Salesforce Microsoft Graph connector

The Salesforce Microsoft Graph connector allows your organization to index Contacts, Opportunities, Leads, Cases, and Accounts objects in your Salesforce instance. After you configure the connector and index content from Salesforce, end users can search for those items from any Microsoft Search client.

Note

Read the Set up Microsoft Graph connectors in the Microsoft 365 admin center article to understand the general Microsoft Graph connectors setup instructions.

This article is for anyone who configures, runs, and monitors a Salesforce connector. It supplements the general setup process and shows instructions that apply only to the Salesforce connector. This article also includes information about Limitations.

Important

The Salesforce connector currently supports Summer '19 or later.

Before you get started

To connect to your Salesforce instance, you need your Salesforce instance URL, the Client ID, and Client Secret for OAuth authentication. The following steps explain how you or your Salesforce administrator can get this information from your Salesforce account:

  • Log in to your Salesforce instance and go to Setup

  • Navigate to Apps -> App Manager.

  • Select New connected app.

  • Complete the API section as follows:

    • Select the checkbox for Enable OAuth Settings.

    • Specify the Callback URL as:

      • For M365 Enterprise: https://gcs.office.com/v1.0/admin/oauth/callback

      • For M365 Government: https://gcsgcc.office.com/v1.0/admin/oauth/callback

    • Select these required OAuth scopes.

      • Access and manage your data (api)

      • Perform requests on your behalf at any time (refresh_token, offline_access)

    • Select the checkbox for Require secret for web server flow.

    • Save the app.

      API section in Salesforce instance after admin has entered all required configurations listed above.

  • Copy the consumer key and the consumer secret. This information will be used as the Client ID and the Client Secret when you configure the Connection Settings for your Graph Connector in the Microsoft 365 admin portal.

    Results returned by API section in Salesforce instance after admin has submitted all required configurations. Consumer Key is at top of left column and Consumer Secret is at top of right column.

  • Before closing your Salesforce instance, follow these steps to ensure that refresh tokens don't expire:

    • Go to Apps -> App Manager
    • Find the app you created and select the drop-down on the right. Select Manage
    • Select edit policies
    • For refresh token policy, select Refresh token is valid until revoked

    Select the Refresh Token Policy named "Refresh token is valid until revoked".

You can now use the Microsoft 365 Admin Center to complete the rest of the setup process for your Graph connector.

Step 1: Add a connector in the Microsoft 365 admin center

Add Salesforce connector

Follow the general setup instructions.

Step 2: Name the connection

Follow the general setup instructions.

Step 3: Configure the connection settings

For the Instance URL, use https://[domain].my.salesforce.com where domain would be the Salesforce domain for your organization.

Enter the Client ID and Client Secret you obtained from your Salesforce instance and select Sign in.
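Before you select Sign in, the connected app settings from "Before you get started" and the Instance URL can be checked against the values this article specifies. The following Python sketch is an added example, not part of the connector or of Microsoft's tooling; the dictionary keys and the `contoso` domain are assumed names for a record an admin transcribes from the Salesforce UI.

```python
import re
from urllib.parse import urlsplit

# Callback URLs and scope names are the ones this article lists.
CALLBACK_URLS = {
    "https://gcs.office.com/v1.0/admin/oauth/callback",     # M365 Enterprise
    "https://gcsgcc.office.com/v1.0/admin/oauth/callback",  # M365 Government
}
REFRESH_SCOPES = {"refresh_token", "offline_access"}  # listed together as one scope

def check_connected_app(app):
    """Return problems in a connected-app record (dict keys are assumed names)."""
    problems = []
    if app.get("callback_url") not in CALLBACK_URLS:  # exact match only
        problems.append("callback URL is not one the article lists")
    scopes = set(app.get("scopes", []))
    if "api" not in scopes:
        problems.append("missing scope: api")
    if not scopes & REFRESH_SCOPES:
        problems.append("missing scope: refresh_token/offline_access")
    extra = scopes - REFRESH_SCOPES - {"api"}
    if extra:  # more than the article asks for widens what the token can do
        problems.append("extra scopes: " + ", ".join(sorted(extra)))
    if not app.get("require_secret"):
        problems.append("'Require secret for web server flow' not selected")
    if app.get("refresh_token_policy") != "Refresh token is valid until revoked":
        problems.append("refresh token policy is not 'valid until revoked'")
    return problems

def check_instance_url(url):
    """Return problems with the Step 3 Instance URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["not a parseable URL"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    # Match the whole parsed host; a substring test would accept lookalike hosts.
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]*\.my\.salesforce\.com", parts.hostname or ""):
        problems.append("host is not [domain].my.salesforce.com")
    if parts.username or port or parts.path not in ("", "/") or parts.query:
        problems.append("URL must contain only scheme and host")
    return problems

# Constructed sample record; not taken from a real Salesforce org.
SAMPLE_APP = {"callback_url": "https://gcs.office.com/v1.0/admin/oauth/callback",
              "scopes": ["api", "refresh_token"], "require_secret": True,
              "refresh_token_policy": "Refresh token is valid until revoked"}
if __name__ == "__main__":
    print(check_connected_app(SAMPLE_APP), check_instance_url("https://contoso.my.salesforce.com"))
```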

The first time you attempt to sign in with these settings, you'll get a pop-up asking you to log in to Salesforce with your admin username and password. The screenshot below shows the pop-up. Enter your credentials and select "Log In".

Login pop up asking for Username and password.

Note

If the pop-up does not appear, it might be getting blocked in your browser, so you must allow pop-ups and redirects.

Check that the connection was successful by looking for a green banner that says "Connection successful", as shown in the screenshot below.

Screenshot of successful login. The green banner that says "Connection successful" is located under the field for your Salesforce Instance URL

Step 4: Select properties

Select the Salesforce objects that you want the connector to crawl and include in search results. If Contact is selected, Account will be automatically selected as well.

Note

If a field has field-level security (FLS) set for a profile, the connector won't ingest that field for any profiles in that Salesforce org. As a result, users won't be able to search on values for those fields, nor will the fields show up in the results.

Step 5: Manage search permissions

You'll need to choose which users will see search results from this data source. If you allow only certain Microsoft Entra ID or Non-Azure AD users to see the search results, make sure you map the identities.

Step 5.a: Select permissions

You can choose to ingest Access Control Lists (ACLs) from your Salesforce instance, or allow everyone in your organization to see search results from this data source. ACLs can include Microsoft Entra identities (users who are federated from Microsoft Entra ID to Salesforce), non-Azure AD identities (native Salesforce users who have corresponding identities in Microsoft Entra ID), or both.

Note

If you use a third-party identity provider like Ping ID or SecureAuth, you should select "non-AAD" as the identity type.

Select permissions screen that has been completed by an admin. The admin has selected the "Only people with access to this data source" option and has also selected "AAD" from a drop down menu of identity types.

If you chose to ingest an ACL from your Salesforce instance and selected "non-AAD" for the identity type, see Map your non-Azure AD Identities for instructions on mapping the identities.

Step 5.b: Map Microsoft Entra identities

If you chose to ingest an ACL from your Salesforce instance and selected "AAD" for the identity type, see Map your Microsoft Entra identities for instructions on mapping the identities. To learn how to set up Microsoft Entra SSO for Salesforce, see this tutorial.

Apply user mapping to sync your Salesforce identities to Microsoft Entra identities

In this video you can see the process to authenticate to your Salesforce instance, sync your non-Microsoft Entra identities to your Microsoft Entra identities, and apply the proper security trimmings to your Salesforce items.

Step 6: Assign property labels

You can assign a source property to each label by choosing from a menu of options. While this step is not mandatory, having some property labels will improve the search relevance and ensure better search results for end users. By default, some of the Labels like "Title," "URL," "CreatedBy," and "LastModifiedBy" have already been assigned source properties.

Step 7: Manage schema

You can select what source properties should be indexed so that they show up in search results. The connection wizard by default selects a search schema based on a set of source properties. You can modify it by selecting the check boxes for each property and attribute in the search schema page. Search schema attributes include Search, Query, Retrieve, and Refine. Refine allows you to define the properties that can be later used as custom refiners or filters in the search experience.

Select the schema for each source property. The options are Query, Search, Retrieve, and Refine.

Step 8: Set the refresh schedule

The Salesforce connector only supports refresh schedules for full crawls currently.

Important

A full crawl finds deleted objects and users that were previously synced to the Microsoft Search index.

The recommended schedule is one week for a full crawl.

Step 9: Review connection

Follow the general setup instructions.

Tip

Default Result type

  • The Salesforce connector automatically registers a result type once the connector is published. The result type uses a dynamically generated result layout based on the fields selected in step 3.
  • You can manage the result type by navigating to Result types in the Microsoft 365 admin center. The default result type will be named "ConnectionIdDefault". For example, if your connection ID is Salesforce, your result layout will be named "SalesforceDefault".
  • Also, you can choose to create your own result type if needed.

Limitations

  • The Salesforce Microsoft Graph connector doesn't currently support Apex-based sharing, territory-based sharing, or sharing using personal groups from Salesforce.
  • There's a known bug in the Salesforce API the connector uses, where the private org-wide defaults for leads aren't honored currently.
  • If a field has field-level security (FLS) set for a profile, the connector won't ingest that field for any profiles in that Salesforce org. As a result, users won't be able to search on values for those fields, nor will the fields show up in the results.
  • In the Manage Schema screen, these common standard property names are listed once. The options (Query, Search, Retrieve, and Refine) apply to all of them or none.
    • Name
    • Url
    • Description
    • Fax
    • Phone
    • MobilePhone
    • Email
    • Type
    • Title
    • AccountId
    • AccountName
    • AccountUrl
    • AccountOwner
    • AccountOwnerUrl
    • Owner
    • OwnerUrl
    • CreatedBy
    • CreatedByUrl
    • LastModifiedBy
    • LastModifiedByUrl
    • LastModifiedDate
    • ObjectName