Microsoft 365 Client Credentials

Microsoft 365 is a cloud-based service that is designed to help meet your organization's needs for robust security, reliability, and user productivity. This integration creates a single connection to your Microsoft 365 Client Credentials subscription that includes Office 365, Dynamics 365, Power BI, Project, Visio, and any future applications added by Microsoft.

Important:This Microsoft 365 Client Credentials integration requires the authentication method OAuth2 with client credentials.

Information Stored
Minimum Permissions Required
Authentication Method
Credentials Required
License Types
Obtaining Client Credentials and Tenant ID
Integrating Microsoft 365 Client Credentials with SaaS Management
Auto-Populated Microsoft 365 Client Credentials License Information
Managing Available Microsoft 365 Client Credentials Licenses
Viewing the Hybrid Microsoft 365 Client Credentials Position
License Differentiation
Reclaiming Microsoft 365 Client Credentials User Licenses
API Endpoints

Information Stored

The following table describes the available integration tasks and stored data.

Available Integration Tasks

Integration Task

Information Stored

Application Roster

Email
First Name
Last Name
UPN (User Principal Name)
Active Date
Deactivated Date
Assigned Licenses

Application Access

Last Activity Date of the following applications:

Dynamics 365
Microsoft Exchange Server
Microsoft Teams
OneDrive
Outlook
Power BI
Project
SharePoint
Skype for Business
Visio
Yammer

Note:Application Access data for Microsoft Exchange Server, Microsoft Teams, Onedrive, Outlook, Sharepoint, Skype for Business, and Yammer is available 3 days after the event(s) occurs. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management for application access.

License Differentiation

See License Types and License Differentiation.

License Information

License Name
License Type
Purchased Quantity

Note:The above license information is retrieved every 24 hours. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management for license information.

Reclamation

Reclaiming SaaS licenses affects all of the users’ licenses within a SaaS integration. For example, a user has licenses for Office 365 Exchange, Outlook, and Yammer. However, the Software Asset Manager is only managing licenses for Office 365 Exchange and Outlook. Reclamation removes all three (Office 365 Exchange, Outlook, and Yammer) licenses from the user.

Note:The information stored is subject to change as enhancements are made to the product.

Minimum Permissions Required

Minimum API required permissions are based on the Application Permission and User Role .

Application Permission

Application Permission

Permission

Description

Integration Task Name

Directory.Read.All

To read the list of users in your Microsoft account

Application Roster, License Information

AuditLog.Read.All

To read the audit log details in your Microsoft account

Application Access

Reports.Read.All

To read the user access event details in your Microsoft account

Application Access

User.ReadWrite.All

This permission is required to modify the license assigned to the user.

Reclamation

User Role

User Role

Role

Description

Global Administrator

To grant the application permissions, the user must have Global Administrator access. For details, refer to the Microsoft documentation Azure AD Built-In Roles.

Authentication Method

OAuth2 with Client Credentials

For more information, see the Microsoft identity platform and the OAuth 2.0 client credentials flow.

Credentials Required

Client ID
Client Secret
Tenant ID

License Types

To learn more about the product names and service plan identifiers for Microsoft 365 licenses, refer to https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference 

Obtaining Client Credentials and Tenant ID

To obtain client credentials and tenant ID, perform the following steps.

To obtain Client Credentials and Tenant ID:

1. Log in to your Microsoft Azure Portal.
2. In the Search box at the top of the screen, enter App registrations and click App registrations in the search results to select it. The App registrations page opens.
3. Click New Registration. The Register an application page opens.
4. Enter a Name and choose the Accounts in this organizational directory only option.
5. Click Register.
6. On the Overview tab, copy the Application (client) ID and copy the Directory (tenant) ID to a location you can access later. You will need these values in Integrating Microsoft 365 Client Credentials with SaaS Management.
7. To generate a Client secret, do the following:
a. Click the Certificates & secrets tab.
b. Under Client secrets, click New client secret. The Add a client secret dialog box opens.
c. In the Description field, enter a name for the new secret.
d. Under Expires, choose an expiration value.
e. Click Add.
f. Under Client secrets, copy the client secret value. You will need this in Integrating Microsoft 365 Client Credentials with SaaS Management.
8. Click the API permissions tab and complete the following:
a. Click Microsoft Graph. The Request API permissions panel opens.
b. Click Application permissions.

Note:Do not select Delegated permissions. Delegated permissions will not work.

c. In the Select permissions search box, enter Directory and then click the arrow to expand Directory, and select the Directory.Read.All permission check box.
d. In the Select permissions search box, enter Reports and then click the arrow to expand Reports, and select the Reports.Read.All permission check box.
e. Click Update permissions.
f. In the Select permissions search box, enter AuditLog, click the arrow to expand AuditLog, and select the AuditLog.Read.All permission check box.
9. Once the permissions are added, grant admin consent.

Important:If you modify any permissions in the Microsoft Azure Portal that are used to create the tenant ID and client secret, you need to reauthorize the Microsoft 365 Client Credentials integration in SaaS Management by completing all the steps in the Integrating Microsoft 365 Client Credentials with SaaS Management section.

10. Complete Integrating Microsoft 365 Client Credentials with SaaS Management.

Integrating Microsoft 365 Client Credentials with SaaS Management

To integrate Microsoft 365 Client Credentials with SaaS Management, perform the following steps.

Best Practice:Flexera recommends creating the Microsoft 365 Client Credentials integration to view your organization’s Office 365 Client Credentials, Dynamics 365 Client Credentials, Power BI Client Credentials, Project Client Credentials, and Visio Client Credentials license usage data. Any existing Office 365 Client Credentials, Dynamics 365 Client Credentials, Power BI Client Credentials, Project Client Credentials, and Visio Client Credentials integrations in SaaS Management will be superseded by this new Microsoft 365 Client Credentials integration. To deactivate an existing integration, refer to Integrating Microsoft 365 Client Credentials Licenses from SaaS Management to IT Asset Management.

To integrate Microsoft 365 Client Credentials with SaaS Management:

1. In the Microsoft Azure Portal, enter your Global Administrator username and password to log in.
2. From your Microsoft account, copy the Client ID, Client Secret, and Tenant ID values.
3. In SaaS Management, add the Microsoft 365 Client Credentials application. Refer to Adding an Application.
4. In the Add Application screen for Microsoft 365 Client Credentials:
a. Select the Application Roster and Application Access integration tasks check boxes.
b. Paste the values copied into the Client ID, Client Secret, and Tenant ID fields.
c. Click Authorize.

After you have successfully integrated Microsoft 365 Client Credentials with SaaS Management, the following Microsoft information is available in the Users tab.

UPN (User Principal Name) column is a user filtering option.
License column has a dropdown list that only includes discovered and assigned licenses.
5. For further information on managing and optimizing your organization’s Microsoft 365 Client Credentials licenses, refer to:
Auto-Populated Microsoft 365 Client Credentials License Information
Managing Available Microsoft 365 Client Credentials Licenses
Viewing the Hybrid Microsoft 365 Client Credentials Position
License Differentiation
Reclaiming Microsoft 365 Client Credentials User Licenses

Auto-Populated Microsoft 365 Client Credentials License Information

The SaaS Management integration with Microsoft 365 Client Credentials offers a License Information integration task that automatically retrieves every 24 hours the name of the Microsoft 365 plan, license type, and total allowed number of licenses. This auto-populated Microsoft 365 Client Credentials license information provides a more complete view of your Microsoft SaaS entitlements and component usage by displaying:

Assigned entitlements.
User’s license activity (based on the user’s last login)
An 11 Services filter in the Microsoft 365 Client Credentials Activity tab, which helps you narrow the focus of your organization’s Microsoft 365 license activity.

Important:If you enable the License Information integration task, note the following:

The managed application's license information you previously entered in the Licenses Tab will be overwritten with the data ingested from Microsoft.
You need to enter and keep up to date the following Licenses Tab information. The License Information integration task does not pull in this information. The SaaS application’s annual spend calculation relies on entered and accurate license effective and ending dates.
Amount 
Currency 
Effective Date 
Ending Date 
Payment Frequency 
When the License Information integration task first discovers an active subscription, it will default the effective date to its discovery date and it will have an empty end date. As a result, the license term is effective and will not expire.
When the License Information integration task is disabled, the managed application's license information will be reverted back to what it was prior to the License Information integration task being enabled. As a result, your previously manually entered license information will appear in the Licenses Tab.
When the License Information integration task is re-enabled, the last automatic-captured license data that was available before disabling the License Information integration task will appear in the Licenses Tab.

To auto-populate Microsoft 365 Client Credentials license information:

1. From the SaaS menu, click Managed SaaS Applications. The Managed SaaS Applications screen appears.
2. For a new Microsoft 365 Client Credentials integration, add the Microsoft 365 Client Credentials application. Refer to Adding an Application. The License Information integration task is selected by default.
3. For an existing Microsoft 365 Client Credentials integration:
a. On the Managed SaaS Applications screen, select the appropriate Microsoft 365 Client Credentials instance link.
b. Navigate to the Microsoft 365 Client Credentials Application Details screen and select the Integration tab.
c. In the Integration Tasks table, click Disabled in the Action column to enable the License Information task.
d. Click OK.
4. When the License Information integration task is enabled, the License type, Name, and # of Items Allowed fields in the Microsoft 365 Client Credentials Licenses tab are disabled as this information is automatically populated. The active and inactive ingested license data from Microsoft can be compared against the Subscriptions data from the Licenses menu of the Microsoft 365 Admin Center.

Managing Available Microsoft 365 Client Credentials Licenses

Once the License Information integration task for Auto-Populated Microsoft 365 Client Credentials License Information is enabled, you can add or remove the Microsoft 365 Client Credentials product licenses you wish to manage within SaaS Management. Complete the following steps.

To manage available Microsoft 365 Client Credentials licenses:

1. In the Microsoft 365 Client Credentials Licenses tab, click the Manage Available Licenses button in License Details. The Manage Available Licenses slideout opens to display the Microsoft product licenses from your Microsoft portal.
2. Select the licenses you wish to manage and click Save.
3. When the Update Managed Licenses window appears, click Continue. It may take several minutes to recalculate the License Details data.

Note:Unselected licenses are not shown in SaaS Management and are filtered out from all calculations. For further details, refer to What happens when a Microsoft 365 Client Credentials license is filtered out?

What happens when a Microsoft 365 Client Credentials license is filtered out?

No license entry appears on the Microsoft 365Client Credentials Licenses tab, even when the Show Inactive switch is disabled.
Filtered out licenses are not included in annual spend calculations.
Filtered out licenses do not appear on the All SaaS Licenses page.
Filtered out licenses do not appear on the SaaS License Usage page when the Show License Details switch is enabled.
Users who are only entitled to licenses that have been filtered out do not appear in the Microsoft 365 Client Credentials Users tab.
Activity from users who are only entitled to licenses that have been filtered out does not appear in the Microsoft 365 Client Credentials Activity tab.
Since users in this filtered state are not listed in the Microsoft 365 Client Credentials Users tab, they also would not be flagged as reclamation opportunities.
Users in the filtered state would not count toward active/inactive/never/total usage counts from SaaS metrics.
The HR roster user entry would not show the user listed in the applications list if they have been filtered out.
A user in the filtered state would not be marked as suspicious, even if their HR roster entry were deactivated and they were still generating usage on Microsoft. The user in the filtered state has been effectively removed from the Application Roster and the Microsoft 365 Client Credentials Activity tab. Therefore, the user does not appear on the Suspicious SaaS Activities page.
If a user is not assigned any licenses, the user is filtered out of the Microsoft 365 Client Credentials Users tab.
When a Microsoft 365 Client Credentials license is not selected to be managed in SaaS Management, the license will also not appear in IT Asset Management when Viewing the Hybrid Microsoft 365 Client Credentials Position.

Viewing the Hybrid Microsoft 365 Client Credentials Position

At the top of the Microsoft 365 Client Credentials Overview tab, click the View the hybrid Microsoft position link to open Flexera’s IT Asset Management License Summary page. Then filter the Publisher name by Microsoft. Together, Flexera’s SaaS Management and IT Asset Management applications provide a complete view of your organization’s Microsoft online and traditional desktop usage.

Integrating Microsoft 365 Client Credentials Licenses from SaaS Management to IT Asset Management

To import the Microsoft 365 Client Credentials licenses from SaaS Management to Flexera’s IT Asset Management All Licenses page, which feeds to the License Summary page, ensure the Flexera SaaS Manager integration is enabled in the IT Asset Management Integrations tab. For details, refer to the IT Asset Management Settings: Integrations Tab section of the IT Asset Management documentation.

Follow the steps below to integrate Microsoft 365 Client Credentials licenses from Flexera’s SaaS Management to IT Asset Management.

To integrate Microsoft 365 Client Credentials Licenses from SaaS Management to IT Asset Management

1. In SaaS Management, disable the existing separate Office 365 Client Credentials, Power BI Client Credentials, Project Client Credentials, Visio Client Credentials, or Dynamics 365 Client Credentials integrations to delete the license information. To disable the integration, navigate to the managed SaaS application’s Overview tab. On the upper-right side of the Overview tab, click the Application Details link to open the Application Details window. In the Application Details window, click Deactivate.
2. When the Flexera SaaS Manager integration is enabled in the IT Asset Management settings, the Import Inventory job is executed overnight.
3. After the Import Inventory job is executed the next day, delete the Microsoft Client Credentials licenses now marked as “Retired” in IT Asset Management.

Note:Any purchases managed in IT Asset Management and associated to the now retired/deleted licenses will return back to an “Unprocessed purchase”.

Best Practice:To avoid confusion and potential license duplication, Flexera recommends that any licenses created in IT Asset Management for Project Client Credentials / Visio Client Credentials / Dynamics 365 Client Credentials be deleted as the new SaaS Management Microsoft 365 Client Credentials integration also creates these licenses with imported entitlement and consumption.

4. Set up the Microsoft 365 Client Credentials integration in SaaS Management per Integrating Microsoft 365 Client Credentials with SaaS Management.
5. After the Import Inventory job is executed in IT Asset Management the next day, the Flexera SaaS Manager integration creates all the Microsoft 365 licenses with purchase counts and consumption counts.

License Differentiation

SaaS Management offers a license differentiation feature that allows you to view users by license type. To view this license differentiation feature, navigate to the Activity tab of the Microsoft 365 Client Credentials App Details screen where you can filter and export the Microsoft 365 Client Credentials license types.

The total spend for the billable Microsoft 365 Client Credentials accounts displayed in the Microsoft 365 Client Credentials App Details screen is based on the Microsoft 365 Client Credentials license cost details entered in the License Details tab. For details, refer to Entering License Details for License Differentiation.

Identifying Microsoft 365 Client Credentials users who can have their license types downgraded

You can reduce SaaS spend by identifying and downgrading users who have never used the features of a more expensive license type. For F-type Microsoft subscriptions, follow the steps below. For E-Type Microsoft subscriptions, refer to Viewing the Hybrid Microsoft 365 Client Credentials Position.

To identify users of Microsoft 365 Client Credentials F-type subscriptions who can have their license types downgraded:

1. Select Never in the Activity column search.
2. Enter the name of the more expensive license type application in the Application column search.
3. Export your findings to a CSV and send it to your organization’s contact with the Administer SaaS or Manage SaaS application & users role (for details, refer to Flexera Roles) who can downgrade a user’s license for cost savings.

Reclaiming Microsoft 365 Client Credentials User Licenses

The following steps explain how to reclaim Microsoft 365 Client Credentials user licenses using the SaaS Management user interface.

To reclaim Microsoft 365 Client Credentials user licenses:

1. From the SaaS menu, click Managed SaaS Applications. The Managed SaaS Applications screen appears.
2. For a new Microsoft 365 Client Credentials integration:
a. Add the Microsoft 365 Client Credentials application. Refer to Adding an Application.
b. Select the Reclamation integration task from the Add Application screen.
c. Click Authorize.
d. Proceed to step 4.
3. For an existing Microsoft 365 Client Credentials integration:
a. On the Managed SaaS Applications screen, select the appropriate Microsoft 365 Client Credentials instance link.
b. Navigate to the Microsoft 365 Client Credentials Application Details screen and select the Integration tab.
c. In the Action column of the Integration Tasks table, click Disabled to enable the Reclamation integration task.
d. Click OK.
4. To reclaim Microsoft 365 Client Credentials licenses, refer to Reclaiming SaaS Licenses.

API Endpoints

Application Roster

https://graph.microsoft.com/v1.0/users

 

https://graph.microsoft.com/v1.0/subscribedSkus

Application Access

https://graph.microsoft.com/beta/reports/getOffice365ActiveUserDetail

 

https://graph.microsoft.com/beta/reports/getEmailActivityUserDetail

 

https://graph.microsoft.com/v1.0/auditLogs/signIns

License Information:

https://graph.microsoft.com/v1.0/subscribedSkus

Reclamation

https://graph.microsoft.com/v1.0/users{id | userPrincipalName}/assignLicense