Microsoft 365 Delegated Admin Setup

Setting up Lifecycle Insights for Microsoft 365 Data Integration

A Message about Microsoft Delegated Admin Privileges (GDAP)

Our Product and Engineering teams are researching ways to ensure that MS365 Delegated Access permissions will work with GDAP enabled. Once we have a timeline for support, we will share it. In the meantime, note that if you switch to GDAP and leave DAP permissions enabled, Microsoft Delegated Admin permissions will continue to work. If you disable DAP permissions, LCI will not be able to pull your MS365 information using the Delegated Admin method. If leaving DAP permissions enabled is NOT an option for you, please use the Direct Configuration method.

This document outlines the setup for Microsoft 365 Delegated Administration.  This would apply to Microsoft Cloud Partners certified for delegated administration.   It allows you to register an application in Azure Portal once and configure it to pull data from all tenants you have delegated administration rights for.

Total Estimated time: Less than 15 minutes

The purpose of this document is to instruct you on how to configure both Microsoft Azure Active Directory and Lifecycle Insights so that data integration can occur between the two platforms.  At this point, Lifecycle Insights pulls Microsoft 365 users with activated products.

This document is broken down into three sections.

  • Microsoft Configuration
    1. We will register an app within Azure Portal
    2. We will obtain the Application ID, and Directory ID for later input into Lifecycle Insights
    3. We will generate a Secret Key for later input into Lifecycle Insights
    4. We will set the required permissions for the app
    5. We will add the App Service Principal account to the AdminAgents group
  • Lifecycle Insights Configuration
    1. You will enter the 3 data points collected in the first step into the Office365 Configuration panel in Lifecycle Insights
    2. You will map Microsoft Tenants to LCI Companies and enable the Integration if appropriate.

Microsoft Azure Portal Configuration

Estimated Time: Less than 10 minutes

1. Log into your MSP Azure tenant that has the GDAP relationships defined for all of your Microsoft Customers -- https://portal.azure.com/

2. Under the Azure Services menu, select Microsoft Entra ID.

3. In the left Nav pane, click on App Registrations.

4. Click New Registration.

5. Enter information as follows:

  1. Name: Enter any meaningful name, e.g. Lifecycle Insights
  2. Supported account types: Choose the second option (Multitenant)
  3. Redirect URI
  4. Click Register

7. Once you have clicked Register, you need the Application (client) ID and the Directory (tenant) ID shown on the app registration Overview page. Click the Copy to clipboard icon beside each value and paste them into a text editor. You will need these later when setting up Lifecycle Insights.

8. In the second (from left) navigation pane under Manage, click on Certificates & secrets, then click on + New client secret.

9. In the Add client secret dialog, add a Description, change Expires to the maximum value you want (e.g. 24 months) and click Add.

10. We need the Secret Key.  Click the Copy to clipboard icon beside Secret Value and paste it into a text editor. You will need this later when setting up Lifecycle Insights.  Please do NOT copy the Secret ID!

*** Note, once you leave the page, the secret key will no longer be available for copying.  So please be sure to copy it now.

11. Click on API permissions under Manage in the left navigation pane.

12. By default, a User.Read permission is already added.  Click on User.Read, and then click Remove permission.  If prompted to confirm, click Yes, Remove.

13. Click + Add a permission, then on the Request API permissions page choose Microsoft Graph.

14. Click on Application permissions. ** Do NOT choose Delegated permissions.

  1. Expand Audit and choose AuditLog.Read.All
  2. Expand Directory and choose Directory.Read.All
  3. Expand Reports and choose Reports.Read.All
  4. Expand SecurityEvents and choose SecurityEvents.Read.All
  5. Expand User and choose User.Read.All
  6. Click Add permissions

15. Finally, in the API Permissions main screen, click on Grant admin consent for <your tenant name>. Click Yes when it asks you for confirmation. ** Note - The Grant admin consent button may be above the permissions table.

**** If the Grant admin consent button is not on this page, then please perform the following:

Click on the application you just registered for Lifecycle Insights, then in the left Nav pane click on Permissions under Security. In the Permissions section, click Grant admin consent for <your tenant name>.

At this point, the App is registered. We now must add the Service Principal account associated with this app to the AdminAgents group. This provides consent for the app to perform the API lookups on each Microsoft tenant that you have delegated Admin rights to.

16. In the top search bar in Azure Portal, search for and select Groups

  1. Once in the Groups page, find and select AdminAgents.
  2. Once in the AdminAgents group view, click on Members.
  3. Click + Add Members near the top. When you click Add Members, a search bar will appear. Copy and paste the Application (Client) ID you noted earlier; the name of the app you registered earlier will appear. Click on that name, and then click Select.

You should now see the Service Principal Account added to the AdminAgents group!
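Once consent is granted and the service principal is in AdminAgents, the quickest way to confirm that the three values you recorded actually work, and that the five Application permissions (not Delegated ones) are the ones that were consented, is to request a client-credentials token and read its `roles` claim. The script below is an added example, not part of this guide or of Lifecycle Insights' own code: the token endpoint and the `https://graph.microsoft.com/.default` scope are Microsoft's standard ones, while the `LCI_APP_SECRET` environment variable name and the offline sample token are this example's own assumptions.

```python
"""Verify a Lifecycle Insights app registration by inspecting the application
permissions carried in a client-credentials token. Added example; it is not
part of the original guide or Lifecycle Insights' own code."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# The five Microsoft Graph application permissions this guide grants (step 14).
REQUIRED_ROLES = {
    "AuditLog.Read.All",
    "Directory.Read.All",
    "Reports.Read.All",
    "SecurityEvents.Read.All",
    "User.Read.All",
}


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    That is acceptable for a configuration check on a token we just received
    from login.microsoftonline.com; never use it to accept tokens from others."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token: str, required=frozenset(REQUIRED_ROLES)) -> set:
    """Application permissions that received admin consent appear in the
    token's 'roles' claim. Anything still missing means consent was not
    granted, or the permission was added as Delegated instead of Application."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return set(required) - granted


def request_app_token(directory_id: str, application_id: str, secret_value: str) -> str:
    """OAuth 2.0 client credentials grant against the given tenant (network call)."""
    url = f"https://login.microsoftonline.com/{directory_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": application_id,
        "client_secret": secret_value,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with the given claims. Constructed for the
    offline demonstration below; it carries no real signature."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.nosig"


if __name__ == "__main__":
    if len(sys.argv) == 3 and "LCI_APP_SECRET" in os.environ:
        # python check_app.py <Directory (tenant) ID> <Application (client) ID>
        # with the Secret Value in LCI_APP_SECRET so it never lands in shell history.
        token = request_app_token(sys.argv[1], sys.argv[2], os.environ["LCI_APP_SECRET"])
    else:
        # Constructed sample: consent was granted for only three of the five roles.
        token = make_unsigned_token({
            "aud": "https://graph.microsoft.com",
            "roles": ["Directory.Read.All", "Reports.Read.All", "User.Read.All"],
        })
    missing = missing_roles(token)
    if missing:
        print("missing application permissions (grant admin consent):", sorted(missing))
    else:
        print("all required application permissions are present in the token")
```

Run it with no arguments to see the check against the constructed token; with a Directory (tenant) ID and an Application (client) ID as arguments and the Secret Value in `LCI_APP_SECRET`, it requests a real token from your MSP tenant. An empty or short `roles` list is the symptom you get when the consent step was skipped or the permissions were added under Delegated permissions; a 401 from the token endpoint means the ID or secret was copied wrong (the Secret ID rather than the Secret Value is the usual mistake).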

UPDATE 2021.09.02

On August 30th, 2021 Microsoft introduced a subtle change to their default settings related to privacy. Specifically, they introduced a setting, on by default, that de-identifies user data in their Usage Reports. That is, instead of returning real e-mail addresses and names, the reports return random strings.

Microsoft has published an article regarding this topic.  To ensure the MS365 Integration returns real user information, you will need to follow the principles of this article to ensure identifiable information is returned from their API.

https://techcommunity.microsoft.com/t5/microsoft-365-blog/privacy-changes-to-microsoft-365-usage-analytics/ba-p/2694137

At the time this article was published, the Microsoft article referenced above did not contain the correct steps to address this issue. These steps should work:

1.  Go to MS 365 Admin Center for each tenant

2.  Click on Settings, then Org Settings

3.  Click on Reports

4.  Uncheck 'In all reports, display de-identified names for users, groups and sites'
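If a customer tenant still has that setting on, the user rows LCI pulls from the usage reports carry opaque tokens where e-mail addresses should be. The following added example (not part of this guide or of Lifecycle Insights' code) shows how to spot that from the report CSV itself, so you know which tenants still need the checkbox cleared: the column names follow Microsoft Graph's usage-report CSV format, the tenant names and rows are constructed, and the only assumption made about de-identified values is that they are not e-mail addresses.

```python
"""Detect de-identified user data in a Microsoft 365 usage report. Added
example, not part of the original guide or Lifecycle Insights' own code."""
import csv
import io

# Constructed samples shaped like the CSV that Graph's usage-report endpoints
# return (header names as in the getOffice365ActiveUserDetail report; the
# rows and tenant names are made up). Graph prefixes the CSV with a UTF-8 BOM.
REPORT_OK = (
    "\ufeffReport Refresh Date,User Principal Name,Display Name,Is Deleted\n"
    "2021-09-02,alice@contoso.example,Alice Adams,False\n"
    "2021-09-02,bob@contoso.example,Bob Brown,False\n"
)
REPORT_DEIDENTIFIED = (
    "\ufeffReport Refresh Date,User Principal Name,Display Name,Is Deleted\n"
    "2021-09-02,3F9C0A7D2E5B48C1A6D4F0E9B2C7A1D3,8A1E4C6B9D0F2A3C5E7B1D9F4A6C8E0B,False\n"
    "2021-09-02,C4D2E8F1A0B3C6D9E2F5A8B1C4D7E0F3,1B7D3F5A9C2E4B6D8F0A2C4E6B8D0F1A,False\n"
)


def parse_report(csv_text: str) -> list:
    """Parse a usage-report CSV into row dicts, tolerating the leading BOM
    (without stripping it, the first header would read '\\ufeffReport Refresh Date')."""
    return list(csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))))


def looks_deidentified(upn: str) -> bool:
    """A real User Principal Name is e-mail shaped (user@domain). With the
    'display de-identified names' setting on, the report substitutes an opaque
    token that has no '@' and no domain."""
    local, sep, domain = upn.partition("@")
    return not (sep and local and "." in domain)


def deidentified_fraction(csv_text: str) -> float:
    """Share of rows whose User Principal Name is not a real UPN."""
    rows = parse_report(csv_text)
    if not rows:
        return 0.0
    flagged = sum(1 for r in rows if looks_deidentified(r["User Principal Name"]))
    return flagged / len(rows)


def tenants_needing_fix(reports: dict, threshold: float = 0.5) -> list:
    """Return the tenants whose reports are mostly de-identified, i.e. where
    the Org Settings / Reports checkbox has not yet been cleared."""
    return sorted(t for t, text in reports.items() if deidentified_fraction(text) >= threshold)


if __name__ == "__main__":
    sample = {"contoso.example": REPORT_OK, "fabrikam.example": REPORT_DEIDENTIFIED}
    for tenant in tenants_needing_fix(sample):
        print(f"{tenant}: usage report is de-identified; clear the Reports privacy setting")
```

Feed it the report CSV you download per tenant (keyed by tenant) and the list it returns is the set of admin centers you still have to visit. The 0.5 threshold leaves room for a few guest or unlicensed rows that legitimately lack a routable UPN.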

Please note that Microsoft changes the interface frequently. Screenshots may reflect different versions.

Lifecycle Insights Configuration

Estimated time: 5 minutes

Earlier, when configuring Microsoft, you recorded 3 data points. Specifically:

  • Application ID
  • Directory ID
  • Secret Key

We will need to have access to those 3 data points to set up the Office365 Data Integration in Lifecycle Insights.

  1. Log into Lifecycle Insights using the username and password you created in the previous section. The login URL is https://master.lifecycleinsights.io/signIn .
  2. Once logged in, notice that the Left Navigation pane has an Integrations option. Click on Integrations, then click the Microsoft 365 tile.

1. Click on the Delegated API Credentials tab.

2. Next, fill in the form and click Save Settings:

  • Check Microsoft 365 Integration Active
  • Enter/paste the Application ID exactly as you recorded it earlier
  • Enter/paste the Directory ID exactly as you recorded it earlier
  • Enter/paste the Secret Key exactly as you recorded it earlier

3. After you click Save Settings, we will attempt to pull your Microsoft Tenant list. You should then see a list of your Microsoft tenants in the Delegated Company Match tab. If you do not see the tenants, try clicking the Refresh Companies from MS365 button. If there is an error, there is a problem with your app configuration in the Azure portal.

4. To enable Microsoft user and product lookups, you must match the Microsoft Company Name to the LCI Company Name. You must also check the Integration Enabled checkbox.

Alternatively, you can use the Auto-Mapping feature to match your companies (see below).

Update for GDAP

If you have disabled DAP for your MS tenants, you must explicitly grant consent to the Azure App for each of your mapped customers. You can do this by clicking on the Grant Consent button for each customer. When doing this, you will be prompted to log into Azure; you must log in using Admin credentials for that customer.

More information about GDAP and the removal of DAP permissions can be found here: Microsoft 365 GDAP Update

Auto-Mapping

To use the auto-mapping feature, click the Map Companies button.

The system will try to find exact or near-exact matching company names and match those accordingly.

When the auto-mapping is complete the companies that were matched are highlighted as green rows in the table.

The system attempts to find the most exact match for each company.  Some companies with slight name differences may not auto-map.  Please review the mapping to ensure that all desired companies are matched.   A counter of auto-matched companies is provided at the top of the table listing.

Non-exact matches may not map with the auto-mapping feature. For example, if the LCI company is listed as My Company, LLC, but the company is registered in the MS database as My Company, it may not auto-match. Review your matches; you can use the drop-down selector to match the companies manually.

Click the Save Automap button at the top of the table to save your selections.

If you would like to remap the companies, click the Refresh Companies button before saving; this will allow you to remap your companies.
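The guide does not state the exact rules the auto-mapper applies. As an added example that is not Lifecycle Insights' own code, the script below implements a matcher of the same kind, generalized a little beyond the page: it normalizes names (case, punctuation, trailing legal-form suffixes such as LLC) so that the guide's "My Company, LLC" vs "My Company" case does match, accepts near-exact matches above a similarity threshold, assigns each Microsoft tenant at most once, and reports the remainder for manual review. The company names, the suffix list and the 0.9 threshold are this example's assumptions.

```python
"""Name normalization and matching of the kind an auto-mapping step needs.
Added example; it is not Lifecycle Insights' own matching code, whose exact
rules the guide does not describe."""
import re
from difflib import SequenceMatcher

# Legal-form suffixes that commonly differ between a PSA record and the
# Microsoft tenant name (the guide's "My Company, LLC" vs "My Company" case).
LEGAL_SUFFIXES = {"llc", "inc", "incorporated", "ltd", "limited", "co",
                  "corp", "corporation", "plc", "gmbh"}


def normalize(name: str) -> str:
    """Lower-case, drop punctuation, strip trailing legal-form suffixes."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    while len(tokens) > 1 and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical normalized names."""
    return SequenceMatcher(None, a, b).ratio()


def match_companies(lci_names, ms_names, threshold: float = 0.9) -> dict:
    """Map each LCI company to at most one Microsoft tenant.

    Pass 1 takes exact matches after normalization; pass 2 takes the most
    similar remaining tenant if it clears `threshold`. Anything else maps to
    None and must be matched by hand from the drop-down."""
    available = [(normalize(m), m) for m in ms_names]
    mapping = {}
    for lci in lci_names:                      # pass 1: exact after normalization
        key = normalize(lci)
        for item in available:
            if item[0] == key:
                mapping[lci] = item[1]
                available.remove(item)
                break
    for lci in lci_names:                      # pass 2: near-exact
        if lci in mapping:
            continue
        key = normalize(lci)
        best = max(available, key=lambda item: similarity(key, item[0]), default=None)
        if best is not None and similarity(key, best[0]) >= threshold:
            mapping[lci] = best[1]
            available.remove(best)
        else:
            mapping[lci] = None
    return mapping


def summarize(mapping: dict):
    """Counter of auto-matched companies plus the list that needs review."""
    unmatched = [lci for lci, ms in mapping.items() if ms is None]
    return len(mapping) - len(unmatched), unmatched


if __name__ == "__main__":
    # Constructed sample company lists.
    LCI_COMPANIES = ["My Company, LLC", "Acme Corp.", "Contoso Pharmaceuticals", "Blue Widgets"]
    MS_TENANTS = ["My Company", "ACME Corporation", "Contoso Pharmaceutical", "Green Widgets"]
    result = match_companies(LCI_COMPANIES, MS_TENANTS)
    matched, review = summarize(result)
    print(f"{matched} auto-matched; review: {review}")
    for lci, ms in result.items():
        print(f"  {lci!r} -> {ms!r}")
```

The one-tenant-per-company rule matters more than the fuzzy score: mapping the same Microsoft tenant to two LCI companies would attribute one customer's users and licences to another, which is the kind of mistake the manual review after auto-mapping is there to catch.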

LCI will attempt to sync your Microsoft 365 data nightly. If you want to perform an on-demand sync, click on the Log/Sync tab and click the Initiate Sync Now! button. The sync should happen within a couple of minutes. You may refresh the log by clicking on the Refresh log icon (next to the Initiate Sync button) to check that the sync occurred as you expected.