This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Alpesh
Flexera Alpesh
Flexera
‎Jun 14, 2019 12:32 AM

Re: Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation

Hi Kyle,

Please review the following points and let us know if this helps you with the concerns you have raised in this post.

  •  Flexera’s O365 App is considered a native App and it is being used by Beacon, which is installed in the User’s environment. The credentials information is not stored on FNMS Cloud anywhere. Flexera’s O365 App uses the OAuth 2.0 authorization code grant to generate the token and get the data: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow 
  • If Flexera’s O365 App was a Web App and storing the refresh token on the Cloud Servers then we would need to use the Client Secret, as explained in the OAuth 2.0 Client Credentials Grant Process: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
  • This Microsoft article clearly explains the consent and Permissions process that our new O365 adapter uses --> https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
  • Also about Cloud Application Administration permissions getting misused, on following the article above you will see that anytime the actual permissions get changed, the user will be requested a dialog for consent. In the O365 adapter for FNMS, the permissions actually used are Directory.Read.All and Reports.Read.All and both these permissions can only be consented by an admin. Hence, the clould application administrator role is needed and also that the role cannot be misused without consent from the administrator again.

Thanks! 

Reply
Highlighted
mercym
mercym
Flexera beginner
‎Jul 09, 2019 04:15 AM

Re: Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation

For a workaround I would suggest that the Office 365 with correct access (cloud admin) generate a token from their side and provide it to you, also remember they need to allow multi-tenant when creating the application.
0 Kudos
Reply
Highlighted
Ralph_Crowley
Ralph_Crowley
Active participant
‎Jul 20, 2019 12:06 PM

Re: Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation

Did this work in your environment ? (having a token generated & provided to the flexnet beacon). Our admins have similar concerns about extending the cloud admin privileges. 

0 Kudos
Reply
Highlighted
mercym
mercym
Flexera beginner
‎Jul 23, 2019 03:34 AM

Re: Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation

Hi

The token works, just remember to include the multi-tenant in Office 365.

Regards

Mercy

0 Kudos
Reply
Highlighted
winvarma
winvarma
Intrepid explorer
‎Aug 27, 2019 02:15 AM

Re: Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation

The Azure cloud administrator is not receiving any kind of alerts when the Flexera Beacon is asking for the permissions and its working only when the flexera account from which the consent was sent should be assigned with the Cloud Application Administrator permissions and these permissions were not confined to the Flexera App itself , please suggest a workaround where in we can confine or restrict the permissions of the cloud application to particular app in this case flexera beacon
0 Kudos
Reply