Prepare Microsoft Cloud for Cloud Discovery

Before connecting Microsoft Azure, Microsoft Intune, or Microsoft 365 / Entra ID to Lansweeper, you need to set up your infrastructure to allow Cloud Discovery to access your Microsoft Cloud products.

Register a new application

1. Follow Microsoft’s documentation to Register an application in Microsoft Entra ID

2. After registration, save the following:

   • Application (client) ID

   • Directory (tenant) ID

You’ll need these values later in Lansweeper when creating the connection to your site.

Add Microsoft Graph API permissions

1. Follow Microsoft’s documentation to Add permissions to access Microsoft Graph.

2. Based on your discovery requirements, add the following permissions and grant Admin consent for each:

   Data	Permission type	Permission name
   Microsoft 365 / Entra ID (Organization and Users)	Application	Organization.Read.All, Directory.Read.All
   Microsoft Intune	Application	DeviceManagementManagedDevices.Read.All

   NOTE

   For Microsoft Azure , ensure the app has Reader access to each subscription you want to scan

Configure federated credentials

Federated credentials enable token exchange between FusionAuth and Azure, allowing Lansweeper Discovery to authenticate without stored secrets. For more information about federated credentials, see Configure an app to trust an external identity provider

1. In the Azure portal, go to your app registration and open Certificates & secrets > Federated credentials.

2. Select Add credential.

3. Under Federated credential scenario, choose Other issuer.

4. Configure the fields as follows:

   • Issuer: https://login.auth.lansweeper.com/6d02a192-efc6-a58a-e413-8abc60f3b067 (no trailing space or /)

   • Type: Explicit subject identifier

   • Value: 866d6f4d-c8fa-4342-9f6a-377932892ee0

   • Name: A descriptive name (e.g., LansweeperDiscoveryFederation)

   • Description: Optional

   • Audience: 866d6f4d-c8fa-4342-9f6a-377932892ee0

5. Save the configuration when complete.

Assign permissions for Azure resources

To allow the app to read Azure resources under a specific subscription:

1. Follow Microsoft’s documentation to Assign Azure roles using the Azure portal.

2. Assign the Reader role to the app registration.

Repeat for all target subscriptions.

Create and configure an Azure key vault

You’ll use Azure Key Vault to store your Lansweeper Site ID securely and provide API-access tokens to Lansweeper.

1. Follow Microsoft’s documentation to Create an Azure Key Vault guide to create a Key Vault.

2. Under Access configuration, select Vault access policy.

3. Add an Access policy granting all secret permissions to your account.

4. Create a new secret:

   1. Name: LansweeperSiteID

   2. Value: Your Lansweeper Site ID (find it in your site under Configuration > Site settings)

5. Grant the Get permission on secrets to your app registration.

6. After saving, copy the Vault URI for later use in Lansweeper Site configuration.

   For security, restrict access to the Key Vault by limiting inbound connections to Lansweeper IPs:

   • EU: 54.247.163.109, 54.247.185.164, 34.243.192.131

   • US: 3.143.85.134, 3.142.89.208, 3.133.69.44

Next steps

Now that you have prepared your Microsoft Cloud environment, you can create a Cloud Discovery action to connect with Lansweeper Sites.

• Create a cloud action - Microsoft Azure

• Create a cloud action - Microsoft Intune

• Create a cloud action - Microsoft 365 / Entra ID