Summary
What access is needed to configure inventory collection for Office 365 from the Graph API?
These are the current credentials as of June 2020. This KB will be updated alongside any changes from Microsoft.
Requirements
The initial connection to Office 365 requires the Cloud Administrator Access Role within Azure AD.
This role is required when generating the token. It can be revoked afterwards, but be aware that once the token has expired you will need this role again.
The other role currently required is the Reports Reader Role. This role is used to gather the information from the Graph API. Without this role, the adapter will fail with the following error:
2020-05-20 18:38:22,776 [INFO ] Failed to execute Reader 'Get Usage from Office 365 Exchange' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\Usage.xml, at step line 1
Error: The remote server returned an error: (403) Forbidden.
2020-05-20 18:38:22,776 [INFO ] All retries have been attempted for Reader 'Get Usage from Office 365 Exchange'
2020-05-20 18:38:22,776 [INFO ] Completed with error in 51 minutes, 1 second.
2020-05-20 18:38:22,776 [ERROR] System.Net.WebException: The remote server returned an error: (403) Forbidden.
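The following is an added example, not part of the original KB or of Flexera's tooling: a Python triage script that scans the adapter log for failed readers and flags the 403 case that this article ties to a missing Reports Reader role. The function names and the second reader in the sample log are constructed for illustration.

```python
import re

# Constructed sample: the article's log lines plus one made-up reader failing with a 500.
SAMPLE_LOG = r"""2020-05-20 18:38:22,776 [INFO ] Failed to execute Reader 'Get Usage from Office 365 Exchange' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\Usage.xml, at step line 1
Error: The remote server returned an error: (403) Forbidden.
2020-05-20 18:38:22,776 [INFO ] All retries have been attempted for Reader 'Get Usage from Office 365 Exchange'
2020-05-20 18:38:22,776 [ERROR] System.Net.WebException: The remote server returned an error: (403) Forbidden.
2020-05-20 18:40:00,000 [INFO ] Failed to execute Reader 'Constructed Example Reader' from file C:\example\Example.xml, at step line 1
Error: The remote server returned an error: (500) Internal Server Error.
"""

# A new entry starts with "timestamp [LEVEL] message"; other lines continue the previous entry.
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(\w+)\s*\] (.*)$")
FAILED = re.compile(r"Failed to execute Reader '([^']+)' from file (.+?), at step line (\d+)")
HTTP = re.compile(r"The remote server returned an error: \((\d{3})\)")


def parse_entries(text):
    """Split the log into entries, attaching untimestamped lines to the entry above."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"time": m.group(1), "level": m.group(2), "msg": m.group(3)})
        elif entries and line.strip():
            entries[-1]["msg"] += "\n" + line.strip()
    return entries


def failed_readers(text):
    """Return one finding per failed reader, with the HTTP status from its error line."""
    findings = []
    for entry in parse_entries(text):
        failed = FAILED.search(entry["msg"])
        if not failed:
            continue
        http = HTTP.search(entry["msg"])
        status = int(http.group(1)) if http else None
        findings.append({
            "time": entry["time"],
            "reader": failed.group(1),
            "file": failed.group(2),
            "status": status,
            # 403 is the failure this article attributes to a missing Reports Reader role.
            "check_reports_reader_role": status == 403,
        })
    return findings


if __name__ == "__main__":
    for finding in failed_readers(SAMPLE_LOG):
        print(finding)
```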
Quick Answer
Cloud Administrator Access
Reports Reader
Links
The following link shows how you can assign a role within Azure AD
Jun 26, 2020 02:54 AM - edited Jun 29, 2020 07:48 AM
Hi,
This article could need a bit more formatting. Please at least highlight the role names. If possible, please add a description and/or screenshot where to set the roles in the 365 cloud portal.
Best regards,
Markward
Hi, the roles required are as below.
The Cloud Application Administrator and Report reader roles in Azure are required for gathering inventory from the O365 tenant, and if there are multiple tenants, the above roles should be assigned from each tenant to gather O365 inventory from all the tenants.
Regards