How to scan Azure Active Directory users and groups

From version 9.4 onward, Lansweeper is capable of scanning Azure Active Directory (AAD) users and groups using a new Azure Active Directory scanning target. This scanning target makes use of the Microsoft Cloud Service credential type, which can also be used to scan your Intune assets or M365 tenant. This credential makes use of Modern Authentication and the Microsoft Graph API, using application permissions.

To follow this article you must have already created a Microsoft Cloud Services application. This article explains what the prerequisites are, what permissions you'll need to add and how to setup Lansweeper to scan your Azure Active Directory.


To scan your Azure Active Directory make sure that:

  • You've already set up your Microsoft Cloud Services application.
  • You're in possession of your Microsoft Cloud Services application's Application (client) ID, Directory (tenant) ID, and Client secret or certificate. These are obtained when creating the application.

Adding permissions to the Microsoft Graph application to scan AAD data

Step 1: Click on the API permissions tab

Open your company's Azure portal, navigate to App registrations, click on the app you've already created and click on the API permissions tab in the left-hand menu.

On the API permissions page, click on the Add permission button and select Microsoft Graph from the API list.

As you're setting up the Microsoft Graph API to enforce modern authentication, you will need to add Application permissions. Click the Application permissions button.

Add the  Group.Read.All, GroupMember.Read.All  and User.Read.All API permissions. These are required to be able to scan all AAD data. Once the permissions are added, click the save button on the bottom of the page and double-check the permissions that are listed.

Step 2: Grant admin consent

The permissions are added but admin consent must still be granted. To do this, click the button Grant admin consent for <organization> and click the Grant button in the resulting pop-up. The added permissions should now show Granted for <organization>.

Setting up Lansweeper to scan your Azure Active Directory data

Step 1: Add a new credential

In the Lansweeper web console, navigate to the  Scanning\Scanning Credentials menu. In the scanning credentials section of the page, click the Add New Credential button.
Select credential type Microsoft Cloud Service, fill in the name, Application ID and Directory ID. Application ID and Directory ID are obtained when creating the Microsoft Cloud Services application.

Step 2: Select client secret or certificate thumbprint as authentication type

With Client Secret selected as the authentication type, add your client secret. This is obtained when creating the MS Graph app in Azure.

With Certificate Thumbprint selected as the authentication type, add your certificate thumbprint. This is obtained when creating the MS Graph app in Azure.

Step 3: Create the scanning target

When creating the Microsoft Cloud Service scanning credential, Lansweeper can automatically create a scanning target to scan your AAD data. To automatically create the scanning target, tick the designated checkbox and click the OK button. When you check Azure Active Directory, an AAD scanning target is automatically created and linked to this credential.

When multiple scanning targets are selected, ensure that the app has sufficient API permissions to scan the selected scanning targets. If you'd like to use the credential for both Microsoft 365 and AAD scanning for instance, make sure application permissions are set for both.

If you already have a Microsoft Cloud Services credential, you can add a new Azure Active Directory Scanning target to it via Scanning\Scanning Targets. During the creation of your AAD scanning target, you can select a pre-existing credential.

Related Articles

Get Started Right Away

Try Lansweeper for Free