Sam360 integrates with Microsoft 365 by importing the following data points once per day:
- Tenant details
- Directory, user & device information
- Subscription entitlement and allocation information
- Usage data
- Sign-in audit logs
To import this information, Sam360 creates an App Principal in the target Azure AD environment. The App Principal is configured with the following permissions:
- Microsoft Graph -> User.Read.All
- Microsoft Graph -> Reports.Read.All
- Microsoft Graph -> Device.Read.All
- Microsoft Graph -> Directory.Read.All
- Microsoft Graph -> Organization.Read.All
- Microsoft Graph -> AuditLog.Read.All
A dedicated service principal is also created in the target Azure AD environment. The UPN of the service principal is ‘Sam360IntegrationAccount@domain’, where ‘domain’ is the primary domain name of the Microsoft 365 tenant (e.g. Sam360IntegrationAccount@contoso.com). The service principal is added to the following administrator roles:
- ‘Service Support Administrator’
- ‘View-Only Organization Management’
The App Principal key and Service Principal password are stored securely locally on the Management Point device. They are never transmitted to Sam360 servers. Both App and service principals can be disabled or deleted at any time in the target Azure AD environment.
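The following PowerShell is an added example, not Sam360's or the SAM Gold Toolkit's code: after the setup script has run, a tenant administrator can use it to confirm that the App Principal holds only the six read-only Graph permissions listed above and that the integration account sits only in the expected directory role. It assumes the Microsoft Graph PowerShell SDK is installed; the App Principal's display name is not stated on this page, so `$AppDisplayName` is an assumption to be replaced with the name shown under Enterprise applications.

```powershell
# Added example (not Sam360's or the SAM Gold Toolkit's code): audit what the
# integration identities were actually granted in the tenant.
# Requires the Microsoft.Graph PowerShell SDK. $AppDisplayName is an assumption:
# the article does not give the App Principal's display name.
param(
    [string]$AppDisplayName = 'Sam360',                               # assumed name
    [string]$AccountUpn     = 'Sam360IntegrationAccount@contoso.com'  # domain as in the article
)

$ExpectedGraphPerms = @('User.Read.All', 'Reports.Read.All', 'Device.Read.All',
                        'Directory.Read.All', 'Organization.Read.All', 'AuditLog.Read.All')
$ExpectedRoles = @('Service Support Administrator')   # directory role named in the article

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null

# Resolve the App Principal and the Microsoft Graph resource principal (well-known appId).
$sp    = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
if (-not $sp) { throw "App Principal '$AppDisplayName' not found" }

# Application permissions are app-role assignments; map each AppRoleId back to its name.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object ResourceId -eq $graph.Id |
    ForEach-Object { $roleId = $_.AppRoleId; ($graph.AppRoles | Where-Object Id -eq $roleId).Value }

$extra   = $granted | Where-Object { $_ -notin $ExpectedGraphPerms }
$missing = $ExpectedGraphPerms | Where-Object { $_ -notin $granted }
"Graph permissions granted: $($granted -join ', ')"
if ($extra)   { Write-Warning "Permissions beyond the documented set: $($extra -join ', ')" }
if ($missing) { Write-Warning "Documented permissions not granted: $($missing -join ', ')" }

# Directory roles held by the integration account. Get-MgDirectoryRole only returns
# roles that have been activated in the tenant, which is sufficient here because a
# member can only be added to an activated role.
$user  = Get-MgUser -UserId $AccountUpn
$roles = Get-MgDirectoryRole | Where-Object {
    (Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id).Id -contains $user.Id
} | Select-Object -ExpandProperty DisplayName
"Directory roles for ${AccountUpn}: $($roles -join ', ')"
$extraRoles = $roles | Where-Object { $_ -notin $ExpectedRoles }
if ($extraRoles) { Write-Warning "Directory roles beyond the documented set: $($extraRoles -join ', ')" }

# 'View-Only Organization Management' is an Exchange Online role group rather than an
# Azure AD directory role; check it separately with Get-RoleGroupMember after
# Connect-ExchangeOnline from the ExchangeOnlineManagement module.
```

Anything reported as beyond the documented set is worth raising with whoever ran the setup, since the article states that both principals can be disabled or deleted at any time in Azure AD.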
To configure Microsoft 365 integration…
- Ensure that the required PowerShell modules are installed. Instructions here.
- Ensure that the Management Point user account can access the following URLs:
  - login.microsoftonline.com:443
  - aadcdn.msauth.net:443
  - graph.windows.net:443
  - graph.microsoft.com:443
  - ps.outlook.com:443
- Start the Management Point configuration tool. Instructions here.
- Click ‘Tasks’
- Click ‘Add Task’, ‘Cloud Service’, then ‘Office 365’
- Click ‘Set Up Office 365 Integration’
- A PowerShell script will execute in the background to create the App and Service Principals. The script will prompt for the credentials of a Microsoft 365 Tenant Administrator account up to 3 times. The same account details should be used each time. These account details are not stored.
- Click ‘Test Settings’ to verify that the integration has been configured correctly.
- Click OK. The Management Point will connect to the Microsoft 365 service using the specified credentials and import all licensing-relevant information.
By default, the Microsoft 365 reporting API anonymises application and service usage information. If usage data is anonymised, Sam360 cannot determine which users are active or using their allocated subscriptions. Report data anonymisation is documented in this Microsoft support article. To disable anonymisation:
- Go to the Microsoft 365 admin center.
- Go to Settings > Org Settings > Services.
- Select Reports.
- Clear ‘Display concealed user, group, and site names in all reports’, and then select Save.
The Sam360 Management Point uses the Office 365 integration PowerShell script from the open source SAM Gold Toolkit to query the Microsoft 365 service. The script does not make any changes to the Microsoft 365 environment – it only reads information.