What access is needed to configure inventory collection for Office 365 from the Graph API?
These are the current credentials as of June 2020. This KB will be updated alongside any changes from Microsoft.
The initial connection to Office 365 requires the Cloud Administrator Access Role within Azure AD.
This role is required when generating the token. It can be revoked afterwards, but be aware that once the token has expired you will need this role again.
The other role that is currently required is the Reports Reader Role. This role is used to gather the information from the Graph API. Without this role, the adapter will fail with the following error:
2020-05-20 18:38:22,776 [INFO ] Failed to execute Reader 'Get Usage from Office 365 Exchange' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\Usage.xml, at step line 1
Error: The remote server returned an error: (403) Forbidden.
2020-05-20 18:38:22,776 [INFO ] All retries have been attempted for Reader 'Get Usage from Office 365 Exchange'
2020-05-20 18:38:22,776 [INFO ] Completed with error in 51 minutes, 1 second.
2020-05-20 18:38:22,776 [ERROR] System.Net.WebException: The remote server returned an error: (403) Forbidden.
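Added example (not Flexera's code): a small triage script that scans the adapter log for Readers that failed with HTTP 403, the symptom this article attributes to a missing Reports Reader Role. The sample log is constructed from the excerpt above; the 'Get Users' entry, its 401 status and its file path are hypothetical.

```python
import re

# Constructed sample: the first four lines mirror the excerpt above, the last two are hypothetical.
SAMPLE_LOG = r"""2020-05-20 18:38:22,776 [INFO ] Failed to execute Reader 'Get Usage from Office 365 Exchange' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\Usage.xml, at step line 1
Error: The remote server returned an error: (403) Forbidden.
2020-05-20 18:38:22,776 [INFO ] All retries have been attempted for Reader 'Get Usage from Office 365 Exchange'
2020-05-20 18:38:22,776 [ERROR] System.Net.WebException: The remote server returned an error: (403) Forbidden.
2020-05-20 18:40:02,311 [INFO ] Failed to execute Reader 'Get Users' from file C:\Example\Users.xml, at step line 1
Error: The remote server returned an error: (401) Unauthorized.
"""

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \[(\w+)\s*\] (.*)$")
FAILED = re.compile(r"Failed to execute Reader '([^']+)'")
RETRIES = re.compile(r"All retries have been attempted for Reader '([^']+)'")
STATUS = re.compile(r"returned an error: \((\d{3})\)")


def reader_failures(log_text):
    """Return {reader name: {"first_seen", "status", "retries_exhausted"}}."""
    failures, current = {}, None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        # Lines without a timestamp ("Error: ...") continue the previous entry.
        message = entry.group(3) if entry else line
        failed = FAILED.search(message)
        if failed:
            current = failures.setdefault(failed.group(1), {
                "first_seen": entry.group(1) if entry else None,
                "status": None,
                "retries_exhausted": False,
            })
            continue
        exhausted = RETRIES.search(message)
        if exhausted and exhausted.group(1) in failures:
            failures[exhausted.group(1)]["retries_exhausted"] = True
            continue
        status = STATUS.search(message)
        # Attribute the first HTTP status after a failure to that Reader.
        if status and current is not None and current["status"] is None:
            current["status"] = int(status.group(1))
    return failures


def missing_role_candidates(log_text):
    """Readers rejected with 403: check the Reports Reader Role assignment."""
    found = reader_failures(log_text)
    return sorted(name for name, f in found.items() if f["status"] == 403)
```

A 403 here means the token was accepted but the account lacks permission, which is why the role assignment is the first thing to check; a 401 points at the token itself.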
Cloud Administrator Access
The following link shows how you can assign a role within Azure AD