From version 9.4 onward, Lansweeper is capable of scanning Azure Active Directory (AAD) users and groups using a new Azure Active Directory scanning target. This scanning target makes use of the Microsoft Cloud Service credential type, which can also be used to scan your Intune assets or M365 tenant. This credential makes use of Modern Authentication and the Microsoft Graph API, using application permissions.
To follow this article you must have already created a Microsoft Cloud Services application. This article explains what the prerequisites are, which permissions you need to add, and how to set up Lansweeper to scan your Azure Active Directory.
To scan your Azure Active Directory make sure that:
- You've already set up your Microsoft Cloud Services application.
- You're in possession of your Microsoft Cloud Services application's Application (client) ID, Directory (tenant) ID, and Client secret or certificate. These are obtained when creating the application.
Adding permissions to the Microsoft Graph application to scan AAD data
Step 1: Click on the API permissions tab
Open your company's Azure portal, navigate to App registrations, click on the app you've already created and click on the API permissions tab in the left-hand menu.
On the API permissions page, click on the Add permission button and select Microsoft Graph from the API list.
As you're setting up the Microsoft Graph API to enforce modern authentication, you will need to add Application permissions. Click the Application permissions button.
Add the User.Read.All API permissions. These are required to be able to scan all AAD data. Once the permissions are added, click the save button at the bottom of the page and double-check the permissions that are listed.
Step 2: Grant admin consent
The permissions are added, but admin consent must still be granted. To do this, click the Grant admin consent for <organization> button and click the Grant button in the resulting pop-up. The added permissions should now show Granted for <organization>.
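Before handing the client secret to Lansweeper, it is worth confirming that admin consent actually took effect. The app-only token that the Microsoft Cloud Service credential obtains through the client-credentials flow lists the granted application permissions in its roles claim, so the check below (an added example, not Lansweeper's or Microsoft's code) builds that token request and inspects the roles of a returned token against the User.Read.All permission from this article. The tenant, client and secret values are placeholders; the sample token is constructed and unsigned, for offline use only.

```python
import base64
import json
from typing import Dict, Iterable, Set

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

# Application permissions this article adds for AAD scanning.
REQUIRED_APP_PERMISSIONS = {"User.Read.All"}


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> Dict[str, object]:
    """Client-credentials request for an app-only Graph token (the flow the
    Microsoft Cloud Service credential uses). Returned as URL plus form body
    so it can be reviewed before being sent with any HTTP client."""
    return {
        "url": TOKEN_ENDPOINT.format(tenant=tenant_id),
        "data": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": GRAPH_DEFAULT_SCOPE,
        },
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_app_roles(access_token: str) -> Set[str]:
    """Application permissions carried by an app-only token ('roles' claim).
    This only parses the payload for inspection; it does not verify the signature."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("roles", []))


def check_permissions(access_token: str, required: Iterable[str] = REQUIRED_APP_PERMISSIONS) -> Dict[str, Set[str]]:
    """'missing' means consent was not granted (Graph will refuse the scan);
    'extra' flags permissions beyond what the scan needs."""
    granted = token_app_roles(access_token)
    required = set(required)
    return {"missing": required - granted, "extra": granted - required}


def constructed_token(roles: Iterable[str]) -> str:
    """Constructed, unsigned sample token for offline testing, not a real token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'aud': 'https://graph.microsoft.com', 'roles': list(roles)})}."
```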
Setting up Lansweeper to scan your Azure Active Directory data
Step 1: Add a new credential
In the Lansweeper web console, navigate to the Scanning\Scanning Credentials menu. In the scanning credentials section of the page, click the Add New Credential button.
Select credential type Microsoft Cloud Service and fill in the name, Application ID and Directory ID. Application ID and Directory ID are obtained when creating the Microsoft Cloud Services application.
Step 2: Select client secret or certificate thumbprint as authentication type
With Client Secret selected as the authentication type, add your client secret. This is obtained when creating the MS Graph app in Azure.
With Certificate Thumbprint selected as the authentication type, add your certificate thumbprint. This is obtained when creating the MS Graph app in Azure.
Step 3: Create the scanning target
When creating the Microsoft Cloud Service scanning credential, Lansweeper can automatically create a scanning target to scan your AAD data. To automatically create the scanning target, tick the designated checkbox and click the OK button. When you check Azure Active Directory, an AAD scanning target is automatically created and linked to this credential.
When multiple scanning targets are selected, ensure that the app has sufficient API permissions to scan the selected scanning targets. If you'd like to use the credential for both Microsoft 365 and AAD scanning for instance, make sure application permissions are set for both.