Prepare Microsoft 365 connector
To ensure security compliance for the SaaS integration with Microsoft 365, the connector has been updated to use least-privileged permissions. Please update the application permissions to enable the latest connector enhancements. If the permissions are not updated, a warning will notify you of the missing permissions; however, the aggregation will continue to run.
The Microsoft 365 connector retrieves information about subscriptions, users and their organizational details, and some user activity. For detailed insights on user activity, see Activity for Microsoft applications on devices.
To enable the connector, configuration is required within the Microsoft Azure Portal. This includes registering a Graph API application, assigning the required API access, and granting Admin consent. Additionally, you are required to retrieve the Directory (tenant) ID and Application (Client) ID, generate a client secret, and enter these values in Settings when adding the connector.
These configuration steps should typically be performed by your organization's IT department or Azure administrators.
Prerequisites
The user account used to create the app in Step 2:
- If Microsoft Azure > User settings > Users can register applications is Yes, the user account used to create the app does not have to be assigned to a role.
- If Microsoft Azure > User settings > Users can register applications is No, the user account used to create the app must be assigned to one of the following roles:
  - Global administrator
  - Application administrator
  - Cloud application administrator
  - Application developer
- The user who grants administrator consent in Step 3.iii must be assigned to the Global administrator role.
Required application permissions for Microsoft 365
| Application permission | Description |
|---|---|
| LicenseAssignment.Read.All | Enables the application to read the commercial subscriptions that an organization has acquired. |
| User.Read.All | Enables the application to read the full set of profile properties on behalf of the signed-in user. |
| AuditLog.Read.All | Enables the application to read and query your audit log activities, without a signed-in user. It also enables the application to read the state of a user's authentication methods, such as multifactor authentication. |
| Reports.Read.All | Enables the application to read the user access event details in your Microsoft account. |
| offline_access | Enables the application to generate the refresh token. |
Procedure
1. Sign in to the Microsoft Azure Portal: https://azure.microsoft.com/
2. In App registrations, create an Azure Active Directory application:
   - Set Supported account types to Accounts in this organizational directory only.
   - Set Redirect URI to Web.
   - In URI, enter http://localhost.
3. Add API permissions to Microsoft Graph for the application you created:
   i. Configure Delegated permissions:
      - Select Delegated permissions.
      - Select offline_access in the list of permissions.
      - Clear the User: User.Read permission, if it is selected.
   ii. Configure Application permissions: in the list of permissions, select LicenseAssignment.Read.All, User.Read.All, AuditLog.Read.All, and Reports.Read.All. For more details, see the table under Required application permissions for Microsoft 365 in this topic.
   iii. Select Grant admin consent for [your organization's name].
4. In Certificates & secrets, create a new client secret with the following information:
   - Enter a Description for the key, for your own reference.
   - Set Expires to your desired value.
     Caution: When the client secret expires, the connector will not be able to import data. Regenerate the client secret when it expires and enter the new value in the connector Settings.
   - To display the client secret, select Add. Copy and save the value. It is used when adding the connector.
5. Copy and save the Directory (tenant) ID and Application (client) ID for the application. They are used when adding the connector.
6. When adding the connector in Snow Atlas, in Settings, enter the saved values according to the following table.
| Setting | Value from Microsoft Azure Portal |
|---|---|
| Tenant ID | Directory (tenant) ID |
| Client ID | Application (client) ID |
| Client secret | Client secret |
| Domains | The domains in your organization for which you want to collect data. An asterisk, `*`, collects data for all domains connected to your organization, including user accounts without an email address, since the domain is in their User Principal Name; this is the default value. One or several domains connected to your organization collects data only for those domains and excludes user accounts without the domain in their User Principal Name. Enter one name per row. |

Note: When the asterisk is kept in this field, the connector retrieves all subscriptions and all users, including accounts with no email address. If you add domains, the connector imports users only for the specified domains. However, the connector imports the total number of assigned subscriptions for your organization from Microsoft, regardless of the domains entered. Therefore, if you add domains, there may be a mismatch in the SaaS pages between the number of users and the number of assigned subscriptions for Microsoft. Also note that if you have the SaaS connector for Microsoft Entra ID, you must populate the Domains field in the same way in both settings; otherwise the undesired data is still collected from Microsoft.
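As an added example (not part of this documentation or of the connector itself), the following Python script checks two things an administrator typically verifies after completing this procedure: that an access token issued to the registered app carries the four application permissions listed in the table above, and how many days remain before the client secret expires. The token is a constructed, unsigned sample, and the names make_sample_token, missing_roles and days_until_secret_expiry are hypothetical helpers chosen for this example.

```python
import base64
import json
from datetime import datetime, timezone

# Application permissions the connector needs (from the table in this topic).
REQUIRED_ROLES = {
    "LicenseAssignment.Read.All",
    "User.Read.All",
    "AuditLog.Read.All",
    "Reports.Read.All",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(roles: list) -> str:
    """Constructed, unsigned sample token for this example only. A real token
    is obtained by the registered app through the client-credentials flow."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"aud": "https://graph.microsoft.com", "roles": roles}
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def missing_roles(access_token: str) -> set:
    """Required application permissions absent from the token's 'roles' claim.
    The signature is deliberately not verified: this is a local configuration
    check run by the tenant admin, not an authorization decision."""
    claims = json.loads(_b64url_decode(access_token.split(".")[1]))
    return REQUIRED_ROLES - set(claims.get("roles", []))

def days_until_secret_expiry(end_date_time: str, now_iso: str = None) -> int:
    """Days left on a client secret, given the endDateTime that the Graph
    application object reports for its passwordCredential (constructed sample
    value: '2025-06-30T12:00:00Z'). Negative means it has already expired."""
    end = datetime.fromisoformat(end_date_time.replace("Z", "+00:00"))
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    return (end - now).days

if __name__ == "__main__":
    token = make_sample_token(["User.Read.All", "AuditLog.Read.All"])
    print("Missing permissions:", sorted(missing_roles(token)))
    print("Days until secret expiry:", days_until_secret_expiry("2025-06-30T12:00:00Z"))
```

A non-empty result from missing_roles corresponds to the missing-permissions warning described at the top of this topic; a negative day count from days_until_secret_expiry means the connector can no longer import data until the secret is regenerated.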
After completing this task, follow the general procedure to Add connectors.
The connector makes API calls to the vendor and retrieves data. For more information, see API calls and Data retrieved by the connector.
Flexera does not own the third party trademarks, software, products, or tools (collectively, the "Third Party Products") referenced herein. Third Party Product updates, including user interface updates, may not be reflected in this content.