/li>\n<li><strong>Value<\/strong>, which identifies the entity described by the entry<\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-16313\" src=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2023\/11\/word-image-16310-2.png\" alt=\"Example with code of an access control list\" width=\"624\" height=\"295\" srcset=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2023\/11\/word-image-16310-2.png 624w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2023\/11\/word-image-16310-2-300x142.png 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/p>\n<p><strong>PRO TIP:<\/strong> Each imported item must include at least one access control entry. You can also include multiple entries to make the item accessible by multiple groups of people.<\/p>\n<p>Let\u2019s have a look at some common scenarios of how you\u2019d ensure correct access to your imported content.<\/p>\n<h2 aria-level=\"2\">Importing content available to everyone in the organization<\/h2>\n<p>One of the most common scenarios is importing external content that\u2019s available to everyone in the organization. 
If you\u2019re importing such content, you can use the following access control entry on all content items:<\/p>\n<p style=\"padding-left: 40px;\">Access type: grant<br \/>Type: Everyone<br \/>Value: Everyone<\/p>\n<h2>Importing content available only to a specific group of people from an external system with single sign-on with Microsoft 365<\/h2>\n<p>If 
your external system has single sign-on with Microsoft 365, your external content is secured with users and groups from Microsoft Entra ID (previously Azure Active Directory). In such cases, you can define access control entries of type <strong>User<\/strong> (if you\u2019re referring to single Entra users) or <strong>Group<\/strong> (when you\u2019re referring to Entra groups). You\u2019ll configure the value to refer to the Microsoft Entra user or group, for example:<\/p>\n<p style=\"padding-left: 40px; text-align: left;\">Access type: grant<br \/>Type: group<br \/>Value: Management<\/p>\n<h2>Importing content available only to a specific group of people from an external system without single sign-on with Microsoft 365<\/h2>\n<p>If you\u2019re importing content from a system that 
doesn\u2019t have single sign-on with Microsoft 365, you can still ensure that the imported content is properly secured and only available to the correct individuals. In such a case, you\u2019ll define external groups which you\u2019ll use to secure the imported content. These groups reflect memberships defined in the external system but refer to Microsoft Entra users and groups or other external groups.<\/p>\n<p>For more information about working with external groups, review the <a href=\"https:\/\/learn.microsoft.com\/graph\/connecting-external-content-external-groups\">documentation<\/a>.<\/p>\n<h2>Keep your external permissions and access control lists synchronized<\/h2>\n<p>The external system from which you import content to Microsoft 365 contains the primary reference of permissions and who has access to what content. When building Microsoft Graph connectors, you must synchronize these permissions to your content imported to Microsoft 365 to ensure its security.<\/p>\n<p>If your external system raises an event when permissions change, you can immediately update them on the external content imported to Microsoft 365. If the external system doesn\u2019t support events, then you\u2019ll build a frequently running process that scans for changed permissions and updates them accordingly. You should include the ability to refresh permissions on demand, which will allow you to instantaneously refresh permissions if such a need arises.<\/p>\n<h2>Conclusion<\/h2>\n<p>Microsoft Graph connectors are a powerful and versatile way to centralize content in your organization on Microsoft 365 so that you can easily find and share information with your colleagues. When importing content, you must ensure that it\u2019s secured as defined in the external system. Microsoft Graph connectors offer you several flexible ways to define permissions on imported content to ensure that it\u2019s only accessible by privileged individuals. 
Once content is imported, it\u2019s protected by the same security and compliance policies that apply to Microsoft 365 data.<\/p>\n<p>To learn more about configuring permissions on content imported using Microsoft Graph connectors, see the <a href=\"https:\/\/learn.microsoft.com\/graph\/connecting-external-content-manage-items#access-control-list\">documentation<\/a>.<\/p>\n<p><a href=\"https:\/\/adoption.microsoft.com\/en-us\/sample-solution-gallery\/?keyword=&amp;sort-by=&amp;page=1&amp;product=Microsoft+Graph+connectors\">Try Graph connector samples<\/a> built by Microsoft and the Microsoft 365 community, to see what\u2019s possible.<\/p>\n<h2>More resources:<\/h2>\n<ul>\n<li>Visit our <a href=\"https:\/\/developer.microsoft.com\/en-us\/graph\/connectors\">Microsoft 365 Dev Center<\/a><\/li>\n<li>Follow us on <a href=\"https:\/\/twitter.com\/Microsoft365Dev\">Microsoft 365 Developer (@Microsoft365Dev) \/ X<\/a> for the latest news and announcements<\/li>\n<li>Check out demos and videos on <a href=\"https:\/\/www.youtube.com\/@Microsoft365Developer\">Microsoft 365 Developer &#8211; YouTube<\/a><\/li>\n<\/ul>\n<p>Happy coding!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how to build an access control list (ACL) when importing content to Microsoft 365 using Microsoft Graph connectors.<\/p>\n","protected":false},"author":74222,"featured_media":16351,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3],"tags":[278,157],"class_list":["post-16310","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-graph","tag-access-control-list","tag-microsoft-graph-connectors"],"acf":[],"blog_post_summary":"<p>Learn how to build an access control list (ACL) when importing content to Microsoft 365 using Microsoft Graph 
connectors.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/16310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/74222"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=16310"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/16310\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/16351"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=16310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=16310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=16310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}