This guide walks you through creating an App Registration in Entra ID (formerly Azure Active Directory) for Chipmunk, and assigning the necessary Microsoft Graph and Exchange permissions.
Chipmunk uses Microsoft Graph and Exchange APIs to back up OneDrive, Exchange, and Teams data for disabled users. You'll need to register an app in your Azure tenant and grant it the correct permissions.
Before you register the app, decide what DNS name your Chipmunk appliance will use (e.g., chipmunk.yourcompany.local). This will be used in the redirect URI.
Also ensure you have:
1. Go to Azure Portal
2. Search for App registrations and click + New registration
3. Enter:
ChipmunkApp
4. Click Register
Note: During initial setup, Chipmunk may temporarily use port 3000 for configuration access. You should include both redirect URIs above during deployment. Once Chipmunk is fully configured and using port 443, you may safely remove the port 3000 URI from the App Registration for security tightening.
After registration, copy these values from the Overview page:
You'll use these during Chipmunk's first-time configuration.
1. Go to Certificates & secrets
2. Click + New client secret
3. Name it something like ChipmunkSecret
4. Set expiry to 12 or 24 months
5. Click Add
→ Important: Copy the Value immediately — you won't be able to see it again.
Navigate to API permissions > + Add a permission > Microsoft Graph > Application permissions
Add the following:
Type | Permission Name | Description |
---|---|---|
Application | `User.Read.All` | Read all users' full profiles |
Application | `Group.Read.All` | Read all groups |
Application | `Files.Read.All` | Read all files in site collections |
Application | `Files.ReadWrite.All` | Read and write files in site collections |
Application | `Mail.Read` | Read mail in all mailboxes |
Application | `Mail.Send` | Send mail as any user |
Application | `ChannelMessage.Read.All` | Read all Teams channel messages |
Application | `Chat.Read.All` | Read all Teams chat messages |
Application | `Chat.ReadBasic.All` | Read names and members of chat threads |
Application | `Sites.Read.All` | Read SharePoint site items |
Application | `Sites.ReadWrite.All` | Read/write SharePoint site items |
Application | `Team.ReadBasic.All` | List all Microsoft Teams |
Application | `TeamMember.Read.All` | Read members of all Teams |
Application | `TeamSettings.Read.All` | Read all Teams’ settings |
Application | `TeamSettings.ReadWrite.All` | Read/change Teams’ settings |
Application | `Contacts.Read` | Read contacts in all mailboxes |
Application | `Calendars.Read` | Read calendars in all mailboxes |
Application | `AuditLog.Read.All` | Read audit logs |
Application | `Directory.Read.All` | Read directory data |
Then click Grant admin consent for [Your Tenant Name] and confirm. All permissions should show as “Granted”.
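To confirm that what was consented matches the table above, the granted app roles can be compared with the expected set. This is an added example, not Chipmunk's own code; it assumes input shaped like Microsoft Graph's `appRoles` array (on the Microsoft Graph service principal) and `appRoleAssignments` collection (on the app's service principal), and all IDs and sample data are constructed.

```python
# Application permissions from the table above.
EXPECTED = {
    "User.Read.All", "Group.Read.All", "Files.Read.All", "Files.ReadWrite.All",
    "Mail.Read", "Mail.Send", "ChannelMessage.Read.All", "Chat.Read.All",
    "Chat.ReadBasic.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Team.ReadBasic.All", "TeamMember.Read.All", "TeamSettings.Read.All",
    "TeamSettings.ReadWrite.All", "Contacts.Read", "Calendars.Read",
    "AuditLog.Read.All", "Directory.Read.All",
}

def audit_grants(graph_app_roles, assignments, expected=EXPECTED):
    """Compare granted application permissions with the expected set.

    graph_app_roles: `appRoles` of the Microsoft Graph service principal.
    assignments: `appRoleAssignments` of the registered app's service principal.
    """
    names = {role["id"]: role["value"] for role in graph_app_roles}
    granted, unresolved = set(), []
    for item in assignments:
        name = names.get(item["appRoleId"])
        if name is None:
            # Role belongs to another resource API, or the ID is stale.
            unresolved.append(item["appRoleId"])
        else:
            granted.add(name)
    return {
        "missing": sorted(expected - granted),        # not consented yet
        "unexpected": sorted(granted - expected),     # broader than documented
        "write_or_send": sorted(
            p for p in granted if "Write" in p or p.endswith(".Send")
        ),                                            # grants worth periodic review
        "unresolved_ids": unresolved,
    }

# Constructed sample data (IDs are placeholders, not real Graph role IDs).
_ALL = sorted(EXPECTED | {"Mail.ReadWrite"})
SAMPLE_APP_ROLES = [
    {"id": f"00000000-0000-0000-0000-{i:012d}", "value": v}
    for i, v in enumerate(_ALL)
]
_ID = {role["value"]: role["id"] for role in SAMPLE_APP_ROLES}
# One expected permission left unconsented, one extra permission granted.
SAMPLE_ASSIGNMENTS = [{"appRoleId": _ID[v]} for v in _ALL if v != "AuditLog.Read.All"]

if __name__ == "__main__":
    for key, items in audit_grants(SAMPLE_APP_ROLES, SAMPLE_ASSIGNMENTS).items():
        print(f"{key}: {items}")
```
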
Under Authentication, verify:
Chipmunk uses an Entra ID (Azure AD) group to determine who has access to the dashboard.
1. In the Azure Portal, go to Microsoft Entra ID > Groups
2. Click + New Group
3. Choose:
chipmunkadmins
4. Add any users who should be able to access the Chipmunk dashboard
You will enter this exact group name during the appliance setup wizard.
→ Only members of this group will be granted admin access.
When the Chipmunk appliance launches, you’ll enter: