Prepare Microsoft 365 connector
The Microsoft 365 connector retrieves information about subscriptions, users, and some user activity. See Activity for Microsoft applications on devices for more information on user activity.
In Microsoft Azure Portal, you are required to configure a Graph API application, add API access, and grant the application permissions. You are required to copy Directory (tenant) ID and Application (tenant) ID, create a client secret, and enter these values in Settings when adding the connector.
Prerequisites
The user account used to create the app in Step 2:
If Azure AD > User Settings > Users can register applications is Yes, the user account used to create the app does not have to be assigned to a role.
If Azure AD > User Settings > Users can register applications is No, the user account used to create the app must be assigned to one of the following roles:
Global administrator
Application administrator
Cloud application administrator
Application developer
The user who grants administrator consent in Step 3.c must be assigned to the Global administrator role.
Procedure
Sign in to the Microsoft Azure Portal: https://azure.microsoft.com/
In App registrations, create an Azure Active Directory application.
Set Supported account types to Accounts in this organizational directory only.
Set Redirect URI to Web.
In URI, enter
http://localhost.
Add API permissions to Microsoft Graph for the application you created.
Configure Delegated permissions:
Select Delegated permissions.
Select
offline_accessin the list of permissions.Clear the
User: User.Readpermission, if it is selected.
Configure Application permissions.
In the list of permissions, select:
Directory: Directory.Read.AllOrganization: Organization.Read.AllUser: User.Read.AllReports: Reports.Read.All
Select Grant admin consent for [your organization's name].
In Certificates & secrets, create a new client secret with the following information:
Enter a Description for the key, for your own reference.
Set Expires to your desired value.
Caution
When the client secret expires, the connector will not be able to run.
Regenerate the client secret when it expires and enter the new value in the connector Settings.
To display the client secret, select Add.
Copy and save the value. It is used when adding the connector.
Copy and save Directory (tenant) ID and Application (client) ID for the application. They are used when adding the connector.
When adding the connector, in Settings, enter the saved values according to the table.
Setting
Value from Microsoft Azure Portal
Tenant ID
Directory (tenant) ID
Client ID
Application (client) ID
Client secret
Client secret
Domains
The domains in your organization for which you want to collect data.
An asterisk,
*, collects data for all domains connected to your organization, including user accounts without email address. This is the default value.One or several domains connected to your organization collects data only for those, and will exclude user accounts without email address. One name per row.
If you add both an asterisk and names, the asterisk takes precedence and data is collected for all domains.
Note
When the asterisk is kept in this field, the connector retrieves all subscriptions and all users, including accounts with no email address.
If you add domains, the connector imports users only for the specified domains. However, the connector imports the total number of assigned subscriptions for your organization from Microsoft, regardless of entered domains.
Therefore, if you add domains, there may be a mismatch in the SaaS pages between the number of users and the number of assigned subscriptions for Microsoft.
Also note that if you have the SaaS connector for Microsoft Azure AD, you must populate the Domains field in the same way in both settings, otherwise the undesired data is collected anyway from Microsoft.
After completing this task, follow the general procedure to Add connectors.
The connector makes API calls to the vendor to retrieve data.