How to scan Office 365 with a Microsoft Cloud Credential

Scanning Microsoft Cloud Services is a feature introduced in Lansweeper 8.3. If you are using an older Lansweeper release, you will need to update by following the instructions in this knowledge base article.

In Lansweeper version 7.1, Office 365 scanning was introduced. That implementation of O365 scanning made use of basic authentication. In Lansweeper 8.3 a new way of scanning O365 was introduced, using Modern Authentication. To achieve this, we added a new scanning credential, Microsoft Cloud Service. This credential uses OAuth 2.0 to authenticate to a Microsoft Cloud Services application that uses a combination of Microsoft Graph and PowerShell Online to read information from your O365 tenant. To follow this article you must have already created the Microsoft Cloud Services application that is required to scan O365. This article explains what the prerequisites are, what permissions you'll need to add, the configuration required to retrieve mailbox and ActiveSync information via PowerShell, and how to set up Lansweeper to scan your Office 365 data.

Prerequisites

To scan Office 365 with a Microsoft Cloud Credential, make sure that:

  • You've already set up your Microsoft Cloud Services application.
  • You're in possession of your Microsoft Cloud Services application's Application (client) ID, Directory (tenant) ID, and Client secret or certificate. These were obtained when creating the application.

Adding permissions to the Microsoft Graph application to scan Office 365 data

The application that was previously created must now be given the permissions required to retrieve O365 information. Follow the steps below to achieve this.

Step 1: API permissions in the Azure Portal

Open your company's Azure portal, navigate to App registrations, click on the app you've already created and click on the API permissions tab in the left-hand menu.

On the API permissions page, click on the Add permission button and select Microsoft Graph from the API list.

As we are setting up the Graph API to enforce modern authentication, you will need to add Application permissions. Therefore, click the Application permissions button.

Add the API permissions listed in the table below. These are all required to scan your Office 365 data.

Permission              Description
Directory.Read.All      Read directory data
Domain.Read.All         Read domains
Group.Read.All          Read all groups
GroupMember.Read.All    Read all group memberships
Organization.Read.All   Read organization information
OrgContact.Read.All     Read organizational contacts
User.Read.All           Read all users' full profiles

Once the permissions are added, click the save button on the bottom of the page and double-check the permissions that are listed.

Step 2: Grant admin consent

The permissions are added but admin consent must still be granted. To do this, click the button Grant admin consent for <organization> and click the Grant button in the resulting pop-up.

All added permissions should now show Granted for <organization>.
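A way to confirm the consent took effect without opening the portal: the script below (an added example, not part of the article or of Lansweeper) requests an app-only token with the OAuth 2.0 client credentials flow, the same flow the Microsoft Cloud Service credential uses, and compares the token's roles claim with the permissions listed above. The tenant ID, client ID and client secret are placeholders.

```powershell
# Added example (not from the article): request an app-only token with the
# OAuth 2.0 client credentials flow and check that the token's "roles" claim
# contains every Graph application permission the article lists.
# The IDs and secret below are placeholders; replace them with your own values.
param(
    [string]$TenantId     = '<Directory (tenant) ID>',
    [string]$ClientId     = '<Application (client) ID>',
    [string]$ClientSecret = '<Client secret>'
)

$RequiredRoles = @(
    'Directory.Read.All', 'Domain.Read.All', 'Group.Read.All',
    'GroupMember.Read.All', 'Organization.Read.All',
    'OrgContact.Read.All', 'User.Read.All'
)

# Client credentials request against the v2.0 token endpoint; the .default
# scope returns whatever application permissions currently have admin consent.
$Body = @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://graph.microsoft.com/.default'
    grant_type    = 'client_credentials'
}
$Token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $Body

# Decode the JWT payload (second dot-separated segment, base64url, unpadded).
$Payload = $Token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($Payload.Length % 4) { 2 { $Payload += '==' } 3 { $Payload += '=' } }
$Claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload)) |
    ConvertFrom-Json

# Application permissions granted to the app appear in the "roles" claim.
$Granted = @($Claims.roles)
$Missing = $RequiredRoles | Where-Object { $_ -notin $Granted }

if ($Missing) {
    Write-Warning "Admin consent is missing for: $($Missing -join ', ')"
} else {
    Write-Host 'All required Graph application permissions are granted.'
}
```

Any permission reported as missing was either not added in Step 1 or not consented in Step 2; a token issued before consent was granted will not show the new roles until it expires.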

How to retrieve O365 mailbox and ActiveSync data using PowerShell Online scanning

It is possible to scan Office 365 data using Microsoft Graph exclusively, but this will not include mailbox information or ActiveSync data. To retrieve this information, PowerShell Online must be used. To use PowerShell Online for scanning in addition to Microsoft Graph, follow the steps below.

Your scanning credential must use a certificate thumbprint, not a client secret, for PowerShell Online scanning.

Step 1: PowerShell Online prerequisites

To enable PowerShell Online scanning, make sure that:

  • Your Lansweeper scanning server is running Windows 7 or a more recent operating system.
  • Your Lansweeper scanning server has a 64-bit architecture.
  • Your Lansweeper scanning server has Windows PowerShell version 5.1. If you only just installed this PowerShell version, make sure to reboot your machine. Your scanning server must not have pending reboots.
  • Your Lansweeper scanning server is configured to allow scripts that are signed by a trusted publisher. You can configure this by running the command below in an elevated PowerShell window on the scanning server.

Set-ExecutionPolicy RemoteSigned

Step 2: Install the EXO v2 module on your scanning server

The EXO V2 module, or Exchange Online PowerShell V2 module, contains a small set of exclusive Exchange Online PowerShell cmdlets that are optimized for bulk data retrieval scenarios. The module uses modern authentication for all cmdlets. PowerShell Online with modern authentication requires a certificate thumbprint; keep this in mind when creating your credential.

To install the latest public version of the module, run the command below in an elevated PowerShell window.

Install-Module -Name ExchangeOnlineManagement

The Exchange Online PowerShell V2 module requires basic authentication to be enabled in WinRM. As per Microsoft's documentation this is required because "...the client-side WinRM implementation has no support for OAuth". More information, including how to check and enable Basic Auth for WinRM, can be found in the full EXO v2 prerequisites here.
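To check Step 1 and Step 2 in one pass, the script below (an added example, not part of the article or of Lansweeper) reports on each prerequisite from an elevated PowerShell window on the scanning server; it only reads state and changes nothing. The pending-reboot check relies on the registry locations Windows uses for Component Based Servicing, Windows Update and pending file renames.

```powershell
# Added example (not from the article): report on the PowerShell Online
# prerequisites for the Lansweeper scanning server. Read-only.
$Checks = [ordered]@{}

# 64-bit OS and Windows PowerShell 5.1
$Checks['64-bit OS']      = [Environment]::Is64BitOperatingSystem
$Checks['PowerShell 5.1'] = ($PSVersionTable.PSVersion.Major -eq 5 -and
                             $PSVersionTable.PSVersion.Minor -ge 1)

# Execution policy must allow scripts signed by a trusted publisher
$Policy = Get-ExecutionPolicy
$Checks['Execution policy'] = $Policy -in 'RemoteSigned', 'Unrestricted', 'Bypass'

# Pending reboot: markers left by Component Based Servicing, Windows Update
# and pending file rename operations
$CbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$WuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$Sm     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
            -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
$Checks['No pending reboot'] = -not (Test-Path $CbsKey) -and -not (Test-Path $WuKey) -and
                               -not $Sm.PendingFileRenameOperations

# EXO V2 module present
$Checks['EXO module installed'] =
    [bool](Get-Module -ListAvailable -Name ExchangeOnlineManagement)

# WinRM client basic authentication, required by the EXO V2 module
$WinRm = Get-Item 'WSMan:\localhost\Client\Auth\Basic' -ErrorAction SilentlyContinue
$Checks['WinRM client Basic auth'] = ($WinRm.Value -eq 'true')

# Print one line per check
$Checks.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```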

Step 3: Add the Graph application in the Exchange administrator role

Log in to your company's Azure portal and navigate to App registrations. Select the MS Graph app that was set up for Office 365 scanning and copy the Application ID.

Once you've copied the Application ID, click on the menu icon in the top left corner and navigate to Azure Active Directory. In the Azure Active Directory screen, select Roles and administrators. Search for Exchange and select the Exchange administrator role.

Click the Add assignments link and search for the application using the Application ID you've copied. Select the application and click the Add button to add the application to the role.

Note: you have to search for the application using the Application ID, as it does not appear in the list by default.

Step 4: Assign and grant API permissions

The final step is to grant the application the correct API permissions for Office 365 Exchange Online. To do this, navigate to App registrations again. Select API permissions in the left menu and click on Add permission.

Instead of selecting the Microsoft Graph API as we did previously, you'll need to select the Office 365 Exchange Online API, which should already be in use. Therefore, you can click on APIs my organization uses, search for Office 365 Exchange Online and select it.

Next, click on Application permissions, expand the Exchange item and select the Exchange.ManageAsApp permission.

Step 5: Grant admin consent

Once the permissions are added, click the save button on the bottom of the page and double-check the permissions that are listed.

The permission is added, but admin consent must still be granted for it by the account you're logged on to Azure with. To do this, click the button Grant admin consent for <organization> and click the Grant button in the resulting pop-up.

All permissions should now show Granted for <organization>.
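Before pointing Lansweeper at the tenant, it is worth confirming that the app-only configuration from Steps 1 to 5 actually works. The script below (an added example, not part of the article or of Lansweeper) connects with the EXO V2 module using the certificate thumbprint and reads a handful of mailbox and mobile-device records; the app ID, tenant domain and thumbprint are placeholders.

```powershell
# Added example (not from the article): verify app-only (certificate) access
# to Exchange Online with the EXO V2 module. Placeholders are assumptions.
param(
    [string]$AppId        = '<Application (client) ID>',
    [string]$Organization = '<tenant>.onmicrosoft.com',
    [string]$Thumbprint   = '<certificate thumbprint>'
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

# The certificate (with private key) must be in a local store for app-only
# authentication; fail early with a clear message if it is not.
$Cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
    Where-Object Thumbprint -eq $Thumbprint
if (-not $Cert) {
    throw "Certificate $Thumbprint not found in CurrentUser\My or LocalMachine\My"
}

try {
    # App-only connection: no user credentials. Authorization comes from the
    # Exchange.ManageAsApp permission plus the Exchange administrator role.
    Connect-ExchangeOnline -AppId $AppId -Organization $Organization `
        -CertificateThumbprint $Thumbprint -ShowBanner:$false

    # Mailbox data via the EXO V2 cmdlet optimised for bulk retrieval
    $Mailboxes = Get-EXOMailbox -ResultSize 5 -Properties DisplayName, PrimarySmtpAddress
    # ActiveSync / mobile device data
    $Devices = Get-MobileDevice -ResultSize 5

    'Mailboxes read: {0}, mobile devices read: {1}' -f $Mailboxes.Count, $Devices.Count
    # An authorization error on either call means Step 3 (role assignment)
    # or Step 4/5 (Exchange.ManageAsApp with admin consent) is incomplete.
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```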

How to set up Lansweeper to scan your Office 365 data

Step 1: Open the Lansweeper web console.

In the Lansweeper web console, navigate to the Scanning\Scanning Credentials tab.

Step 2: Add a new credential.

On the Scanning Credentials tab, click the Add New Credential button.
Select credential type Microsoft Cloud Service, fill in the name, Application ID and Directory ID. Application ID and Directory ID are obtained when creating the Microsoft Cloud Services application.

Step 3: Select client secret or certificate thumbprint as authentication type.

If Client secret is selected, add the client secret (obtained when creating the MS Graph app in Azure).

If Certificate thumbprint is selected, add the certificate thumbprint (obtained when creating the MS Graph app in Azure).

To scan mailbox and ActiveSync information using PowerShell you must use the certificate thumbprint authentication type.

Step 4: Select the Scanning targets.

When creating the Microsoft Cloud Service scanning credential, Lansweeper can automatically create a scanning target to scan your Office 365 data. To automatically create the scanning target, tick the designated checkboxes and click the OK button. When you check Office 365 v2, an O365v2 scanning target is automatically created and linked to this credential.

When multiple scanning targets are selected, ensure that the app has sufficient API permissions to scan the selected scanning targets. E.g. if you'd like to use the credential for both Office 365 scanning and Intune scanning, make sure application permissions are set for both.

If no Scanning targets are selected when creating the scanning credential, create a scanning target manually via Scanning\Scanning Targets and map the scanning credential to the scanning target afterward.
