Setting up Lifecycle Insights for Microsoft 365 Data Integration
This document outlines how to set up Microsoft 365 integration for each individual company. You need to register an app for each of your Microsoft tenants. If you are a Microsoft CSP certified for delegated administration, please consider following the Delegated Admin setup document.
Total Estimated time: Less than 15 minutes
The purpose of this document is to instruct you how to configure both Microsoft Azure Active Directory and Lifecycle Insights so that data integration can occur between the two platforms. At this point, Lifecycle Insights pulls Microsoft 365 users with activated products.
This document is broken down into three sections.
- Microsoft Configuration
  - We will register an app within Admin Center
  - We will obtain the Application ID, Directory ID for later input into Lifecycle Insights
  - We will generate a Secret Key for later input into Lifecycle Insights
  - We will set the required permissions for the app
- Lifecycle Insights Configuration
  - You will enter the 3 data points collected in the first step into the Office365 Configuration panel in Lifecycle Insights
Microsoft Azure Active Directory Configuration
** This configuration requires that you have access to the Admin Center for each of your customers (Lifecycle Insights Company). The integration is defined at a Company level within Lifecycle Insights.
Estimated Time: Less than 10 minutes
1. Log into portal.azure.com with the admin credentials for the Company whose integration you are setting up.
2. Use the top search bar to locate “Azure Active Directory” and click on the icon under Services.
3. Click Azure Active Directory, then choose App Registrations.
4. Click New Registration.
5. Enter information as follows:
- Name: Enter any meaningful name, e.g. Lifecycle Insights
- Supported account types: Choose the first option (single tenant)
- Redirect URI – leave blank
Click Register
6. In the left navigation pane, click Azure Active Directory, then App registrations, then All Applications. Finally, click on the name of the application you just added.
7. We need the Application ID and the Client ID. Click the Copy to clipboard icon beside Application ID and Client ID respectively and paste them into a text editor. You will need these later when setting up Lifecycle Insights.
8. In the second (from left) navigation pane under Manage, click on Certificates & secrets, then click on + New client secret.
9. In the Add client secret dialog, add a Description, change Expires to the Max Value desired (e.g. 24 Months) and click Add.
10. We need the Secret Key. Click the Copy to clipboard icon beside Secret Value and paste it into a text editor. You will need this later when setting up Lifecycle Insights. Please do NOT copy the Secret ID!
*** Note, once you leave the page, the secret key will no longer be available for copying. So please be sure to copy it now.
11. Click on API permissions under Manage in the left navigation pane. Then click + Add a permission.
12. By default, a User.Read permission is already added. Click on User.Read, and then click Remove permission. If prompted to confirm, click Yes, Remove.
13. Click + Add a permission, then in the Request API permissions page, choose Microsoft Graph.
14. Click on Application Permissions ** Do NOT choose Delegated Permissions
- Expand Audit and choose AuditLog.Read.All
- Expand Directory and choose Directory.Read.All
- Expand Reports and choose Reports.Read.All
- Expand User and choose User.Read.All
- Expand SecurityEvents and choose SecurityEvents.Read.All
- Click Add permissions
15. Finally, in the API Permissions main screen, click on Grant admin consent for <>. Click Yes when it asks you for confirmation. ** Note - The Grant Admin Consent button may be above the permissions table.
**** If the Grant Admin Consent button is not on this page as shown above, then please perform the following:
Click on the application you just registered for Lifecycle Insights, then in the left Nav Pane click on Permissions under Security. In the Permissions section, click Grant Admin Consent for <>.
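A check a tenant administrator can run after step 15, as an added example that is not part of the original guide or of Lifecycle Insights' code: it decodes an app-only Microsoft Graph access token issued to the new registration and compares its `roles` claim with the five permissions from step 14. Assumptions: the token is obtained separately with the three values recorded above, the sample token and tenant GUID are constructed, and the signature is not verified because the token is only inspected.

```python
import base64
import json

# The five Microsoft Graph application permissions selected in step 14.
REQUIRED_ROLES = frozenset({
    "AuditLog.Read.All", "Directory.Read.All", "Reports.Read.All",
    "User.Read.All", "SecurityEvents.Read.All",
})


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_app_token(token, expected_tenant_id):
    """Compare an app-only Graph token with what the setup steps should produce."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))  # consented application permissions
    return {
        "tenant_matches": str(claims.get("tid", "")).lower() == expected_tenant_id.lower(),
        "missing": sorted(REQUIRED_ROLES - roles),      # step skipped or consent not granted
        "unexpected": sorted(roles - REQUIRED_ROLES),   # broader access than the guide asks for
        "delegated": "scp" in claims,                   # scp marks a delegated (user) token
    }


def _b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment (demo helper)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: an unsigned token, not issued by Microsoft. One required
# permission is missing and one write permission was added by mistake.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none"}),
    _b64url({"tid": SAMPLE_TENANT,
             "roles": ["AuditLog.Read.All", "Directory.Read.All", "Reports.Read.All",
                       "User.Read.All", "Directory.ReadWrite.All"]}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(audit_app_token(SAMPLE_TOKEN, SAMPLE_TENANT))
```

An empty `missing` list and an empty `unexpected` list mean the registration carries exactly the read-only permissions the steps call for.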
UPDATE 2021.09.02
On August 30th, 2021, Microsoft introduced a subtle change to their default settings related to privacy. Specifically, they have introduced a setting that, by default, de-identifies user data in their Usage Reports. This means that instead of sending legitimate emails and names, they are sending a random string of data.
At LCI, we issue API calls that use the same endpoints as Microsoft's Usage Reports do. This means that by default, the users we pull from Microsoft are showing as the de-identified data in the User List (as opposed to their email address and name).
Microsoft has published an article regarding this topic. To have real user information come across to LCI, you will need to review this article and make the setting change to ensure that identifiable data can be shown.
This setting change is at the tenant/customer level. So please make sure you are making the change in the Admin Center for the tenant you set up the integration for.
** Note, this change is not just required for LCI. If you run any Usage Reports inside MS Admin Center and want to see user names and email addresses, this change is required for that as well.
Lifecycle Insights Configuration
Estimated time: 5 minutes
Earlier, when configuring Microsoft, you recorded 3 data points. Specifically:
- Application ID
- Client ID
- Secret Key
We will need to have access to those 3 data points to set up the Office365 Data Integration in Lifecycle Insights.
- Log into Lifecycle Insights using the username and password you created in the previous section. The login URL is: https://master.lifecycleinsights.io/signIn .
- Once logged in, notice the Left Navigation pane has an Integrations Option. Click on Integrations, then click Microsoft 365 tile as shown below.
- Click on the Direct Setup tab
- Click on the Company Name link that you are setting this up for.
A dialog box will open.
- Next, please fill in the form
- Choose the Company you want to set up the integration for
- Check Office365 Integration Active
- Enter/paste the Application ID exactly as you recorded it earlier
- Enter/paste the Directory ID exactly as you recorded it earlier
- Enter/paste the Secret Key exactly as you recorded it earlier
- Click Save Settings
- Click Close
LCI will attempt to sync your Microsoft 365 data nightly. If you want to perform an on-demand sync, click on the Log/Sync tab, and click the Initiate Sync Now! button. The sync should happen within a couple of minutes. You may refresh the log by clicking on the Refresh log icon (next to the Initiate Sync button) to check that the sync occurred as you expected.