on 04-13-2021 08:30 PM - edited on 01-03-2023 04:27 PM by Nils
Office 365 scanning was introduced in Lansweeper version 7.1. This implementation of O365 scanning made use of basic authentication. In Lansweeper 8.3 a new way of scanning O365 was introduced, using Modern Authentication.
To achieve this, we added a new scanning credential, Microsoft Cloud Service. This credential uses OAuth 2.0 to authenticate to a Microsoft Cloud Services application that uses a combination of Microsoft Graph and PowerShell Online to read information from your O365 tenant. To follow this article you must have already created the Microsoft Cloud Services application that is required to scan O365.
This article explains what the prerequisites are, which permissions you'll need to add, the configuration required to retrieve mailbox and ActiveSync information via PowerShell, and how to set up Lansweeper to scan your Office 365 data.
To scan Office 365 with a Microsoft Cloud Credential, make sure that:
The application that was previously created must now be given the permissions required to retrieve O365 information. Follow the steps below to achieve this.
Open your company's Azure portal, navigate to App registrations, click on the app you've already created and click on the API permissions tab in the left-hand menu.
On the API permissions page, click Add permission and select the Microsoft Graph from the API list.
As we are setting up the Graph API to enforce modern authentication, you will need to add Application permissions.
Add the API permissions listed in the table below. These are all required to scan your Office 365 data.
Permission            | Description
----------------------|-------------------------------
Directory.Read.All    | Read directory data
Domain.Read.All       | Read domains
Group.Read.All        | Read all groups
GroupMember.Read.All  | Read all group memberships
Organization.Read.All | Read organization information
OrgContact.Read.All   | Read organizational contacts
User.Read.All         | Read all users' full profiles
Once the permissions are added, click the Save button and double-check the permissions that are listed.
The permissions are added but admin consent must still be granted. Select Grant admin consent for <organization> and click the Grant button in the resulting pop-up.
All added permissions should now show Granted for <organization>.
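A quick way to confirm that the application permissions from the table above were actually consented (rather than only requested) is to read the app's role assignments against Microsoft Graph. This is an added check, not part of the Lansweeper article; it assumes the Microsoft.Graph PowerShell SDK is installed and uses a placeholder for your Application ID.

```powershell
# Added check (not from the Lansweeper article): confirm the app registration holds
# the Graph application permissions from the table above, with admin consent granted.
Import-Module Microsoft.Graph.Applications

$AppId = "<your-application-id>"   # placeholder: Application ID of the Lansweeper app registration
$Required = @(
    "Directory.Read.All", "Domain.Read.All", "Group.Read.All", "GroupMember.Read.All",
    "Organization.Read.All", "OrgContact.Read.All", "User.Read.All"
)

# Reading app role assignments needs Application.Read.All (delegated, as an admin).
Connect-MgGraph -Scopes "Application.Read.All"

# Service principal of our app, and of Microsoft Graph (well-known appId).
$sp    = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
if (-not $sp) { throw "No service principal found for appId $AppId in this tenant." }

# App role assignments only exist once admin consent has been granted, so this
# list reflects consented application permissions, not merely requested ones.
$assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object { $roleId = $_.AppRoleId; ($graph.AppRoles | Where-Object { $_.Id -eq $roleId }).Value }

$missing = $Required | Where-Object { $_ -notin $assigned }
$extra   = $assigned | Where-Object { $_ -notin $Required }

if ($missing) { Write-Warning "Missing or not consented: $($missing -join ', ')" }
else          { Write-Host "All required Graph application permissions are consented." }
# Anything beyond the table widens what the scanning credential can read; review it against least privilege.
if ($extra)   { Write-Warning "Permissions granted beyond the table: $($extra -join ', ')" }
```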
It is possible to scan Office 365 data using Microsoft Graph exclusively, but this will not include mailbox information or ActiveSync data. To retrieve this information, PowerShell Online must be used. To use PowerShell Online for scanning in addition to Microsoft Graph, follow the steps below.
To enable PowerShell Online scanning, note that:
Set-ExecutionPolicy RemoteSigned
The EXO V2 module (the Exchange Online PowerShell V2 module) contains a small set of exclusive Exchange Online PowerShell cmdlets that are optimized for bulk data retrieval scenarios. The module uses modern authentication for all cmdlets. When creating your credential, keep in mind that PowerShell Online with modern authentication requires a certificate thumbprint. To install the latest public version of the module, run the following command in an elevated PowerShell window.
Install-Module -Name ExchangeOnlineManagement
Log in to your company's Azure portal and navigate to App registrations. Select the MS Graph app that was set up for Office 365 scanning and copy the Application ID.
Once you've copied the Application ID, click the menu icon in the top left corner and navigate to Azure Active Directory. In the Azure Active Directory screen, select Roles and administrators. Search for Exchange and select the Exchange administrator role.
Click the Add assignments link and search for the application using the Application ID you've copied. Select the application and click the Add button to assign the role to the application.
The final step is to grant the application the correct Office 365 Exchange Online API permissions. To do this, navigate to App registrations again. Select API permissions in the left menu and click on Add permission. Instead of selecting the Microsoft Graph API as we did previously, you'll need to select the Office 365 Exchange Online API, which should already be in use. You can click on APIs my organization uses, search for Office 365 Exchange Online and select it.
Next, click on Application permissions, expand the Exchange item and select the Exchange.ManageAsApp permission.
Once the permissions are added, select Save and double-check the permissions that are listed.
The permission is added, but admin consent must still be granted by the account you're logged on to Azure with. To do this, click Grant admin consent for <organization> and select Grant in the resulting pop-up.
All permissions should now show Granted for <organization>.
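Before entering the thumbprint into Lansweeper, it is worth proving that app-only (certificate) access to Exchange Online works and that mailbox and ActiveSync data can be read. This is an added check, not part of the Lansweeper article; it assumes the EXO V2 module is installed, the certificate's public key is uploaded to the app registration, its private key is in the local certificate store, and it uses placeholders for the Application ID, thumbprint and tenant domain.

```powershell
# Added check (not from the Lansweeper article): verify certificate-based app-only access
# to Exchange Online for the app registration, using the same values Lansweeper will use.
Import-Module ExchangeOnlineManagement

$AppId        = "<your-application-id>"      # placeholder: Application ID from App registrations
$Thumbprint   = "<certificate-thumbprint>"   # placeholder: thumbprint entered in the Lansweeper credential
$Organization = "contoso.onmicrosoft.com"    # placeholder: your tenant's initial domain

# Fail early with a clear message if the certificate cannot be used for app-only auth.
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert)                    { throw "Certificate $Thumbprint not found in the local certificate store." }
if (-not $cert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key; app-only auth will fail." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)." }

try {
    # Succeeds only if Exchange.ManageAsApp is consented and the app holds the
    # Exchange administrator role (the two steps described above).
    Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
        -Organization $Organization -ShowBanner:$false

    # The scan needs mailbox and ActiveSync data; read one of each to prove access.
    $mbx = Get-EXOMailbox -ResultSize 1 -Properties DisplayName, UserPrincipalName
    if (-not $mbx) { throw "Connected, but no mailbox could be read." }
    $eas = Get-EXOMobileDeviceStatistics -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    Write-Host "Mailbox read OK: $($mbx.DisplayName); ActiveSync devices on it: $(@($eas).Count)"
}
finally {
    # Always drop the session so no app-only token lingers in this shell.
    Disconnect-ExchangeOnline -Confirm:$false
}
```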
In the Lansweeper web console, navigate to the Scanning > Scanning Credentials tab.
On the Scanning Credentials tab, click the Add New Credential button. Select credential type Microsoft Cloud Service, fill in the name, Application ID and Directory ID. Application ID and Directory ID are obtained when creating the Microsoft Cloud Services application.
If a Client secret is selected, add the client secret. This is obtained when creating the MS Graph app in Azure.
If a Certificate thumbprint is selected, add the certificate thumbprint. This is obtained when creating the MS Graph app in Azure.
When creating the Microsoft Cloud Service scanning credential, Lansweeper can automatically create a scanning target to scan your Office 365 data.
To automatically create the scanning target, tick the designated checkboxes and click OK. When you check Office 365 v2, an O365v2 scanning target is automatically created and linked to this credential. When multiple scanning targets are selected, ensure that the app has sufficient API permissions to scan the selected scanning targets. For example, if you'd like to use the credential for both Office 365 scanning and Intune scanning, make sure application permissions are set for both.
Can you provide insight into how to obtain a proper certificate in order to create the thumbprint in Azure?
Hi,
Our M365 tenant is managed by our parent company which has a lot of objects in Azure AD that are irrelevant to our subsidiary.
Is there a way to scan only specific parts of the tenant, like how you can target specific OUs when you scan on-premise domains?
Otherwise, our licensing model will become expensive as we'll have to scan over 10,000 AzAD User, Group & Computer Objects, which isn't feasible.
Even if the response is no, that's better than no response.
Any help would be appreciated.