Microsoft 365 Certificate Based Authentication
Microsoft 365 is a cloud-based service that is designed to help meet your organization's needs for robust security, reliability, and user productivity. This integration creates a single connection to your Microsoft 365 certificate-based authentication subscription that includes Office 365, Dynamics 365, Power BI, Project, Visio, and any future applications added by Microsoft.
Important:This Microsoft 365 integration requires the Azure AD certificate-based authentication method.
The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.
| • | Stored Microsoft 365 Certificate Based Authentication Information |
| • | Required Minimum Permissions for Microsoft 365 Certificate Based Authentication |
| • | Authentication Method for Microsoft 365 Certificate Based Authentication |
| • | Required Credentials for Microsoft 365 Certificate Based Authentication |
| • | Microsoft 365 Certificate Based Authentication License Types |
| • | Obtaining Client Credentials and Tenant ID for Microsoft 365 Certificate Based Authentication |
| • | Integrating Microsoft 365 Certificate Based Authentication With SaaS Management |
| • | Auto-Populated License Information for Microsoft 365 Certificate Based Authentication |
| • | Managing Available Licenses for Microsoft 365 Certificate Based Authentication |
| • | Viewing the Hybrid Microsoft 365 Certificate Based Authentication Position |
| • | Microsoft Power BI Reporting for Microsoft 365 Certificate Based Authentication |
| • | Microsoft 365 Certificate Based Authentication API Endpoints |
Stored Microsoft 365 Certificate Based Authentication Information
The following table describes the available integration tasks and stored data within [ProductName].
|
Available Integration Tasks |
Information Stored |
|||||||||||||||||||||||||||||||||||||||||||||
|
Application Roster |
Note:For existing Microsoft 365 integrations with SaaS Management, you need to reauthorize the integration by granting the additional UserAuthenticationMethod.Read.All permission to retrieve the multifactor authentication for the Users tab.
Important:When the AuditLog.Read.All permission is not granted, the Application Roster integration task will not fail, rather it will skip the Sign in to M365 Domain and retrieve the remaining Application Roster fields. |
|||||||||||||||||||||||||||||||||||||||||||||
|
Application Access |
Last Activity Date of the following applications:
Note:Consider the following:
Important:When the AuditLog.Read.All permission is not granted, the Application Access integration task will not fail, rather it will skip the activities for the Dynamics 365, Power BI, Project, and Visio applications and retrieve the activities for the remaining Microsoft 365 applications. |
|||||||||||||||||||||||||||||||||||||||||||||
|
License Differentiation |
See Microsoft 365 Certificate Based Authentication License Types and Tracking Application Activity by License Type for License Differentiation. |
|||||||||||||||||||||||||||||||||||||||||||||
|
License Information |
Note:The SaaS Management License Information integration task retrieves information once every 24 hours. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management. |
|||||||||||||||||||||||||||||||||||||||||||||
|
Reclamation |
Reclaiming SaaS licenses affects all the users’ licenses within a SaaS integration. For example, a user has licenses for Office 365 Exchange, Outlook, and Yammer. However, the Software Asset Manager is only managing licenses for Office 365 Exchange and Outlook. Reclamation removes all three (Office 365 Exchange, Outlook, and Yammer) licenses from the user. To reclaim Microsoft 365 certificate-based authentication SaaS licenses, see Reclaiming SaaS Licenses. |
Note:The information stored is subject to change as enhancements are made to the SaaS application.
Required Minimum Permissions for Microsoft 365 Certificate Based Authentication
The minimum API required permissions are based on the Required Application Permissions for Microsoft 365 Certificate Based Authentication and Required User Role for Microsoft 365 Certificate Based Authentication.
Required Application Permissions for Microsoft 365 Certificate Based Authentication
|
Application Permission |
Description |
Integration Task Name |
|
AuditLog.Read.All |
Enables you to read the user sign ins for your tenant. |
Application Access Application Roster |
|
Reports.Read.All |
Enables you to read the user access event details in your Microsoft account. |
Application Access |
|
UserAuthenticationMethod.Read.All |
Is required for retrieving the multifactor authentication details for the user. |
Application Roster |
|
Directory.Read.All and Reports.Read.All |
Enables you to read the list of users in your Microsoft account. |
Application Roster License Information |
|
User.ReadWrite.All |
Is required for modifying the license assigned to the user. |
Reclamation |
Required User Role for Microsoft 365 Certificate Based Authentication
Note:The following SaaS application user role is not applicable to Flexera One roles.
|
User Role |
Description |
|
Global Administrator |
To grant the application permissions, the user must have Global Administrator access. For more information, see Microsoft’s documentation topic, Microsoft Entra Built-In Roles. |
Authentication Method for Microsoft 365 Certificate Based Authentication
The required authentication method is Certificate-Based Authentication.
For more information, see Microsoft’s documentation topics:
| • | OAuth 2.0 Client Credentials Grant > Second Case: Access Token Request With a Certificate |
| • | Microsoft Identity Platform Application Authentication Certificate Credentials. |
Required Credentials for Microsoft 365 Certificate Based Authentication
The following credentials are required:
| • | Tenant ID |
| • | Client ID |
| • | iss |
| • | sub |
| • | Private Key |
| • | x5t. |
Microsoft 365 Certificate Based Authentication License Types
To learn more about the product names and service plan identifiers for Microsoft 365 licenses, see Microsoft’s documentation topic, Product Names and Service Plan Identifiers for Licensing.
Obtaining Client Credentials and Tenant ID for Microsoft 365 Certificate Based Authentication
Before Integrating Microsoft 365 Certificate Based Authentication With SaaS Management, you need to obtain client credentials and the tenant ID by completing the following steps.
To obtain Client Credentials and Tenant ID:
| 1. | Sign in to your Microsoft Azure Portal. |
| 2. | In the Search box at the top of the page, enter App registrations and click App registrations in the search results to select it. The App registrations page opens. |
| 3. | Click New Registration. The Register an application page opens. |
| 4. | Enter a Name and choose the Accounts in this organizational directory only option. |
| 5. | Click Register. |
| 6. | On the Overview tab, copy the Application (client) ID and copy the Directory (tenant) ID to a location you can access later. You will need these values in Integrating Microsoft 365 Certificate Based Authentication With SaaS Management. |
| 7. | Ensure the following prerequisites are enabled to complete steps 8 and 9. |
| • | PowerShell and OpenSSL are required to run commands. |
| • | To create self-signed certificates, use the commands referenced in Microsoft’s documentation topic, Create a Self-Signed Public Certificate to Authenticate Your Application. |
Important:Self-signed certificates are not trusted by default, and they can be difficult to maintain. Also, they may use outdated hash and cipher suites that may not be strong. For better security, purchase a certificate signed by a well-known certificate authority.
| 8. | Execute the following commands in PowerShell to generate a certificate’s Thumbprint (x5t) value. |
| a. | $certname = "{certificateName}" |
Example: $certname = "TestCert"
| b. | $cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 |
| c. | Export-Certificate -Cert $cert -FilePath "{Specify your preferred location}\{fileName}.cer" |
Example: Export-Certificate -Cert $cert -FilePath "D:\testFolder\CBAcert.cer"
| d. | After executing the commands in steps 8a to 8c, in the Microsoft Azure Portal go to the App Registrations page. From the left-hand navigation under the Manage menu, click Certificates & Secrets. Go to the Certificates tab and click Upload Certificate to upload the certificate (.cer) generated from step 8c. This step generates the Thumbprint value needed for the SaaS Management integration setup field x5t. For more information, see the following screenshot. |
| 9. | Execute the following commands in PowerShell to generate the certificate’s Private Key value. |
| a. | $mypwd = ConvertTo-SecureString -String "{Replace_with_your_password}" -Force -AsPlainText |
Example: $mypwd = ConvertTo-SecureString -String "Root@Pass123" -Force -AsPlainText
| b. | Export-PfxCertificate -Cert $cert -FilePath "{Specify your preferred location}\fileName.pfx" -Password $mypwd |
Example: Export-PfxCertificate -Cert $cert -FilePath "D:\testFolder\CBAcert.pfx" -Password $mypwd
| c. | OpenSSL pkcs12 -in {Specify your preferred location}\above_generated_pfx_file_name.pfx -out Specify your preferred location\file_name.cer -nodes |
Example: OpenSSL pkcs12 -in D:\testFolder\CBAcert.pfx -out D:\PoojaCert\private_key_file_name.cer -nodes
When this step’s command asks for a password, enter the password provided in step 9a. Example: Root@Pass123
After executing this step’s command, a private key file is generated. In this step’s command example, private_key_file_name.cer is the private key. The private key needs to be opened in an editor such as Notepad++ to copy the Private Key value for later access. This Private Key value will be pasted into the SaaS Management Private Key field while Integrating Microsoft 365 Certificate Based Authentication With SaaS Management.
| d. | From the private key file, copy only the content starting from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- For more information, see the following screenshot. |
| 10. | Proceed to Integrating Microsoft 365 Certificate Based Authentication With SaaS Management. |
Integrating Microsoft 365 Certificate Based Authentication With SaaS Management
To integrate Microsoft 365 Certificate Based Authentication with SaaS Management, perform the following steps.
To integrate Microsoft 365 Certificate Based Authentication with SaaS Management:
| 1. | In the Microsoft Azure Portal, enter your Global Administrator username and password to sign in. |
| 2. | From your Microsoft account, copy the following values described in Obtaining Client Credentials and Tenant ID for Microsoft 365 Certificate Based Authentication: |
| • | Tenant ID (copied from step 6) |
| • | Client ID (copied from step 6) |
| • | Private Key (copied from step 9d) |
| • | Thumbprint (same as x5t copied from step 8d). |
| 3. | In SaaS Management, add the Microsoft 365 Certificate Based Authentication application. For more information, see Adding an Application. |
| 4. | In the Add Application page for Microsoft 365 Certificate Based Authentication: |
| a. | Select the required integration task checkboxes. |
| b. | Paste the following values described in Obtaining Client Credentials and Tenant ID for Microsoft 365 Certificate Based Authentication into their respective SaaS Management integration setup fields: |
| • | Tenant ID (copied from step 6) |
| • | Client ID (copied from step 6) |
| • | iss (same as Client ID) |
| • | sub (same as Client ID) |
| • | Private Key (copied from step 9d) |
| • | x5t (same as Thumbprint copied from step 8d). |
| c. | Click Authorize. |
After you have successfully integrated Microsoft 365 Certificate Based Authentication with SaaS Management, the following Microsoft information is available in the Users tab.
|
Users Tab Column |
Description |
||||||
|
UPN |
This User Principal Name (UPN) column is a user filtering option. |
||||||
|
Licenses |
This column filters discovered and assigned Microsoft licenses. |
||||||
|
Activations |
This column lists the names of the on-premises products the user has activated. |
||||||
|
Mail Usage |
This column displays the user’s mailbox storage consumption in MB. |
||||||
|
OneDrive Usage |
This column displays the user’s OneDrive for Business (OD4B) storage consumption in MB. |
||||||
|
Windows |
Is the user using a Windows desktop machine? (Yes or No is displayed.) |
||||||
|
Mac |
Is the user using a Mac device? (Yes or No is displayed.) |
||||||
|
Mobile |
Is the user using a mobile device? (Yes or No is displayed.) |
||||||
|
Web |
Has the user accessed Microsoft 365 applications via a browser? (Yes or No is displayed.) |
||||||
|
onPremisesSync |
The following deployment options are displayed:
|
||||||
|
Block Credentials |
Are the user’s Microsoft 365 credentials blocked? (Yes or No is displayed.) Users with blocked credentials cannot access their Microsoft 365 account, which limits their account activity. Limited account activity due to blocked credentials may inaccurately reflect license downgrading or license reclamation opportunities. |
||||||
|
Is MFA Turned On |
Has the user turned on multifactor authentication (MFA) for their Microsoft 365 account? (Yes or No is displayed.) Users signing in to their Microsoft 365 account with multifactor authentication or single sign-on (SSO) should not have their licenses reclaimed. |
||||||
|
Last Used M365 Application |
Displays the Microsoft 365 application that was last used by the user. This application is based on the user activities retrieved by the Microsoft 365 integration with SaaS Management. If users are not using a more expensive application within a Microsoft 365 license, there may be opportunities to downgrade user licenses. |
||||||
|
Sign In to M365 Domain |
Displays a timestamp for the last time users signed in to their Microsoft 365 account. Infrequent user sign ins may provide license downgrading or license reclamation opportunities. Note:It is possible that the date in the Sign In to M365 Domain column may differ from the date in the Last Activity column. The Last Activity date refers to the last time users accessed a specific Microsoft 365 product such as Teams or Outlook. It is also possible for users to have a Sign In to M365 Domain value while never having used a Microsoft 365 application. These users would appear as Never under Last Activity. |
||||||
|
Days Since Last Activity |
This is the number of days since the user’s last activity. |
||||||
|
Guest |
Is the user a Guest (that is, not a permanent employee such as a contractor)? (Yes or No is displayed.) |
||||||
|
Title |
The job title of the user is provided by Active Directory. |
||||||
|
Country |
This is the geographical location of the user. |
||||||
|
Account Created Date |
This is the date the user’s Microsoft 365 account was created within the Microsoft portal. |
Note:Consider the following:
| • | Application Roster data such as Mail Usage, OneDrive Usage, Activations, Windows, Mac, Mobile, and Web is available 3 days after the event(s) occurs. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management for these Users tab columns, which are part of the Application Roster. |
| • | Flexera captures only the last 90 days of data for the following Users tab columns: Activations, Mail Usage, OneDrive Usage, Windows, Mac, Mobile, and Web. |
| • | Due to the current behavior of the Microsoft report API, if users have not activated any applications (Microsoft 365 apps for enterprise, Microsoft Project Online desktop client, Microsoft Visio desktop app, and Office Mobile apps for Office 365) 90 days from the date of the integration setup: the Activations column will be blank and display a "-" and for any new activations on day 91, the count will reflect on the Microsoft report API 3 days after the activation and will be retained in the report for the next 90 days. |
| • | Flexera obtains Activations data only when we activate the following Office 365 subscriptions such as Microsoft 365 apps for enterprise, Microsoft Project Online desktop client, Microsoft Visio desktop app, and Office Mobile apps for Office 365 across Windows and Mac machines (For more information, see Microsoft’s documentation topic, Microsoft 365 Reports in the Admin Center - Microsoft Office Activations). |
| • | Flexera obtains Yes values for the Windows, Mac, Mobile, and Web columns only when users perform activities in the following applications: Outlook, Word, Excel, PowerPoint, OneNote, and Teams (For more information, see Microsoft’s documentation topic, Microsoft 365 Reports in the Admin Center - Microsoft 365 Apps Usage). |
For further information on managing and optimizing your organization’s Microsoft 365 Certificate Based Authentication licenses, see:
| • | Auto-Populated License Information for Microsoft 365 Certificate Based Authentication |
| • | Managing Available Licenses for Microsoft 365 Certificate Based Authentication |
| • | Viewing the Hybrid Microsoft 365 Certificate Based Authentication Position |
| • | Microsoft Power BI Reporting for Microsoft 365 Certificate Based Authentication |
| • | Tracking Application Activity by License Type for License Differentiation |
| • | Reclaiming SaaS Licenses. |
Auto-Populated License Information for Microsoft 365 Certificate Based Authentication
The SaaS Management integration with Microsoft 365 Certificate Based Authentication offers a License Information integration task that automatically retrieves every 24 hours the name of the Microsoft 365 plan, license type, and total allowed number of licenses. This auto-populated Microsoft 365 Certificate Based Authentication license information provides a more complete view of your Microsoft SaaS entitlements and component usage by displaying:
| • | Assigned entitlements. |
| • | User’s license activity (based on the user’s last login) |
| • | An 11 Services filter in the Microsoft 365 Certificate Based Authentication Activity tab, which helps you narrow the focus of your organization’s Microsoft 365 license activity. |
Important:If you enable the License Information integration task, you need to enter and keep up to date the following Licenses Tab information. The License Information integration task does not pull in this information. The SaaS application’s annual spend calculation relies on entered and accurate license effective and ending dates.
| • | Amount |
| • | Currency |
| • | Effective Date |
| • | Payment Frequency |
| • | Ending Date |
To auto-populate Microsoft 365 Certificate Based Authentication license information, see Auto-Populating SaaS Application License Information. When the License Information integration task is enabled, the License type, Name, and # of Items Allowed fields in the Microsoft 365 Certificate Based Authentication Licenses tab are disabled as this information is automatically populated. The active and inactive ingested license data from Microsoft can be compared against the Subscriptions data from the Licenses menu of the Microsoft 365 Admin Center.
Managing Available Licenses for Microsoft 365 Certificate Based Authentication
After the License Information integration task for Auto-Populated License Information for Microsoft 365 Certificate Based Authentication is enabled, you can add or remove the Microsoft 365 Certificate Based Authentication product licenses you wish to manage within SaaS Management. To manage available Microsoft 365 Certificate Based Authentication licenses, see Managing Available Licenses for Microsoft 365 Certificate Based Authentication.
Note:Unselected licenses are not shown in SaaS Management and are filtered out from all calculations. When a Microsoft 365 Certificate Based Authentication license is not selected to be managed in SaaS Management, the license will also not appear in IT Asset Management when Viewing the Hybrid Microsoft 365 Certificate Based Authentication Position.
Viewing the Hybrid Microsoft 365 Certificate Based Authentication Position
While Microsoft 365 Certificate Based Authentication licenses are assigned and managed in the Cloud, many of the applications and functionality in the Microsoft licensing portal are locally installed on users’ devices. Due to the hybrid nature of Microsoft 365 Certificate Based Authentication licenses, it is beneficial to integrate Flexera One’s SaaS Management with IT Asset Management in order to manage the Cloud licenses and local installations.
In SaaS Management, at the top of the Microsoft 365 Certificate Based Authentication Overview tab, click the View the hybrid Microsoft 365 position link to open Flexera One’s IT Asset Management License Summary page. This page is automatically filtered to Publisher name is Microsoft. Together, Flexera One’s SaaS Management and IT Asset Management applications provide a complete view of your organization’s Microsoft online and traditional desktop usage.
When SaaS purchase order data is synchronized with Flexera One’s IT Asset Management to display the hybrid Microsoft position, you only need to manage your Microsoft purchases in Flexera One’s SaaS Management. You may wish to include the additional SaaS purchase order details in IT Asset Management. However, these IT Asset Management purchases for Microsoft will not impact a SaaS Management-created Microsoft Named User license in Flexera One’s IT Asset Management.
Best Practice:This best practice only applies to organizations that currently have a Microsoft 365 integration with SaaS Management. To avoid confusion and potential license duplication, Flexera recommends that any licenses created in IT Asset Management for Project / Visio / Dynamics 365 be deleted as the new SaaS Management Microsoft 365 Certificate Based Authentication integration also creates these licenses with imported entitlement and consumption. For more information, see Avoiding Duplicate Microsoft 365 Certificate Based Authentication Licenses between SaaS Management and IT Asset Management.
Avoiding Duplicate Microsoft 365 Certificate Based Authentication Licenses between SaaS Management and IT Asset Management
Note:The following section is not applicable to organizations that are integrating Microsoft 365 for the first time and have no previous Microsoft 365 integrations with SaaS Management.
To synchronize existing Microsoft 365 Certificate Based Authentication licenses between Flexera One’s SaaS Management and IT Asset Management All Licenses page, which feeds to the License Summary page, ensure the Flexera SaaS Manager integration is enabled in the IT Asset Management Integrations tab. For more information, see Flexera One’s IT Asset Management documentation topic, IT Asset Management Settings: Integrations Tab.
Complete the following steps to avoid duplicating Microsoft 365 Certificate Based Authentication licenses between Flexera One’s SaaS Management and IT Asset Management.
To remove Microsoft 365 Certificate Based Authentication licenses created in SaaS Management (and integrated with IT Asset Management) from IT Asset Management:
| 1. | In SaaS Management: |
| a. | Disable the existing separate Office 365 Client Credentials, Power BI Client Credentials, Project Client Credentials, Visio Client Credentials, or Dynamics 365 Client Credentials integrations to delete the license information. To disable the integration, go to the SaaS menu and click Managed SaaS Applications. The Managed SaaS Applications page opens. |
| b. | On the Managed SaaS Applications page, select the appropriate application’s instance link. The instance’s Overview tab opens by default. |
| c. | On the upper-right side of the Overview tab, click the Application Details link to open the Application Details window. In the Application Details window, click Deactivate. |
| 2. | In IT Asset Management: |
| a. | Ensure the Flexera SaaS Manager integration is enabled in the IT Asset Management Integrations tab. For more information, see Flexera One’s IT Asset Management documentation topic, IT Asset Management Settings: Integrations Tab. The Import Inventory job is executed overnight. |
| b. | After the Import Inventory job is executed the next day, delete the Microsoft licenses now marked as “Retired” in IT Asset Management. |
Note:Any purchases managed in IT Asset Management and associated to the now retired/deleted licenses will return an “Unprocessed purchase” response.
| c. | After the Import Inventory job is executed in IT Asset Management the next day, the Flexera SaaS Manager integration creates all the Microsoft 365 licenses with purchase counts and consumption counts. |
Note:Because the Microsoft purchase counts come from SaaS Management, any IT Asset Management purchases linked to the Microsoft license will not be reflected against the IT Management license totals for Microsoft Named User licenses (created from the SaaS Management integration) in the IT Asset Management All Licenses or License Summary page.
| 3. | In SaaS Management, set up the Microsoft 365 Certificate Based Authentication integration per Integrating Microsoft 365 Certificate Based Authentication With SaaS Management. |
Microsoft Power BI Reporting for Microsoft 365 Certificate Based Authentication
SaaS Management’s Microsoft Power BI report, which uses the SaaS Management API, provides the insights that enable improved governance and license management processes for complex Microsoft 365 environments. The Microsoft Power BI report insights can be shared with contacts within your organization who do not use SaaS Management.
To create the Microsoft Power BI report, see the Microsoft 365 Power BI Reporting for Flexera One's SaaS Management Knowledge Base article.
Microsoft 365 Certificate Based Authentication API Endpoints
Application Roster
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/beta/users
https://graph.microsoft.com/v1.0/subscribedSkus
https://graph.microsoft.com/beta/reports/getOffice365ActivationsUserDetail
https://graph.microsoft.com/beta/reports/getM365AppUserDetail
https://graph.microsoft.com/beta/reports/getOneDriveUsageAccountDetail
https://graph.microsoft.com/beta/reports/getMailboxUsageDetail
https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails
Application Access
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/beta/reports/getOffice365ActiveUserDetail
https://graph.microsoft.com/beta/reports/getEmailActivityUserDetail
https://graph.microsoft.com/v1.0/auditLogs/signIns
License Information:
https://graph.microsoft.com/v1.0/subscribedSkus
Reclamation
https://graph.microsoft.com/v1.0/users{id | userPrincipalName}/assignLicense