Microsoft 365 integration instructions - Multi-Tenant

A Microsoft 365 integration enables you to connect your client's apps, services, and data. This article walks you through the essential steps of configuring a Microsoft 365 integration, from ensuring you have the proper prerequisites and licenses in place to verifying connectivity and syncing user data.

Prerequisites

Before proceeding with the Microsoft 365 integration, please ensure the following requirements are met:

  • Manage Integrations Permission: Verify that the Manage integrations permission is enabled for the ScalePad Hub account. This permission is required to add integrations in Lifecycle Manager.
  • The user is an administrator of your Cloud Solution Provider (CSP) tenant.
  • You have established GDAP relationships with your customers, with the Global Administrator, Application Administrator, or Cloud Application Administrator GDAP role.
    • If the Global Administrator, Application Administrator, or Cloud Application Administrator GDAP role isn't used, the customer will need to manually consent to the application's access to their tenant.

Creating multiple instances

Lifecycle Manager supports setting up multiple instances of the Microsoft 365 multi-tenant integration directly through your account, without contacting Support for manual activation.

Integration steps in Microsoft Azure

Creating the Lifecycle Manager application

We recommend creating a dedicated application that Lifecycle Manager uses to access device and software information.

  1. Sign in to Microsoft Azure as a Global Administrator, Application Administrator, or Cloud Application Administrator.
  2. In the Azure Portal, open Azure Active Directory and navigate to App registrations.
  3. Click the +New Registration button.
    MS365_new_app_registration.png
  4. Enter a user-facing display name for the new application registration (for example, Lifecycle Manager MS365 multi-tenant).
  5. Under Supported account types, check that Accounts in any organizational directory only (Any Microsoft Entra ID tenant - Multitenant) is selected. Leave the rest of the default settings as they are.
  6. Click Register to create the application.
    MS365_new_app_MT_registration_create2.png
  7. Note the Application (client) ID under the newly created application.
    MS365_MT_client_ID.png

When adding the Microsoft 365 integration to Lifecycle Manager, you must add the Azure application (client) ID, and the Azure client secret value to the Microsoft 365 multi-tenant add integration page.

Configuring Lifecycle Manager permissions

Users or admins must grant permissions to an application before it can call APIs. For full functionality, the following permissions are required:

  • Microsoft Graph
    • AuditLog.Read.All
    • Directory.Read.All
    • Reports.Read.All
    • SecurityEvents.Read.All
    • ReportSettings.ReadWrite.All
    • User.Read.All - The User.Read.All permission is necessary to retrieve user data.
  • Microsoft Partner Center
    • User_impersonation (found under API Permissions -> APIs my organization uses by searching for "Microsoft partner center"). User_impersonation is granted as a delegated permission.
  1. Within the created application, navigate to the API permissions section.
    MS365_MT_API_permission.png
  2. Click the Add a permission button.
  3. In the Request API permissions screen, select Microsoft Graph and then select Delegated permissions.
    MS365_Microsoft_Graph_API.png
    MS365_Microsoft_Graph_API_Delegated_permissions.png
  4. In the Select permissions section, click the arrows next to the required modules to expand each section or start typing the permission to filter the results.
    1. In the AuditLog module, select AuditLog.Read.All.
      MS365_AuditLog.Read.All.png
    2. In the Directory module, select Directory.Read.All.
      MS365_Directory.Read.All.png
    3. In the Reports module, select Reports.Read.All.
      MS365_Reports.Read.All.png
    4. In the SecurityEvents module, select SecurityEvents.Read.All.
      MS365_SecurityEvents.Read.All.png
    5. In the User module, select User.Read.All.
      MS365_User.Read.All.png
    6. In the ReportSettings module, select ReportSettings.ReadWrite.All.
      MS365_ReportSettings.ReadWrite.All.png
    7. Once all permissions are selected, click Add permissions.
      1. After selecting Add permissions, you must grant administrator consent for the added permissions by selecting Grant admin consent.
        MS365_Grant_consent.png
  5. Click the Add a permission button.
  6. In the Request API permissions screen, select Microsoft Graph and then select APIs my organization uses.
    MS365_APIs_organization_uses.png
  7. Select Microsoft Partner.
  8. Select Delegated Permissions.
  9. Select user_impersonation.
    MS365_user_impersonation.png

Configuring Lifecycle Manager application process

  1. Navigate to the Azure Active Directory Groups section.
  2. Search for AdminAgents, and then select it. The group name must be exactly AdminAgents.
  3. Navigate to the Members section for the group.
  4. Select Add members, and search for the Lifecycle Manager application that was created (e.g. Lifecycle Manager MS365 multi-tenant), then click Select.

Granting Lifecycle Manager application access

Client secrets, also known as application passwords, are secret strings that the application uses to prove its identity when it requests a token.

  1. Within the created application, navigate to the Certificates & secrets section.
  2. In the Client secrets section, click the New client secret button.
    MS365_client_secret.png
  3. Add a description for the client secret. After entering a description, we recommend leaving the expiry at the default of 6 months.
  4. Click the Add button.
  5. Take note of the Client secret Value, as this value is required when adding the integration to Lifecycle Manager.
    1. Important: Keep the Client secret Value in a secure location. Once you navigate away, it is not recoverable.

Why 6 months for expiry? We recommend 6 months because it strikes a balance between security and convenience. Microsoft's guidelines only require that the secret not be indefinite. Before a client secret expires, a new one can be created and saved in the existing integration with no downtime.

Authentication steps

Azure portal authentication

  1. Within the created application, navigate to the Authentication section on the left side of the Azure app management page.
    MS365_Authentication_menu.png
  2. Under Platform configurations, unless Web is already present, click Add a platform and choose Web.
    MS365_Authentication_add_platform_web.png
    1. If adding a new platform, enter https://app.scalepad.com/account/integration/oauth as the redirect URI, then click Configure.
    2. If the Web platform was already there, click Add URI and enter https://app.scalepad.com/account/integration/oauth, then click Save.
  3. Under Supported account types, check that Accounts in any organizational directory only (Any Microsoft Entra ID tenant - Multitenant) is selected.
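The permissions, client secret and authentication sections above each describe a setting that is easy to get subtly wrong: a required Graph scope that was only consented by one user instead of tenant-wide, a client secret that is about to pass its 6-month expiry, or a redirect URI or account-type setting that does not match what Lifecycle Manager expects. The following script is an added example (not ScalePad's or Microsoft's code) that audits those settings offline against the JSON shapes Microsoft Graph returns for an application object and for oauth2PermissionGrant objects. The sample data is constructed for this example, every `<...>` id is a placeholder, the `SAMPLE_NOW` clock is fixed so the result is reproducible, and the required scope list is taken from the permissions section of this article.

```python
"""Audit an Azure app registration against this article's requirements.

Added example, not ScalePad's or Microsoft's code. It consumes the JSON shapes
Microsoft Graph returns for GET /applications/{id} and GET /oauth2PermissionGrants;
the sample data below is constructed for this example and every <...> value is a
placeholder, not a real tenant identifier.
"""
import json
from datetime import datetime, timezone

# Delegated Microsoft Graph scopes the article requires for full functionality.
REQUIRED_GRAPH_SCOPES = {
    "AuditLog.Read.All", "Directory.Read.All", "Reports.Read.All",
    "SecurityEvents.Read.All", "ReportSettings.ReadWrite.All", "User.Read.All",
}
# Redirect URI from the authentication section of the article.
EXPECTED_REDIRECT = "https://app.scalepad.com/account/integration/oauth"
# Fixed clock so the sample produces a stable result (constructed, not live).
SAMPLE_NOW = datetime(2025, 10, 15, tzinfo=timezone.utc)

# Constructed sample of an application object, trimmed to the fields used here.
SAMPLE_APP = json.loads("""
{"appId": "<application-client-id>",
 "displayName": "Lifecycle Manager MS365 multi-tenant",
 "signInAudience": "AzureADMultipleOrgs",
 "web": {"redirectUris": ["https://app.scalepad.com/account/integration/oauth"]},
 "passwordCredentials": [
   {"displayName": "lm-secret-old", "keyId": "<key-1>", "endDateTime": "2024-06-30T00:00:00Z"},
   {"displayName": "lm-secret-current", "keyId": "<key-2>", "endDateTime": "2025-11-01T00:00:00Z"}
 ]}
""")

# Constructed sample of the grants for the app's service principal. consentType
# "AllPrincipals" is what "Grant admin consent" produces; "Principal" is one
# user's own consent, which does not satisfy the tenant-wide requirement.
SAMPLE_GRANTS = json.loads("""
{"value": [
 {"clientId": "<app-sp-id>", "resourceId": "<graph-sp-id>", "consentType": "AllPrincipals",
  "scope": "AuditLog.Read.All Directory.Read.All Reports.Read.All User.Read.All Mail.Read"},
 {"clientId": "<app-sp-id>", "resourceId": "<graph-sp-id>", "consentType": "Principal",
  "principalId": "<user-id>", "scope": "SecurityEvents.Read.All ReportSettings.ReadWrite.All"}
]}
""")


def audit_delegated_grants(grants, graph_resource_id, required=REQUIRED_GRAPH_SCOPES):
    """Compare admin-consented Graph scopes with the required set.

    Returns (missing, extra, user_only):
      missing   - required scopes without tenant-wide admin consent
      extra     - admin-consented scopes beyond the required set (least privilege)
      user_only - missing scopes that exist only as a single user's consent
    """
    admin, per_user = set(), set()
    for grant in grants.get("value", []):
        if grant.get("resourceId") != graph_resource_id:
            continue  # grants to other resources (e.g. Partner Center) are not checked here
        scopes = set(grant.get("scope", "").split())
        if grant.get("consentType") == "AllPrincipals":
            admin |= scopes
        else:
            per_user |= scopes
    missing = required - admin
    return missing, admin - required, missing & per_user


def secrets_needing_rotation(app, now, warn_days=30):
    """Return [(displayName, days_left)] for client secrets that are expired or
    expire within warn_days; a negative days_left means already expired."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        if days_left <= warn_days:
            findings.append((cred.get("displayName"), days_left))
    return findings


def check_auth_config(app, expected_redirect=EXPECTED_REDIRECT):
    """Return findings for the multi-tenant account type and redirect URI settings."""
    findings = []
    # "AzureADMultipleOrgs" is the manifest value behind "Accounts in any
    # organizational directory (Any Microsoft Entra ID tenant - Multitenant)".
    if app.get("signInAudience") != "AzureADMultipleOrgs":
        findings.append("signInAudience is not set to any organizational directory (multitenant)")
    uris = app.get("web", {}).get("redirectUris", [])
    if expected_redirect not in uris:
        findings.append(f"redirect URI {expected_redirect} is not registered")
    # Every additional redirect URI is another place an authorization code may be sent.
    for uri in uris:
        if uri != expected_redirect:
            findings.append(f"unexpected redirect URI {uri}")
    return findings


if __name__ == "__main__":
    print("grants:", audit_delegated_grants(SAMPLE_GRANTS, "<graph-sp-id>"))
    print("secrets:", secrets_needing_rotation(SAMPLE_APP, SAMPLE_NOW))
    print("auth:", check_auth_config(SAMPLE_APP))
```

On the constructed sample the grant audit reports SecurityEvents.Read.All and ReportSettings.ReadWrite.All as missing tenant-wide consent (they exist only as one user's consent), flags Mail.Read as an extra scope the article never asks for, the secret audit reports one expired secret and one expiring in 17 days, and the authentication check passes. To run it against a real tenant, replace the two samples with the responses from the Graph endpoints named in the module docstring and pass the Microsoft Graph service principal's object id as `graph_resource_id`.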

Adding credentials to Lifecycle Manager

  1. Within Lifecycle Manager, navigate to the Microsoft 365 multi-tenant add integration page and fill in the following information gathered previously:
    1. Azure application (client) ID
    2. Azure client secret
  2. Click Connect now.
    MS365_MT_integration_main.png
  3. After the page has been saved, click Authorize, which opens a popup with a Microsoft authorization page to complete.

When you click Connect now, Lifecycle Manager performs a full sync. When finished, you should be able to view your hardware assets in your account, as well as any software assets.
