
Flexera
Jun 14, 2019
12:32 AM
Re: Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation
Hi Kyle,
Please review the following points and let us know if this helps you with the concerns you have raised in this post.
- Flexera’s O365 App is considered a native App and it is being used by Beacon, which is installed in the User’s environment. The credentials information is not stored on FNMS Cloud anywhere. Flexera’s O365 App uses the OAuth 2.0 authorization code grant to generate the token and get the data: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
- If Flexera’s O365 App was a Web App and storing the refresh token on the Cloud Servers then we would need to use the Client Secret, as explained in the OAuth 2.0 Client Credentials Grant Process: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
- This Microsoft article clearly explains the consent and Permissions process that our new O365 adapter uses --> https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
- Also, regarding Cloud Application Administration permissions getting misused: on following the article above, you will see that any time the actual permissions get changed, the user will be presented with a dialog for consent. In the O365 adapter for FNMS, the permissions actually used are Directory.Read.All and Reports.Read.All, and both these permissions can only be consented to by an admin. Hence, the cloud application administrator role is needed, and the role cannot be misused without consent from the administrator again.
Thanks!
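
Added example, not part of the original post and not Flexera's code: a way for an admin to check that a token issued for the adapter carries only the two permissions named above. It assumes the access token is a JWT whose delegated scopes are in the space-separated `scp` claim and whose application roles are in the `roles` array; the sample tokens are constructed and unsigned, and the function names are hypothetical.

```python
import base64
import json

# The two permissions the post says the O365 adapter actually uses.
EXPECTED_SCOPES = {"Directory.Read.All", "Reports.Read.All"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Intended for auditing a token you just obtained, not for making
    authorization decisions.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(b64url_decode(parts[1]))


def audit_scopes(claims: dict, expected=EXPECTED_SCOPES) -> dict:
    """Compare granted scopes (`scp`) and app roles (`roles`) with the
    expected set. Anything extra is reported for review, not judged."""
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    return {
        "granted": sorted(granted),
        "unexpected": sorted(granted - expected),
        "missing": sorted(expected - granted),
        "ok": granted == expected,
    }


def make_sample(payload: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


if __name__ == "__main__":
    # Constructed claims: one token with exactly the two scopes, one wider.
    good = make_sample({"scp": "Directory.Read.All Reports.Read.All"})
    wide = make_sample({"scp": "Directory.Read.All Reports.Read.All Directory.ReadWrite.All"})
    for name, tok in (("expected", good), ("over-scoped", wide)):
        print(name, audit_scopes(token_claims(tok)))
```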
mercym
Occasional contributor
Jul 09, 2019
04:15 AM
As a workaround, I would suggest that the Office 365 with correct access (cloud admin) generate a token from their side and provide it to you. Also remember they need to allow multi-tenant when creating the application.
Ralph_Crowley
Active participant
Jul 20, 2019
12:06 PM
Did this work in your environment (having a token generated and provided to the FlexNet Beacon)? Our admins have similar concerns about extending the cloud admin privileges.
mercym
Occasional contributor
Jul 23, 2019
03:34 AM
Hi
The token works, just remember to include the multi-tenant in Office 365.
Regards
Mercy
winvarma
Consultant
Aug 27, 2019
02:15 AM
The Azure cloud administrator is not receiving any kind of alerts when the Flexera Beacon is asking for the permissions, and it's working only when the Flexera account from which the consent was sent is assigned the Cloud Application Administrator permissions, and these permissions were not confined to the Flexera App itself. Please suggest a workaround wherein we can confine or restrict the permissions of the cloud application to a particular app, in this case Flexera Beacon.