ErikT
Lansweeper Tech Support
Scanning Microsoft Cloud Services is a feature introduced in Lansweeper 8.3. If you are using an older Lansweeper release, you will need to update by following the instructions in this knowledge base article.

Office 365 scanning was introduced in Lansweeper version 7.1. This implementation of O365 scanning made use of basic authentication. In Lansweeper 8.3 a new way of scanning O365 was introduced, using Modern Authentication.

To achieve this, we added a new scanning credential, Microsoft Cloud Service. This credential uses OAuth 2.0 to authenticate to a Microsoft Cloud Services application that uses a combination of Microsoft Graph and PowerShell Online to read information from your O365 tenant. To follow this article, you must have already created the Microsoft Cloud Services application that is required to scan O365.

This article explains what the prerequisites are, which permissions you'll need to add, the configuration required to retrieve mailbox and ActiveSync information via PowerShell, and how to set up Lansweeper to scan your Office 365 data.

Prerequisites

To scan Office 365 with a Microsoft Cloud Credential, make sure that:

  • You've already set up your Microsoft Cloud Services application.
  • You're in possession of your Microsoft Cloud Services application's Application (client) ID, Directory (tenant) ID, and Client secret or certificate. These were obtained when creating the application.

Adding permissions to the Microsoft Graph application to scan Office 365 data

The application that was previously created must now be given the permissions required to retrieve O365 information. Follow the steps below to achieve this.

Step 1: API permissions in the Azure Portal

Open your company's Azure portal, navigate to App registrations, click on the app you've already created and click on the API permissions tab in the left-hand menu.


On the API permissions page, click Add permission and select Microsoft Graph from the API list.


As we are setting up the Graph API to enforce modern authentication, you will need to add Application permissions.


Add the API permissions listed in the table below. These are all required to scan your Office 365 data.

Permission              Description
Directory.Read.All      Read directory data
Domain.Read.All         Read domains
Group.Read.All          Read all groups
GroupMember.Read.All    Read all group memberships
Organization.Read.All   Read organization information
OrgContact.Read.All     Read organizational contacts
User.Read.All           Read all users' full profiles

Once the permissions are added, click the Save button and double-check the permissions that are listed.

Step 2: Grant admin consent

The permissions are added but admin consent must still be granted. Select Grant admin consent for <organization> and click the Grant button in the resulting pop-up.


All added permissions should now show Granted for <organization>.

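Because the client secret or certificate of this app is a standing, tenant-wide credential, it is worth confirming that the app holds exactly the application permissions in the table above and nothing more. The script below is an added example, not part of the Lansweeper article; it assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgServicePrincipal, Get-MgServicePrincipalAppRoleAssignment) is installed, and <APP-ID> is a placeholder for your Application (client) ID.

```powershell
# Added example (not from the Lansweeper article): audit the app-only Microsoft Graph
# permissions actually consented for the scanning app and flag missing or excess ones.
# <APP-ID> is a placeholder for your app's Application (client) ID.
$AppId = '<APP-ID>'
$Required = @(
    'Directory.Read.All', 'Domain.Read.All', 'Group.Read.All', 'GroupMember.Read.All',
    'Organization.Read.All', 'OrgContact.Read.All', 'User.Read.All'
)

# Interactive sign-in for the audit itself; reading app registrations needs Application.Read.All
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

# The service principal of our app is the object that receives the role assignments
$AppSp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $AppSp) { throw "No service principal found for appId $AppId" }

# Microsoft Graph's own service principal defines the app roles (application permissions)
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$RoleNames = @{}
foreach ($Role in $GraphSp.AppRoles) { $RoleNames[$Role.Id] = $Role.Value }

# Admin-consented application permissions appear as appRoleAssignments on the app's SP;
# keep only those whose resource is Microsoft Graph (Exchange Online grants are separate)
$Granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AppSp.Id |
    Where-Object { $_.ResourceId -eq $GraphSp.Id } |
    ForEach-Object { $RoleNames[$_.AppRoleId] }

$Missing = $Required | Where-Object { $_ -notin $Granted }
$Excess  = $Granted  | Where-Object { $_ -notin $Required }

"Granted Graph application permissions: $($Granted -join ', ')"
if ($Missing) { "MISSING (scan will fail or be incomplete): $($Missing -join ', ')" }
if ($Excess)  { "EXCESS (remove to keep the credential least-privilege): $($Excess -join ', ')" }
if (-not $Missing -and -not $Excess) { 'Granted permissions match the required set exactly.' }
```

Permissions that were added but never consented do not appear as assignments, so they show up here as MISSING even though the portal lists them.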

How to retrieve O365 mailbox and ActiveSync data using PowerShell Online scanning

It is possible to scan Office 365 data using Microsoft Graph exclusively, but this will not include mailbox information or ActiveSync data. To retrieve this information, PowerShell Online must be used. To use PowerShell Online for scanning in addition to Microsoft Graph, follow the steps below.

Your scanning credential must make use of a certificate thumbprint, not client secret, to use PowerShell Online scanning.

Step 1: PowerShell Online prerequisites

To enable PowerShell Online scanning, note that:

  • Your Lansweeper scanning server must be running Windows 7 or a more recent operating system.
  • Your Lansweeper scanning server must have a 64-bit architecture.
  • Your Lansweeper scanning server must have Windows PowerShell version 5.1. If you only just installed this PowerShell version, make sure to reboot your machine. Your scanning server must not have any pending reboots.
  • Your Lansweeper scanning server must be configured to allow scripts that are signed by a trusted publisher. You can configure this by running the following command in an elevated PowerShell window on the scanning server.

Set-ExecutionPolicy RemoteSigned

Step 2: Install the EXO V2 module on your scanning server

The EXO V2 module, or Exchange Online PowerShell V2 module, contains a small set of exclusive Exchange Online PowerShell cmdlets that are optimized for bulk data retrieval scenarios. The module uses modern authentication for all cmdlets. When creating your credential, keep in mind that PowerShell Online with modern authentication requires a certificate thumbprint. To install the latest public version of the module, run the following command in an elevated PowerShell window.

Install-Module -Name ExchangeOnlineManagement

The Exchange Online PowerShell V2 module requires basic authentication to be enabled in WinRM. As per Microsoft's documentation this is required because "...the client-side WinRM implementation has no support for OAuth". Note that this setting only affects how the local WinRM client packages the OAuth token; your account credentials are not sent using basic authentication.
More information, including how to check and enable Basic Auth for WinRM, can be found in the full EXO V2 prerequisites here.
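The prerequisites from Step 1 and Step 2 can be checked in one pass before you add the credential. This script is an added example rather than part of the article; it reads the WSMan: drive and the registry keys Windows uses to flag a pending reboot, and must run in an elevated Windows PowerShell session on the scanning server.

```powershell
# Added example (not from the Lansweeper article): verify the scanning server against the
# PowerShell Online prerequisites. Run in an elevated Windows PowerShell 5.1 session.
$Checks = [ordered]@{}

$PsVer = $PSVersionTable.PSVersion
$Checks['Windows PowerShell 5.1']     = ($PsVer.Major -eq 5 -and $PsVer.Minor -ge 1)
$Checks['64-bit operating system']    = [Environment]::Is64BitOperatingSystem
$Checks['64-bit PowerShell host']     = [Environment]::Is64BitProcess
# Windows 7 / Server 2008 R2 is NT 6.1; anything newer passes as well
$Checks['Windows 7 or newer']         = ([Environment]::OSVersion.Version -ge [Version]'6.1')

# RemoteSigned (or a less restrictive policy) lets the signed EXO module load
$Checks['Execution policy allows signed scripts'] =
    (Get-ExecutionPolicy) -in @('RemoteSigned', 'Unrestricted', 'Bypass')

# Reboot-pending markers written by Component Based Servicing and Windows Update
$RebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$Checks['No pending reboot'] = -not ($RebootKeys | Where-Object { Test-Path $_ })

$Checks['ExchangeOnlineManagement module installed'] =
    [bool](Get-Module -ListAvailable -Name ExchangeOnlineManagement)

# EXO V2 needs Basic auth enabled on the WinRM *client* (client-side WinRM has no OAuth support)
$WinRmBasic = (Get-Item -Path WSMan:\localhost\Client\Auth\Basic -ErrorAction SilentlyContinue).Value
$Checks['WinRM client Basic auth enabled'] = ($WinRmBasic -eq 'true')

# Group Policy can force AllowBasic=0 regardless of the WSMan setting above
$Policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' `
    -Name AllowBasic -ErrorAction SilentlyContinue
$Checks['No GPO blocking WinRM Basic auth'] = ($null -eq $Policy -or $Policy.AllowBasic -ne 0)

foreach ($Name in $Checks.Keys) {
    $Status = if ($Checks[$Name]) { 'OK' } else { 'FAIL' }
    '{0,-4} {1}' -f $Status, $Name
}
```

A FAIL on the GPO line means a domain policy overrides the local WinRM setting, which the server's own winrm configuration will not show.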

Step 3: Add the Graph application in the Exchange administrator role

Log in to your company's Azure portal and navigate to App registrations. Select the MS Graph app that was set up for Office 365 scanning and copy the Application ID.


Once you've copied the Application ID, click the menu icon in the top left corner and navigate to Azure Active Directory. In the Azure Active Directory screen, select Roles and administrators. Search for Exchange and select the Exchange administrator role.


Click the Add assignments link and search for the application using the Application ID you've copied. Select the application and click the Add button to add the application to the role.


You have to search for the application using the Application ID, as it will not show up in the list.

Step 4: Assign and grant API permissions

The final step is to grant the application the correct Office 365 Exchange Online API permissions. To do this, navigate to App registrations again. Select API permissions in the left menu and click on Add permission. Instead of selecting the Microsoft Graph API as we did previously, you'll need to select the Office 365 Exchange Online API, which should already be in use. You can click on APIs my organization uses, search for Office 365 Exchange Online and select it.


Next, click on Application permissions, expand the Exchange item and select the Exchange.ManageAsApp permission.


Step 5: Grant admin consent

Once the permissions are added, select Save and double-check the permissions that are listed.


The permission is added, but admin consent still needs to be granted by the account you're logged on to Azure with. To do this, click Grant admin consent for <organization> and select Grant in the resulting pop-up.


All permissions should now show Granted for <organization>.

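With the role assignment and the Exchange.ManageAsApp consent in place, a short app-only connection confirms that the certificate-based setup works before Lansweeper depends on it. This is an added example, not from the article; the certificate with its private key must be installed in the certificate store of the account running it, and <APP-ID>, <CERT-THUMBPRINT> and <TENANT> are placeholders for your own values.

```powershell
# Added example (not from the Lansweeper article): test the app-only (certificate) Exchange
# Online connection the scanning credential will use. The certificate must be in the
# CurrentUser\My or LocalMachine\My store with its private key.
Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline -AppId '<APP-ID>' `
    -CertificateThumbprint '<CERT-THUMBPRINT>' `
    -Organization '<TENANT>.onmicrosoft.com' `
    -ShowBanner:$false

try {
    # Fails with an authorization error if Exchange.ManageAsApp was not consented or the
    # app is not in the Exchange administrator role; succeeds once both are in place
    $Mailboxes = Get-EXOMailbox -ResultSize 5 -Properties DisplayName, RecipientTypeDetails
    $Mailboxes | Format-Table DisplayName, RecipientTypeDetails -AutoSize

    # ActiveSync partnerships are the data the mailbox/ActiveSync scan reads
    Get-MobileDevice -ResultSize 5 | Format-Table FriendlyName, DeviceOS, ClientType -AutoSize
}
finally {
    # Always tear down the session so no app-only token is left behind in this shell
    Disconnect-ExchangeOnline -Confirm:$false
}
```

If the connection itself succeeds but the cmdlets fail, the certificate is fine and the problem lies in Step 3 or Step 4 above.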

How to set up Lansweeper to scan your Office 365 data

Step 1: Open the Lansweeper web console

In the Lansweeper web console, navigate to the Scanning > Scanning Credentials tab.

Step 2: Add a new credential

On the Scanning Credentials tab, click the Add New Credential button. Select credential type Microsoft Cloud Service, fill in the name, Application ID and Directory ID. Application ID and Directory ID are obtained when creating the Microsoft Cloud Services application.

Step 3: Select client secret or certificate thumbprint as authentication type

If a Client secret is selected, add the client secret. This is obtained when creating the MS Graph app in Azure.


If a Certificate thumbprint is selected, add the certificate thumbprint. This is obtained when creating the MS Graph app in Azure.


To scan mailbox and ActiveSync information using PowerShell you must use the certificate thumbprint authentication type.

Step 4: Select the Scanning targets

When creating the Microsoft Cloud Service scanning credential, Lansweeper can automatically create a scanning target to scan your Office 365 data.

To automatically create the scanning target, tick the designated checkboxes and click OK. When you check Office 365 v2, an O365v2 scanning target is automatically created and linked to this credential. When multiple scanning targets are selected, ensure that the app has sufficient API permissions to scan the selected scanning targets. For example, if you'd like to use the credential for both Office 365 scanning and Intune scanning, make sure application permissions are set for both.


If no Scanning targets are selected when creating the scanning credential, create a scanning target manually via Scanning > Scanning Targets and map the scanning credential to the scanning target afterward.
Comments
andejo55
Engaged Sweeper II

Can you provide insight into how to obtain a proper certificate in order to create the thumbprint in Azure?

Andrew963
Engaged Sweeper

Hi,

Our M365 tenant is managed by our parent company which has a lot of objects in Azure AD that are irrelevant to our subsidiary.

Is there a way to scan only specific parts of the tenant, like how you can target specific OUs when you scan on-premise domains?

Otherwise, our licensing model will become expensive as we'll have to scan over 10,000 AzAD User, Group & Computer Objects, which isn't feasible.

Even if the response is no, that's better than no response.

Any help would be appreciated.

Last update: 01-03-2023 04:27 PM