In Lansweeper version 7.1, Office 365 scanning was introduced. This implementation of O365 scanning made use of basic authentication. In Lansweeper 8.3 a new way of scanning O365 was introduced, using Modern Authentication. To achieve this, we added a new scanning credential, Microsoft Cloud Service. This credential uses OAuth 2.0 to authenticate to a Microsoft Cloud Services application that uses a combination of Microsoft Graph and PowerShell Online to read information from your O365 tenant. To follow this article you must have already created the Microsoft Cloud Services application that is required to scan O365. This article explains what the prerequisites are, what permissions you'll need to add, the required configuration to retrieve mailbox and ActiveSync information via PowerShell, and how to set up Lansweeper to scan your Office 365 data.
Prerequisites
To scan Office 365 with a Microsoft Cloud Credential, make sure that:
- You've already set up your Microsoft Cloud Services application.
- You're in possession of your Microsoft Cloud Services application's Application (client) ID, Directory (tenant) ID, and Client secret or certificate. These were obtained when creating the application.
Adding permissions to the Microsoft Graph application to scan Office 365 data
The application that was previously created must now be given the permissions required to retrieve O365 information. Follow the steps below to achieve this.
Step 1: API permissions in the Azure Portal
Open your company's Azure portal, navigate to App registrations, click on the app you've already created and click on the API permissions tab in the left-hand menu.
On the API permissions page, click on the Add permission button and select Microsoft Graph from the API list.
As we are setting up the Graph API to enforce modern authentication, you will need to add Application permissions. Therefore, click the Application permissions button.
Add the API permissions listed in the table below. These are all required to scan your Office 365 data.

| Permission | Description |
| --- | --- |
| Directory.Read.All | Read directory data |
| Domain.Read.All | Read domains |
| Group.Read.All | Read all groups |
| GroupMember.Read.All | Read all group memberships |
| Organization.Read.All | Read organization information |
| OrgContact.Read.All | Read organizational contacts |
| User.Read.All | Read all users' full profiles |
Once the permissions are added, click the save button at the bottom of the page and double-check the permissions that are listed.
Step 2: Grant admin consent
The permissions are added but admin consent must still be granted. To do this, click the Grant admin consent for <organization> button and click the Grant button in the resulting pop-up.
All added permissions should now show Granted for <organization>.
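The portal shows the consent state one permission at a time. As an added example that is not part of this article or Lansweeper's own tooling, the script below reads the same state from the tenant with the Microsoft Graph PowerShell SDK (assumed installed via Install-Module Microsoft.Graph) and compares it against the seven permissions in the table above, reporting anything missing and, more importantly for least privilege, anything granted beyond that list. The Application (client) ID is a placeholder; the Graph service principal appId it looks up is the well-known one present in every tenant.

```powershell
# Added example (not from the Lansweeper article): audits the app registration's
# Microsoft Graph application permissions and admin consent state, and flags
# anything beyond the seven permissions the table above requires. Assumes the
# Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph)
# and that you sign in as a user allowed to read application objects.
# Replace the placeholder Application (client) ID with your own.

$AppId = '<your-application-client-id>'   # placeholder, from your app registration

# Permissions the article lists as required for Office 365 scanning.
$RequiredGraphPermissions = @(
    'Directory.Read.All', 'Domain.Read.All', 'Group.Read.All',
    'GroupMember.Read.All', 'Organization.Read.All',
    'OrgContact.Read.All', 'User.Read.All'
)

# Well-known appId of the Microsoft Graph service principal in every tenant.
$GraphAppId = '00000003-0000-0000-c000-000000000000'

Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

# Consented app roles live on the service principal (enterprise app), not on the
# app registration object itself.
$appSp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $appSp) { throw "No service principal found for appId $AppId; has the app been consented at all?" }

# Map Graph app-role GUIDs to their readable names (e.g. User.Read.All).
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }

# An appRoleAssignment only exists once admin consent has been granted, so this
# is the consented set, not merely the requested set from the manifest.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] }

$missing = $RequiredGraphPermissions | Where-Object { $_ -notin $granted }
$extra   = $granted | Where-Object { $_ -notin $RequiredGraphPermissions }

[pscustomobject]@{
    Granted = ($granted | Sort-Object) -join ', '
    Missing = ($missing -join ', ')   # not yet added, or consent not granted
    Extra   = ($extra   -join ', ')   # broader than scanning needs; review and remove
}

Disconnect-MgGraph | Out-Null
```

Anything listed under Extra is an application permission the scanning credential can use without any user present, so it deserves the same review as the required set; a permission that was added in the portal but never consented shows up under Missing, which is the usual cause of an O365 scan that authenticates but returns nothing.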
How to retrieve O365 mailbox and ActiveSync data using PowerShell Online scanning
It is possible to scan Office 365 data using Microsoft Graph exclusively, but this will not include mailbox information or ActiveSync data. To retrieve this information, PowerShell Online must be used. To use PowerShell Online for scanning in addition to Microsoft Graph, follow the steps below.
Step 1: PowerShell Online prerequisites
To enable PowerShell Online scanning, make sure that:
- Your Lansweeper scanning server is running Windows 7 or a more recent operating system.
- Your Lansweeper scanning server has a 64-bit architecture.
- Your Lansweeper scanning server has Windows PowerShell version 5.1. If you only just installed this PowerShell version, make sure to reboot your machine. Your scanning server must not have any pending reboots.
- Your Lansweeper scanning server is configured to allow scripts that are signed by a trusted publisher. You can configure this by running the command below in an elevated PowerShell window on the scanning server.
Set-ExecutionPolicy RemoteSigned
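The four prerequisites above are easy to half-satisfy (PowerShell 7 instead of Windows PowerShell 5.1, a reboot still pending after the install, a policy set at user scope only). The following script is an added example, not part of this article, that checks each of them on the scanning server and reports a pass/fail table; the registry locations used for the pending-reboot check are the standard Windows indicators and are the only thing in it not taken directly from the list above.

```powershell
# Added example (not from the Lansweeper article): checks the PowerShell Online
# scanning prerequisites listed above on the scanning server. Run it in an
# elevated PowerShell window on that server. The registry paths used for the
# pending-reboot check are the standard Windows indicators.

function Test-PendingReboot {
    # Any of these indicators means Windows still has a reboot outstanding.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    if (Test-Path $cbs) { return $true }
    if (Test-Path $wu)  { return $true }
    $pfro = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    return [bool]$pfro
}

function Test-LansweeperPsOnlinePrereqs {
    $results = @()

    # Windows 7 is NT 6.1, so anything at or above 6.1 satisfies the OS requirement.
    $os = [Environment]::OSVersion.Version
    $results += [pscustomobject]@{ Check = 'Windows 7 or newer'; Ok = ($os -ge [Version]'6.1'); Detail = $os.ToString() }

    $results += [pscustomobject]@{ Check = '64-bit OS'; Ok = [Environment]::Is64BitOperatingSystem; Detail = "Is64BitProcess=$([Environment]::Is64BitProcess)" }

    # Windows PowerShell 5.1 specifically (PSEdition Desktop); PowerShell 7 does not count.
    $ps = $PSVersionTable.PSVersion
    $results += [pscustomobject]@{ Check = 'Windows PowerShell 5.1'; Ok = ($ps.Major -eq 5 -and $ps.Minor -eq 1); Detail = "$ps ($($PSVersionTable.PSEdition))" }

    $results += [pscustomobject]@{ Check = 'No pending reboot'; Ok = -not (Test-PendingReboot); Detail = '' }

    # Effective policy: RemoteSigned is what the article sets. AllSigned is stricter and
    # also fine; Unrestricted/Bypass would work but are broader than scanning needs.
    $policy = Get-ExecutionPolicy
    $ok     = $policy -in 'RemoteSigned', 'AllSigned', 'Unrestricted', 'Bypass'
    $note   = if ($policy -in 'Unrestricted', 'Bypass') { "$policy (broader than required; prefer RemoteSigned)" } else { "$policy" }
    $results += [pscustomobject]@{ Check = 'Execution policy allows signed scripts'; Ok = $ok; Detail = $note }

    return $results
}

$report = Test-LansweeperPsOnlinePrereqs
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more prerequisites are not met; fix them before enabling PowerShell Online scanning.'
}
```

Run it under the same account the Lansweeper scanning service uses where possible: Get-ExecutionPolicy reports the effective policy for the current user, and a RemoteSigned set only at CurrentUser scope for your admin account does not cover the service account (Set-ExecutionPolicy without -Scope writes LocalMachine, which does).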
Step 2: Install the EXO v2 module on your scanning server
The EXO V2 module, or Exchange Online PowerShell V2 module, contains a small set of exclusive Exchange Online PowerShell cmdlets that are optimized for bulk data retrieval scenarios. The module uses modern authentication for all cmdlets. Note that PowerShell Online scanning with modern authentication requires a certificate thumbprint; keep this in mind when choosing the authentication type for your credential.
To install the latest public version of the module, run the command below in an elevated PowerShell window.
Install-Module -Name ExchangeOnlineManagement
Step 3: Add the Graph application to the Exchange administrator role
Log in to your company's Azure portal and navigate to App registrations. Select the MS Graph app that was set up for Office 365 scanning and copy the Application ID.
Once you've copied the Application ID, click on the menu icon in the top left corner and navigate to Azure Active Directory. In the Azure Active Directory screen, select Roles and administrators. Search for Exchange and select the Exchange administrator role.
Click the Add assignments link and search for the application using the Application ID you've copied. Select the application and click the Add button to add the application to the role.
Step 4: Assign and grant API permissions
The final step is to grant the application the correct Office 365 Exchange Online API permissions. To do this, navigate to App registrations again. Select API permissions in the left menu and click on Add permission.
Instead of selecting the Microsoft Graph API as we did previously, you'll need to select the Office 365 Exchange Online API, which should already be in use. Therefore, you can click on APIs my organization uses, search for Office 365 Exchange Online and select it.
Next, click on Application permissions, expand the Exchange item and select the Exchange.ManageAsApp permission.
Step 5: Grant admin consent
Once the permissions are added, click the save button on the bottom of the page and double-check the permissions that are listed.
The permission is added but admin consent must still be granted. To do this, click the Grant admin consent for <organization> button and click the Grant button in the resulting pop-up.
All permissions should now show Granted for <organization>.
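Steps 2 to 5 only pay off together: the module has to be installed, the certificate has to be reachable by the scanning account, and the Exchange administrator role plus the consented Exchange.ManageAsApp permission have to be in place before an app-only connection works. The script below is an added example, not Lansweeper's own scanning code, that verifies all of that in one go by connecting to Exchange Online the same way the credential will (app ID plus certificate thumbprint, no user and no secret) and pulling a tiny sample of mailbox and mobile device data. The three placeholder values are yours to fill in, and the certificate store location (Cert:\LocalMachine\My) is an assumption to adjust to wherever your certificate is installed.

```powershell
# Added example (not from the Lansweeper article): verifies the EXO V2 module is
# installed and that the app registration can connect to Exchange Online app-only
# with the certificate thumbprint you will enter in the Lansweeper credential.
# This succeeds only once steps 3 and 4 above (Exchange administrator role and a
# consented Exchange.ManageAsApp permission) are in place. The placeholders are
# yours to fill in; the certificate store path is an assumption.

$AppId        = '<your-application-client-id>'
$Thumbprint   = '<your-certificate-thumbprint>'
$Organization = '<yourtenant>.onmicrosoft.com'

function Test-ExoPrerequisites {
    # Module present? Pick the newest installed version if several exist.
    $module = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $module) {
        throw 'ExchangeOnlineManagement module not installed; run Install-Module -Name ExchangeOnlineManagement'
    }

    # Certificate with its private key available to this account (assumed store: LocalMachine\My).
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; app-only authentication needs one' }

    [pscustomobject]@{ ModuleVersion = $module.Version; CertificateExpires = $cert.NotAfter }
}

function Test-ExoAppOnlyConnection {
    # Certificate-based app-only sign-in: no user, no password, no client secret.
    Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Organization -ShowBanner:$false
    try {
        # Smallest reads that prove the role assignment and permission are effective.
        $mailboxes = Get-EXOMailbox -ResultSize 5 -Properties DisplayName, PrimarySmtpAddress
        $devices   = Get-MobileDevice -ResultSize 5
        [pscustomobject]@{
            MailboxSample     = ($mailboxes.PrimarySmtpAddress -join ', ')
            MobileDeviceCount = @($devices).Count
        }
    } finally {
        # Always tear the session down, even when a read fails part-way.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

Test-ExoPrerequisites
Test-ExoAppOnlyConnection
```

If Connect-ExchangeOnline fails with an authorization error while Test-ExoPrerequisites passed, the gap is on the Azure side (step 3 or step 4, or consent not yet granted), not on the scanning server. Note the CertificateExpires value as well: when that certificate expires, PowerShell Online scanning stops silently until the credential is updated with a new thumbprint.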
How to set up Lansweeper to scan your Office 365 data
Step 1: Open the Lansweeper web console.
In the Lansweeper web console, navigate to the Scanning\Scanning Credentials tab.
Step 2: Add a new credential.
On the Scanning Credentials tab, click the Add New Credential button.
Select credential type Microsoft Cloud Service, fill in the name, Application ID and Directory ID. Application ID and Directory ID are obtained when creating the Microsoft Cloud Services application.
Step 3: Select client secret or certificate thumbprint as authentication type.
If Client secret is selected, enter the client secret (obtained when creating the MS Graph app in Azure).
If Certificate thumbprint is selected, enter the certificate thumbprint (obtained when creating the MS Graph app in Azure).
Step 4: Select the Scanning targets.
When creating the Microsoft Cloud Service scanning credential, Lansweeper can automatically create a scanning target to scan your Office 365 data. To automatically create the scanning target, tick the designated checkboxes and click the OK button. When you check Office 365 v2, an O365v2 scanning target is automatically created and linked to this credential.
When multiple scanning targets are selected, ensure that the app has sufficient API permissions to scan the selected scanning targets. For example, if you'd like to use the credential for both Office 365 scanning and Intune scanning, make sure application permissions are set for both.