Summary

What access is needed to configure inventory collection for Office 365 from the Graph API?

 

These are the current credentials as of June 2020. This KB will be updated alongside any changes from Microsoft.

 

Requirements

The role required for the initial connection to Office 365 is the Cloud Administrator Access Role within Azure AD.

This role is required when generating the token. It can be revoked afterwards, but please be aware that once the token has expired you will need this role again.

The other role that is currently required is the Reports Reader Role. This role is used to gather the information from the Graph API. Without this role, the adapter will fail with the following error:

 

2020-05-20 18:38:22,776 [INFO ] Failed to execute Reader 'Get Usage from Office 365 Exchange' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\Usage.xml, at step line 1

Error: The remote server returned an error: (403) Forbidden.

2020-05-20 18:38:22,776 [INFO ] All retries have been attempted for Reader 'Get Usage from Office 365 Exchange'

2020-05-20 18:38:22,776 [INFO ] Completed with error in 51 minutes, 1 second.

2020-05-20 18:38:22,776 [ERROR] System.Net.WebException: The remote server returned an error: (403) Forbidden.

 

Quick Answer

Cloud Administrator Access


Reports Reader 


 

Links

The following link shows how you can assign a role within Azure AD:

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user?tabs=new
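
The two roles above can be checked for the adapter account before a collection run. The script below is an added example, not part of the original article or of the product: it assumes the Microsoft.Graph PowerShell module, a placeholder account name, direct (not group-based) role assignment, and the Azure AD display name "Cloud Application Administrator" given in the comments for the role the article calls Cloud Administrator Access.

```powershell
# Added example: checks which of the two roles the adapter account holds.
# $AdapterAccount is a placeholder UPN, not a value from the article.
param(
    [string]$AdapterAccount = 'svc-inventory@example.onmicrosoft.com'
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' | Out-Null

# Role display name -> why the article says it is needed
$expected = [ordered]@{
    'Reports Reader'                  = 'needed for every collection run'
    'Cloud Application Administrator' = 'needed only while generating the token'
}

$user  = Get-MgUser -UserId $AdapterAccount
$roles = Get-MgDirectoryRole -All   # returns only roles activated in the tenant

$report = foreach ($name in $expected.Keys) {
    $role = $roles | Where-Object DisplayName -eq $name
    $held = $false
    if ($role) {
        # Lists active, directly assigned members of the role
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        $held = $members.Id -contains $user.Id
    }
    [pscustomobject]@{ Role = $name; Held = $held; Purpose = $expected[$name] }
}
$report | Format-Table -AutoSize

if (-not ($report | Where-Object Role -eq 'Reports Reader').Held) {
    Write-Warning 'Reports Reader is missing: expect (403) Forbidden from the Usage reader.'
}
if (($report | Where-Object Role -eq 'Cloud Application Administrator').Held) {
    Write-Warning 'Cloud Application Administrator is still assigned; it can be revoked once the token is generated.'
}
```

For multiple tenants, run the check once per tenant, since role assignments are per tenant.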

Comments
mfranz
Level 17 Champion

Hi,

This article could need a bit more formatting. Please at least highlight the role names. If possible, please add a description and/or screenshot where to set the roles in the 365 cloud portal.

Best regards,

Markward

winvarma_MCI
Level 4

Hi, roles required are as below.

 

The Cloud Application Administrator and Report reader roles in Azure are required for gathering inventory from an O365 tenant, and if there are multiple tenants, the above roles should be assigned in each tenant to gather O365 inventory from all the tenants.

 

Regards

Version history
Last update: Jun 29, 2020 07:48 AM