Flexera Alpesh
Flexera

Re: Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation

Hi Kyle,

Please review the following points and let us know if this helps you with the concerns you have raised in this post.

  • Flexera’s O365 App is considered a native App and it is being used by Beacon, which is installed in the User’s environment. The credentials information is not stored on FNMS Cloud anywhere. Flexera’s O365 App uses the OAuth 2.0 authorization code grant to generate the token and get the data: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
  • If Flexera’s O365 App was a Web App and storing the refresh token on the Cloud Servers then we would need to use the Client Secret, as explained in the OAuth 2.0 Client Credentials Grant Process: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
  • This Microsoft article clearly explains the consent and permissions process that our new O365 adapter uses: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
  • Also, about Cloud Application Administration permissions getting misused: on following the article above you will see that anytime the actual permissions get changed, the user will be presented with a dialog for consent. In the O365 adapter for FNMS, the permissions actually used are Directory.Read.All and Reports.Read.All, and both these permissions can only be consented by an admin. Hence, the cloud application administrator role is needed, and also the role cannot be misused without consent from the administrator again.

Thanks! 
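An added example, not part of the original post and not Flexera's code: one way an Azure AD admin can confirm that the consent recorded for the adapter's app covers only the two permissions named above. It assumes the permissions are delegated grants (as the authorization code flow implies), audits a Microsoft Graph `oauth2PermissionGrants` listing for the app's service principal, and uses a constructed sample response with placeholder ids; `audit_grants` is a hypothetical helper name.

```python
import json

# Delegated permissions the post says the adapter uses.
EXPECTED_SCOPES = {"Directory.Read.All", "Reports.Read.All"}

# Constructed sample shaped like a Microsoft Graph response to
# GET /v1.0/oauth2PermissionGrants?$filter=clientId eq '<service principal id>'
# All ids below are placeholders, not real tenant values.
SAMPLE_GRANTS = json.loads("""
{
  "value": [
    {"id": "grant-1", "clientId": "sp-adapter-placeholder",
     "consentType": "AllPrincipals", "principalId": null,
     "resourceId": "sp-msgraph-placeholder",
     "scope": "Directory.Read.All Reports.Read.All"},
    {"id": "grant-2", "clientId": "sp-adapter-placeholder",
     "consentType": "Principal", "principalId": "user-placeholder",
     "resourceId": "sp-msgraph-placeholder",
     "scope": " User.Read Directory.ReadWrite.All"}
  ]
}
""")


def audit_grants(response, expected=EXPECTED_SCOPES):
    """Return (findings, missing): grants carrying scopes outside `expected`,
    and expected scopes that no tenant-wide (AllPrincipals) grant covers."""
    findings, tenant_wide = [], set()
    for grant in response.get("value", []):
        # `scope` is a space-separated string and may carry leading spaces.
        scopes = set((grant.get("scope") or "").split())
        if grant.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes
        extra = sorted(scopes - expected)
        if extra:
            findings.append({
                "grant": grant.get("id"),
                "consentType": grant.get("consentType"),
                "principalId": grant.get("principalId"),
                "unexpected": extra,
            })
    return findings, sorted(expected - tenant_wide)


if __name__ == "__main__":
    findings, missing = audit_grants(SAMPLE_GRANTS)
    for finding in findings:
        print("unexpected scopes:", finding)
    print("expected scopes without tenant-wide consent:", missing)
```

Run periodically against a fresh export, this surfaces any grant added after the initial consent, whether tenant-wide or for a single user.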

mercym
Flexera beginner

Re: Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation

For a workaround, I would suggest that the Office 365 with correct access (cloud admin) generate a token from their side and provide it to you. Also remember they need to allow multi-tenant when creating the application.
0 Kudos
Ralph_Crowley
Occasional contributor

Re: Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation

Did this work in your environment (having a token generated and provided to the FlexNet Beacon)? Our admins have similar concerns about extending the cloud admin privileges.

0 Kudos
mercym
Flexera beginner

Re: Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation

Hi

The token works, just remember to include the multi-tenant in Office 365.

Regards

Mercy

0 Kudos
winvarma
Active participant

Re: Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation

The Azure cloud administrator is not receiving any kind of alerts when the Flexera Beacon is asking for the permissions, and it's working only when the Flexera account from which the consent was sent is assigned the Cloud Application Administrator permissions, and these permissions were not confined to the Flexera App itself. Please suggest a workaround wherein we can confine or restrict the permissions of the cloud application to a particular app, in this case the Flexera Beacon.
0 Kudos