Microsoft 365 integration instructions - Single Tenant

A Microsoft 365 integration enables you to connect your client's apps, services, and data. This article walks you through the essential steps of configuring a Single-tenant Microsoft 365 integration, from ensuring you have the proper prerequisites and licenses to verifying connectivity and syncing user data.

To integrate Microsoft 365 with Lifecycle Manager, you need a configured Azure application that grants Lifecycle Manager access to your tenant's information.

Prerequisites

Before proceeding with the Microsoft 365 single-tenant integration, please ensure the following requirements are met:

  • Manage Integrations Permission: Verify that the Manage integrations permission is enabled for the ScalePad Hub account. This permission is required to add integrations in Lifecycle Manager.
  • Administrator Credentials: From the Azure Navigation menu, under Roles and administrators, confirm that you have Global Administrator user credentials for Microsoft Azure.
    MS365_Roles_Administrators.png
  • A Microsoft work account, including organizations using Microsoft 365, alongside an active Intune subscription. The Intune component allows the integration to access and manage device data.
    • Through Intune’s device management endpoints, Lifecycle Manager can retrieve hardware details, compliance status, and software inventory. Without an active Intune subscription, these Intune-related data points would be unavailable for integration.

Creating multiple instances

Lifecycle Manager supports setting up multiple instances of the Microsoft 365 single-tenant integration directly through your account, without contacting Support for manual activation. Multiple single-tenant integrations allow you to maintain clear boundaries and proper data governance across client environments.

This separation allows you to:

  • Enforce Data Isolation: Keep each client’s data and configurations separate, aiding security and compliance.
  • Customize Access: Use unique Azure credentials and permissions for each tenant, enabling tailored integration settings per client.
  • Granular Management: Align each tenant’s integration with different policy or licensing needs (e.g., one client might use specific Intune configurations, while another has different requirements).

Integration steps in Microsoft Azure

Creating the Lifecycle Manager application

We recommend creating a dedicated application that Lifecycle Manager uses to access device and software information.

  1. Sign in to Microsoft Azure as a Global Administrator.
  2. In the Azure Portal, open Azure Active Directory and navigate to App registrations.
  3. Click the +New Registration button.
    MS365_new_app_registration.png
  4. Enter a user-facing display name for the new application registration (for example, Lifecycle Manager Microsoft 365 single tenant Integration).
  5. Under Supported account types, confirm that Accounts in this organizational directory only (product only - Single tenant) is selected. Leave the rest of the default settings as they are.
  6. Click Register to create the application.
    MS365_new_app_registration_create.png
  7. Note the Application (client) ID and the Directory (tenant) ID under the newly created application.
    MS365_new_app_registration_IDs.png

When adding the Microsoft 365 integration to Lifecycle Manager, you must add the Azure (Directory) tenant ID, Azure application (client) ID, and the Azure client secret value to the Microsoft 365 single tenant add integration page.

Configuring Lifecycle Manager application permissions

Users/admins must grant permissions to applications before they can call APIs. For full functionality, the following permissions are required:

  • Microsoft Graph
    • AuditLog.Read.All
    • DeviceManagementApps.Read.All
    • DeviceManagementManagedDevices.Read.All
    • Organization.Read.All
    • User.Read.All - The User.Read.All permission is necessary to retrieve user data.
    • ReportSettings.ReadWrite.All

  1. Within the created application, navigate to the API permissions section.
    MS365_new_app_registration_API_permissions.png
  2. Click the Add a permission button.
    MS365_new_app_registration_API_permissions_add.png
  3. In the Request API permissions screen, select Microsoft Graph and then select Application permissions.
    MS365_Microsoft_Graph_API.png
    MS365_Microsoft_Graph_API_Application_permissions.png
  4. In the Select permissions section, click the arrows next to AuditLog, DeviceManagementApps, DeviceManagementManagedDevices, Organization, User, and ReportSettings to expand each section, or start typing the permission name to filter the results.
    1. In the AuditLog module, select AuditLog.Read.All.
      MS365_AuditLog.Read.All.png
    2. In the DeviceManagementApps module, select DeviceManagementApps.Read.All.
      MS365_DeviceManagementApps.Read.All.png
    3. In the DeviceManagementManagedDevices module, select DeviceManagementManagedDevices.Read.All.
      MS365_DeviceManagementManagedDevices.Read.All.png
    4. In the Organization module, select Organization.Read.All.
      MS365_Organization.Read.All.png
    5. In the User module, select User.Read.All.
      MS365_User.Read.All.png
    6. In the ReportSettings module, select ReportSettings.ReadWrite.All.
      MS365_ReportSettings.ReadWrite.All.png
  5. Once all permissions are selected, click Add permissions.
    1. After clicking Add permissions, you must grant administrator consent for each listed permission. To do this, select Grant admin consent.
      MS365_Grant_consent.png

Granting Lifecycle Manager application access

Client secrets, also known as application passwords, are secret strings the application uses to prove its identity when it requests a token.

  1. Within the created application, navigate to the Certificates & secrets section.
  2. In the Client secrets section, click the New client secret button.
    MS365_client_secret.png
  3. Add a description for the client secret. After entering a description, we recommend keeping the default expiry of 6 months.
  4. Click the Add button.
  5. Take note of the Client secret Value, as this value is required when adding the integration to Lifecycle Manager.
    1. Important: Keep the Client secret Value in a secure location. Once you navigate away, it is not recoverable.

Why 6 months for expiry? - We recommend 6 months because it strikes a balance between security and convenience. Microsoft’s guidelines simply require that the secret not be indefinite. Before a client secret expires, a new one can be created and saved in the existing integration with no downtime.

Authentication steps

Azure portal authentication

  1. Within the created application, navigate to the Authentication section on the left side of the Azure app management page.
    MS365_Authentication_menu.png
  2. Under Platform configurations, unless Web is already present, click Add a platform and choose Web.
    MS365_Authentication_add_platform_web.png
    1. If adding a new platform, enter https://app.scalepad.com/account/integration/oauth as the redirect URI, then click Configure.
    2. If the Web platform was already there, click Add URI and enter https://app.scalepad.com/account/integration/oauth, then click Save.
  3. Under Supported account types, confirm that Accounts in this organizational directory only (product only - Single tenant) is selected.
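The checks above (the exact application permissions to grant, the 6-month client secret rotation, and the single Web redirect URI) are easy to get wrong across many client tenants. The following is an added example, not ScalePad's or Microsoft's code, that audits an exported app registration against those expectations; the sample object is constructed, and the grantedPermissions field is an assumption (already-resolved permission names, which the Graph API itself only exposes as appRole GUIDs).

```python
from datetime import datetime, timezone

# Application permissions the article lists for the Lifecycle Manager app.
REQUIRED_PERMISSIONS = {
    "AuditLog.Read.All", "DeviceManagementApps.Read.All",
    "DeviceManagementManagedDevices.Read.All", "Organization.Read.All",
    "User.Read.All", "ReportSettings.ReadWrite.All",
}
EXPECTED_REDIRECT_URI = "https://app.scalepad.com/account/integration/oauth"

# Constructed sample (not real tenant data) shaped like a Graph 'application'
# object; 'grantedPermissions' is an assumed field holding already-resolved
# permission names, which the real API exposes only as appRole GUIDs.
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",  # "Accounts in this organizational directory only"
    "web": {"redirectUris": [EXPECTED_REDIRECT_URI, "http://localhost:8080/cb"]},
    "grantedPermissions": [
        "AuditLog.Read.All", "DeviceManagementApps.Read.All",
        "DeviceManagementManagedDevices.Read.All", "Organization.Read.All",
        "User.Read.All", "ReportSettings.ReadWrite.All", "Directory.ReadWrite.All",
    ],
    "passwordCredentials": [
        {"displayName": "LM secret 2024", "endDateTime": "2024-01-15T00:00:00Z"},
        {"displayName": "LM secret current", "endDateTime": "2025-03-01T00:00:00Z"},
    ],
}

def _parse(ts):
    """Parse a Graph ISO-8601 timestamp (trailing 'Z') into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def audit_app(app, now_iso, warn_days=30):
    """Return findings as strings; an empty list means the registration matches the article."""
    now, findings = _parse(now_iso), []
    granted = set(app.get("grantedPermissions", []))
    findings += [f"missing permission: {p}" for p in sorted(REQUIRED_PERMISSIONS - granted)]
    findings += [f"unexpected permission: {p}" for p in sorted(granted - REQUIRED_PERMISSIONS)]
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single tenant")
    uris = app.get("web", {}).get("redirectUris", [])
    if EXPECTED_REDIRECT_URI not in uris:
        findings.append("Lifecycle Manager redirect URI is missing")
    findings += [f"unexpected redirect URI: {u}" for u in uris if u != EXPECTED_REDIRECT_URI]
    for cred in app.get("passwordCredentials", []):  # client secrets
        days_left = (_parse(cred["endDateTime"]) - now).days
        if days_left < 0:
            findings.append(f"secret '{cred['displayName']}' expired {-days_left} days ago")
        elif days_left <= warn_days:
            findings.append(f"secret '{cred['displayName']}' expires in {days_left} days")
    return findings
```

Run it against each client tenant's registration before the secret's expiry window so the replacement secret can be created and saved in the existing integration with no downtime.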

Adding credentials to Lifecycle Manager

  1. Within Lifecycle Manager, navigate to the Microsoft 365 single tenant add integration page and fill in the following information gathered previously:
    1. Azure tenant ID
    2. Azure application (client) ID
    3. Azure client secret
  2. Click Connect now.
    MS365_ST_integration_main.png
  3. After the page has been saved, click Authorize. This opens a Microsoft authorization page in a popup; complete the sign-in and consent prompts there.

When you click Connect now, Lifecycle Manager performs a full sync. When finished, you should be able to view your hardware assets in your account, as well as any software assets.
