What access is needed to configure inventory collection for Office 365 from the Graph API?


These are the current credentials as of June 2020. This KB will be updated alongside any changes from Microsoft.



The credential required for the initial connection to Office 365 is the Cloud Administrator Access Role within Azure AD.

This role is required when generating the token. It can be revoked afterwards, but be aware that once the token has expired you will need this role again.


The other role that is currently required is the Reports Reader Role. This role is used to gather the information from the Graph API. Without this role, the adapter will fail with the following error:


2020-05-20 18:38:22,776 [INFO ] Failed to execute Reader 'Get Usage from Office 365 Exchange' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\Usage.xml, at step line 1

Error: The remote server returned an error: (403) Forbidden.

2020-05-20 18:38:22,776 [INFO ] All retries have been attempted for Reader 'Get Usage from Office 365 Exchange'

2020-05-20 18:38:22,776 [INFO ] Completed with error in 51 minutes, 1 second.

2020-05-20 18:38:22,776 [ERROR] System.Net.WebException: The remote server returned an error: (403) Forbidden.
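
To triage this failure from a log file, the check below (an added example, not Flexera code) scans importer log text for failed Readers and flags those whose error is an HTTP 403, the symptom this article ties to a missing Reports Reader role. The first five sample lines are the excerpt above; the last two, including the `C:\Temp\Users.xml` path, are constructed as a non-403 control, and the function and class names are illustrative.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: lines 1-5 are the excerpt from this article; the last two
# lines are constructed to show a failure that is not a 403.
SAMPLE_LOG = r"""2020-05-20 18:38:22,776 [INFO ] Failed to execute Reader 'Get Usage from Office 365 Exchange' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\Usage.xml, at step line 1
Error: The remote server returned an error: (403) Forbidden.
2020-05-20 18:38:22,776 [INFO ] All retries have been attempted for Reader 'Get Usage from Office 365 Exchange'
2020-05-20 18:38:22,776 [INFO ] Completed with error in 51 minutes, 1 second.
2020-05-20 18:38:22,776 [ERROR] System.Net.WebException: The remote server returned an error: (403) Forbidden.
2020-05-21 02:00:10,101 [INFO ] Failed to execute Reader 'Get Users from Office 365' from file C:\Temp\Users.xml, at step line 4
Error: The operation has timed out.
"""

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(\w+)\s*\] (.*)$")
FAILED = re.compile(r"Failed to execute Reader '([^']+)'")
STATUS = re.compile(r"returned an error: \((\d{3})\)")

@dataclass
class ReaderFailure:
    timestamp: str
    reader: str
    http_status: Optional[int]
    missing_role_suspected: bool  # True only for 403, per this article

def find_reader_failures(log_text):
    """Return one ReaderFailure per 'Failed to execute Reader' entry."""
    entries = []  # [timestamp, message including continuation lines]
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(3)])
        elif entries and line.strip():
            entries[-1][1] += "\n" + line.strip()  # e.g. the "Error: ..." line
    failures = []
    for ts, msg in entries:
        failed = FAILED.search(msg)
        if not failed:
            continue
        status = STATUS.search(msg)
        code = int(status.group(1)) if status else None
        failures.append(ReaderFailure(ts, failed.group(1), code, code == 403))
    return failures

if __name__ == "__main__":
    for f in find_reader_failures(SAMPLE_LOG):
        print(f)
```

A flagged entry is a prompt to confirm the Reports Reader assignment on the account used for the token, not proof that the role is missing.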


Quick Answer

Cloud Administrator Access


Reports Reader 




The following link shows how you can assign a role within Azure AD

By Level 17 Champion
Level 17 Champion


This article could need a bit more formatting. Please at least highlight the role names. If possible, please add a description and/or screenshot where to set the roles in the 365 cloud portal.

Best regards,


Level 4

Hi, the roles required are as below.


The Cloud Application Administrator and Report reader roles in Azure are required for gathering inventory from an O365 tenant. If there are multiple tenants, the above roles should be assigned from each tenant to gather O365 inventory from all the tenants.



Version history
Last update: Jun 29, 2020 07:48 AM