Microsoft Planner - Authentication Methods

OneConnect supports multiple authentication options to connect to Microsoft Planner.

Please review the options available and choose the best option for your company, before beginning the integration setup.

Please ensure the person enabling the integration permissions has the necessary administrative rights to do so. 

There must be an Entra Application available in order to connect to Microsoft Planner. You can create your own or use the default one.

 

Using OnePlan Logged in User's Account + Default OnePlan App

When the Microsoft Planner integration is used from the OnePlan application, it is possible to use the logged in user's Entra ID account. 

The default App ID: 1d5c336b-c056-4d77-87c2-cdd4428b1a68

Pros of using this option:

  • Quick to set up.
  • Additional service account is not required. 

Cons of using this option:

  • OnePlan Forms user accounts are not supported.
  • Users must have permission to manage Office 365 groups (create and add users).

To use this option, a Microsoft tenant administrator must click the Authorize button within the Planner connector. This will prompt a login screen where the tenant administrator will need to enter their credentials. 

That will add an Entra Application named OneConnect for M365 Planner to your tenant. The OneConnect for M365 Planner application will have the following delegated permissions:

  • Microsoft Graph: User.Read.All
  • Microsoft Graph: Group.ReadWrite.All
  • Microsoft Graph: Tasks.ReadWrite

Service Account + Default OnePlan Application

You can use an Entra ID account to connect to Planner. In this scenario, all communication with Planner is done via a central account. We call this user account a "Service Account". The service account whose username and password you provide must have access to Planner.

The user account cannot have Multi-Factor Authentication (MFA) enabled.

The default App ID: 1d5c336b-c056-4d77-87c2-cdd4428b1a68

Pros of using this option:

  • Individual users do not need Office 365 group management rights.

Cons of using this option:

  • The account cannot have Multi-Factor Authentication (MFA).
  • A username and password must be configured in OneConnect. 
  • More involved process to set up (requires a Microsoft tenant administrator to approve permissions).

To create the default OnePlan application, a Microsoft tenant administrator must click the Authorize button within the Planner connector. This will prompt a login screen where the tenant administrator will need to enter their credentials.

That will add an Entra Application named OneConnect for M365 Planner to your tenant. The OneConnect for M365 Planner application will have the following delegated permissions:

  • Microsoft Graph: User.Read.All
  • Microsoft Graph: Group.ReadWrite.All
  • Microsoft Graph: Tasks.ReadWrite

Service Account + Custom Entra Application

You can also create your own Entra Application to connect to Planner. In this scenario, all communication with Planner is done via a central account. We call this user account a "Service Account".

To authenticate to Planner, provide the username and password for an account that has access to Planner, check the Use integration credentials to connect to Planner checkbox, and enter the Custom App credentials in the Client Id and Client Secret fields.

The user account cannot have Multi-Factor Authentication (MFA) enabled.

It is recommended to use a dedicated user account for this connection. Best practice dictates one user account per integration to avoid data throttling and potential strategy failures by Microsoft. 

 

Pros of using this option:

  • Customer is in control of the Entra Application that is used to access Planner.
  • Individual users do not need Office 365 group management rights.

Cons of using this option:

  • Customer is responsible for maintaining the client secret for the Entra Application (updating it when it expires).
  • The account cannot have Multi-Factor Authentication (MFA).
  • A username and password must be configured in OneConnect.
  • More involved process to set up (requires manual creation of an app).

Creating your own Entra Application

Register the Application

  1. While logged in as a tenant or application administrator for your tenant, log in to portal.azure.com.
  2. Navigate to Microsoft Entra Admin Center.
  3. Within the left navigation bar, click on App registrations.
  4. On the top left of the page, create a New registration.
    • Name: Give the App Registration a unique title.
    • Supported Account Types: Single Tenant.
    • Redirect URI (Optional):
      • Dropdown should be set to “Web”.
      • URL: https://my.oneconnect.ai or https://eu.oneconnect.ai depending on which OneConnect site you are using.
  5. Click Register. The App Registration page will load. Within the Essentials section, the Application (Client) ID can be found.

Configure API Permissions

  1. On the Overview page of the App Registration, navigate to Manage > API Permissions.
  2. Confirm that Microsoft Graph: User.Read is already listed. 
  3. Add additional permissions:
    • Click +Add a Permission.
    • Select Microsoft Graph, then Delegated Permissions.
    • Add User.ReadBasic.All and Group.ReadWrite.All, and click Add Permission.
  4. Click Grant Admin Consent for your tenant. Confirm by selecting Yes.

Generate a Client Secret

  1. Go to Manage > Certificates and Secrets.
  2. Click + New Client Secret.
  3. Provide:
    • A description.
    • An Expiration period (up to 24 months).
  4. Click Add.
  5. Save the Client Secret Value displayed under the Value column. You'll need this later.

Note: This value will only appear once, so save it in a secure location in case you need it a second time. Otherwise, best practice is to create a whole new client secret each time one is needed.
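An added example (not OneConnect or Microsoft code): once the custom app is registered, a script like the one below can check the registration against the settings listed in the steps above (single tenant, OneConnect redirect URI, the three delegated permissions) and warn before the client secret expires. It assumes the Microsoft Graph `application` object and the app's `oauth2PermissionGrants` have already been exported as JSON; the function name, the 30-day warning window and the sample data are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Values taken from the registration steps on this page.
EXPECTED_SCOPES = {"User.Read", "User.ReadBasic.All", "Group.ReadWrite.All"}
ALLOWED_REDIRECTS = {"https://my.oneconnect.ai", "https://eu.oneconnect.ai"}

def audit_app(app, grants, now, warn_days=30):
    """Return findings for a Graph `application` dict and its oAuth2PermissionGrant dicts."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # AzureADMyOrg = single tenant
        findings.append("not single-tenant: signInAudience=%s" % app.get("signInAudience"))
    for uri in app.get("web", {}).get("redirectUris", []):
        if uri.rstrip("/") not in ALLOWED_REDIRECTS:
            findings.append("unexpected redirect URI: %s" % uri)
    granted = set()
    for g in grants:
        if g.get("consentType") == "AllPrincipals":  # tenant-wide admin consent
            granted |= set(g.get("scope", "").split())
    for s in sorted(EXPECTED_SCOPES - granted):
        findings.append("missing admin-consented scope: %s" % s)
    for s in sorted(granted - EXPECTED_SCOPES):  # least privilege: flag anything extra
        findings.append("extra delegated scope: %s" % s)
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret configured")
    for cred in secrets:
        # Keep seconds precision only, so fractional-second timestamps also parse.
        end = datetime.fromisoformat(cred["endDateTime"][:19] + "+00:00")
        name = cred.get("displayName") or cred.get("keyId")
        if end <= now:
            findings.append("client secret expired: %s" % name)
        elif end - now <= timedelta(days=warn_days):
            findings.append("client secret expires in %d days: %s" % ((end - now).days, name))
    return findings

# Constructed sample data shaped like Graph responses (not real tenant output).
SAMPLE_APP = json.loads("""{
  "signInAudience": "AzureADMyOrg",
  "web": {"redirectUris": ["https://my.oneconnect.ai"]},
  "passwordCredentials": [{"displayName": "oneconnect-secret", "endDateTime": "2025-06-20T00:00:00Z"}]
}""")
SAMPLE_GRANTS = [{"consentType": "AllPrincipals",
                  "scope": "User.Read User.ReadBasic.All Group.ReadWrite.All Mail.Read"}]

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed date so the output is stable
    for finding in audit_app(SAMPLE_APP, SAMPLE_GRANTS, now):
        print(finding)
```

Run on a schedule, a check like this gives notice to rotate the secret in both Entra and OneConnect before the integration stops authenticating.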

 
