Salesforce Microsoft Graph connector
The Salesforce Microsoft Graph connector allows your organization to index Contacts, Opportunities, Leads, Cases, and Accounts objects in your Salesforce instance. After you configure the connector and index content from Salesforce, end users can search for those items from any Microsoft Search client.
Read the Set up Microsoft Graph connectors in the Microsoft 365 admin center article to understand the general Microsoft Graph connectors setup instructions.
This article is for anyone who configures, runs, and monitors a Salesforce connector. It supplements the general setup process and shows instructions that apply only to the Salesforce connector. This article also includes information about Limitations.
The Salesforce connector currently supports Summer '19 or later.
Before you get started
To connect to your Salesforce instance, you need your Salesforce instance URL, the Client ID, and Client Secret for OAuth authentication. The following steps explain how you or your Salesforce administrator can get this information from your Salesforce account:
Log in to your Salesforce instance and go to Setup.
Navigate to Apps -> App Manager.
Select New connected app.
Complete the API section as follows:
Select the checkbox for Enable OAuth Settings.
Specify the Callback URL as: For M365 Enterprise:
https://gcs.office.com/v1.0/admin/oauth/callback, for M365 Government:
Select these required OAuth scopes.
Access and manage your data (api)
Perform requests on your behalf at any time (refresh_token, offline_access)
Select the checkbox for Require secret for web server flow.
Save the app.
Copy the consumer key and the consumer secret. This information will be used as the Client ID and the Client Secret when you configure the Connection Settings for your Graph Connector in the Microsoft 365 admin portal.
Before closing your Salesforce instance, follow these steps to ensure that refresh tokens don't expire:
- Go to Apps -> App Manager
- Find the app you created and select the drop-down on the right. Select Manage
- Select edit policies
- For refresh token policy, select Refresh token is valid until revoked
You can now use the Microsoft 365 Admin Center to complete the rest of the setup process for your Graph connector.
Step 1: Add a connector in the Microsoft 365 admin center
Follow the general setup instructions.
Step 2: Name the connection
Follow the general setup instructions.
Step 3: Configure the connection settings
For the Instance URL, use https://[domain].my.salesforce.com where domain would be the Salesforce domain for your organization.
Enter the Client ID and Client Secret you obtained from your Salesforce instance and select Sign in.
The first time you attempt to sign in with these settings, you'll get a pop-up asking you to log in to Salesforce with your admin username and password. The screenshot below shows the pop-up. Enter your credentials and select "Log In".
If the pop-up does not appear, your browser might be blocking it, so you must allow pop-ups and redirects.
Check that the connection was successful by looking for a green banner that says "Connection successful", as shown in the screenshot below.
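A pre-flight check for the Instance URL entered in this step and for the connected app's OAuth settings, as an added example that is not part of the original article or of Microsoft's tooling. The function names, the single-label rule for [domain], and reporting extra scopes as findings are assumptions of this example; the callback check covers only the M365 Enterprise value given above.

```python
import re
from urllib.parse import urlsplit

# Values taken from the page: callback URL for M365 Enterprise and the
# OAuth scopes listed for the connected app.
ENTERPRISE_CALLBACK = "https://gcs.office.com/v1.0/admin/oauth/callback"
REQUIRED_SCOPES = {"api", "refresh_token", "offline_access"}
SUFFIX = ".my.salesforce.com"
# Assumption: [domain] is a single DNS label.
DOMAIN_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def check_instance_url(url):
    """Return the problems found in an Instance URL (empty list means OK)."""
    problems = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = -1
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        problems.append("URL embeds user info")
    if port not in (None, 443):
        problems.append("unexpected port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("URL carries a path, query or fragment")
    if not host.endswith(SUFFIX):
        problems.append("host is not under my.salesforce.com")
    elif not DOMAIN_LABEL.fullmatch(host[: -len(SUFFIX)]):
        problems.append("[domain] is not a single DNS label")
    return problems


def check_connected_app(callback_url, scopes):
    """Compare a connected app's OAuth settings with the values on the page."""
    problems = []
    if callback_url != ENTERPRISE_CALLBACK:
        problems.append("callback URL differs from the M365 Enterprise value")
    granted = set(scopes)
    for scope in sorted(REQUIRED_SCOPES - granted):
        problems.append("missing scope: " + scope)
    for scope in sorted(granted - REQUIRED_SCOPES):
        problems.append("scope not required by the connector: " + scope)
    return problems
```

Running the URL check before entering the Client ID and Client Secret keeps those values from being submitted against a host that only resembles the organization's Salesforce domain.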
Step 4: Select properties
Select the Salesforce objects that you want the connector to crawl and include in search results. If Contact is selected, Account will be automatically selected as well.
If a field has field level security (FLS) set for a profile, the connector won't ingest that field for any profiles in that Salesforce org. As a result, users won't be able to search on values for those fields, nor will they show up in the results.
Step 5: Manage search permissions
You'll need to choose which users will see search results from this data source. If you allow only certain Azure Active Directory (Azure AD) or Non-Azure AD users to see the search results, make sure you map the identities.
Step 5.a: Select permissions
You can choose to ingest Access Control Lists (ACLs) from your Salesforce instance, or allow everyone in your organization to see search results from this data source. ACLs can include Azure Active Directory (AAD) identities (users who are federated from Azure AD to Salesforce), non-Azure AD identities (native Salesforce users who have corresponding identities in Azure AD), or both.
If you use a third-party Identity Provider like Ping ID or SecureAuth, you should select "non-AAD" as the identity type.
If you chose to ingest an ACL from your Salesforce instance and selected "non-AAD" for the identity type, see Map your non-Azure AD Identities for instructions on mapping the identities.
Step 5.b: Map AAD identities
If you chose to ingest an ACL from your Salesforce instance and selected "AAD" for the identity type, see Map your Azure AD Identities for instructions on mapping the identities. To learn how to set up Azure AD SSO for Salesforce, see this tutorial.
Apply user mapping to sync your Salesforce identities to Azure AD identities
In this video you can see the process to authenticate to your Salesforce instance, sync your non-Azure Active Directory identities to your Azure Active Directory identities, and apply the proper security trimmings to your Salesforce items.
Step 6: Assign property labels
You can assign a source property to each label by choosing from a menu of options. While this step is not mandatory, having some property labels will improve the search relevance and ensure better search results for end users. By default, some of the Labels like "Title," "URL," "CreatedBy," and "LastModifiedBy" have already been assigned source properties.
Step 7: Manage schema
You can select what source properties should be indexed so that they show up in search results. The connection wizard by default selects a search schema based on a set of source properties. You can modify it by selecting the check boxes for each property and attribute in the search schema page. Search schema attributes include Search, Query, Retrieve, and Refine. Refine allows you to define the properties that can be later used as custom refiners or filters in the search experience.
Step 8: Set the refresh schedule
The Salesforce connector only supports refresh schedules for full crawls currently.
A full crawl finds deleted objects and users that were previously synced to the Microsoft Search index.
The recommended schedule is one week for a full crawl.
Step 9: Review connection
Follow the general setup instructions.
Default Result type
- The Salesforce connector automatically registers a result type once the connector is published. The result type uses a dynamically generated result layout based on the fields selected in step 3.
- You can manage the result type by navigating to Result types in the Microsoft 365 admin center. The default result type will be named as "ConnectionIdDefault". For example, if your connection id is Salesforce, your result layout will be named: "SalesforceDefault"
- Also, you can choose to create your own result type if needed.
Limitations
- The Salesforce Microsoft Graph connector doesn't currently support Apex-based sharing, territory-based sharing, or sharing using personal groups from Salesforce.
- There's a known bug in the Salesforce API the connector uses, where the private org-wide defaults for leads aren't honored currently.
- If a field has field level security (FLS) set for a profile, the connector won't ingest that field for any profiles in that Salesforce org. As a result, users won't be able to search on values for those fields, nor will they show up in the results.
- In the Manage Schema screen, these common standard property names are listed once; the options are Query, Search, Retrieve, and Refine, and they apply to all or none.