Set up the Viva Engage connector
This section covers setup requirements, permissions, and configuration for the Viva Engage connector.
Before you start
Have these in place before you configure the connector:
- Native Mode — your Viva Engage instance must be running in Native Mode. On-premises variants are not supported.
- A Verified Administrator account — you need a Viva Engage Verified Administrator account, with permission to register applications in Microsoft Entra ID.
- An Azure AD app registration — you'll register an app and obtain its client secret, application (client) ID, and directory (tenant) ID during setup.
- Delegated permissions — the connector uses OAuth 2.0 delegated authentication. See Required permissions for the exact scopes to grant.
Required permissions
The connector app must be granted the following delegated permissions in Azure AD, with admin consent.
The baseline permissions are always included. Select any extras below and the permission set updates instantly. Then copy it to hand to your IT or security team, so every scope is requested in one pass.
User.ReadSigns in the administrator and reads their basic profile.offline_accessIssues a refresh token so Glean maintains access without repeated sign-in.openidEnables OpenID Connect sign-in.emailReads the administrator's email address claim.profileReads basic profile claims, such as name.
access_as_userCalls the Viva Engage Data Export API on behalf of the signed-in Verified Administrator to read community messages.user_impersonationGrants delegated access to the Viva Engage API as the authorizing administrator.
Known limitations
- Real-time updates. The connector relies on scheduled crawls and does not support webhooks or near-real-time activity tracking.
- Deployment. The connector is designed for cloud-hosted Viva Engage instances in Native Mode and does not support on-premises variants.
Setup steps
Register a new application in Azure AD
-
Sign in to your Azure portal as an administrator.
-
Select Microsoft Entra ID, and navigate to Manage → App registrations → New registration.
-
On the Register an application page, enter the following details:
- Name:
Glean Viva Engage Application - Supported account types:
Accounts in this organizational directory only (Single tenant) - Redirect URI: Select Web and enter the URL:
https://tenant_id-be.glean.com/instance/yammer/oauth/verify_code
Copy your full backend URL from app.glean.com/admin/about-glean under Server instance (QE), and replace
https://tenant_id-be.glean.comwith it. - Name:
-
Click Register.
Configure API permissions
- On the left navigation on the Overview page, click Manage → API Permissions.
- Click Add a permission and select Microsoft Graph.
- Choose Delegated permissions and add the following permissions:
User.Readoffline_accessemailopenidprofile
- Click Add a permission again and select Yammer.
- Choose Delegated permissions and add
access_as_useranduser_impersonation. - Click Grant admin consent to finalize the permissions.
Generate a client secret and copy credentials
-
Navigate to Microsoft Entra ID → Manage → App registrations and click the application you created.
-
Select Manage → Certificates & secrets.
-
Under Client secrets, click New client secret. Enter a descriptive name and select an expiry time (24 months recommended), then click Add.
-
Copy the
Valueof the new secret. This is your client secret and will not be displayed again.noteSave the secret Value, not the Secret ID.
-
Navigate back to the Overview page and copy the Application (client) ID and Directory (tenant) ID from the Essentials panel.
Connect in Glean
- In the Glean Admin console, navigate to Connectors → Add connector, then select Yammer.
- Enter a Name for your connector.
- Enter the following values:
- Client secret
- Application (client) ID
- Directory (tenant) ID
- Click Authorize and follow the generated link to sign in with your Verified Administrator account.
Upon successful authorization, Glean begins the initial crawl.
Permissions and security
- Permission propagation. The connector honors Viva Engage's permission model — community membership determines access, and users only see messages from communities they belong to.
- Privileges. The connector uses OAuth 2.0 delegated authentication and requests only the scopes it needs.
- Data privacy. Glean extracts data within your cloud environment, and all indexed data respects source-system permissions.