Microsoft 365

Microsoft 365 is a cloud-based service that is designed to help meet your organization's needs for robust security, reliability, and user productivity. This integration creates a single connection to your Microsoft 365 subscription that includes Office 365, Dynamics 365, Power BI, Project, Visio, and any future applications added by Microsoft.

Information Stored
Minimum Permissions Required
Credentials Required
License Types
Integrating Microsoft 365 with SaaS Management
Auto-Populated Microsoft 365 License Information
Managing Available Microsoft 365 Licenses
Viewing the Hybrid Microsoft 365 Position
License Differentiation
Reclaiming Microsoft 365 User Licenses
API Endpoints

Information Stored

The following table describes the available integration tasks and stored data.

Available Integration Tasks

Integration Task

Information Stored

Application Roster

Email
First Name
Last Name
UPN (User Principal Name)
Active Date
Deactivated Date
Assigned Licenses

Application Access

Last Activity Date of the following applications:

Dynamics 365
Microsoft Exchange Server
Microsoft Teams
OneDrive
Outlook
Power BI
Project
SharePoint
Skype for Business
Visio
Yammer

Note:Application Access data for Microsoft Exchange Server, Microsoft Teams, Onedrive, Outlook, Sharepoint, Skype for Business, and Yammer is available 3 days after the event(s) occurs. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management for application access.

License Differentiation

See License Types and License Differentiation.

License Information

License Name
License Type
Purchased Quantity

Note:The above license information is retrieved every 24 hours. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management for license information.

Reclamation

Reclaiming SaaS licenses affects all of the users’ licenses within a SaaS integration. For example, a user has licenses for Office 365 Exchange, Outlook, and Yammer. However, the Software Asset Manager is only managing licenses for Office 365 Exchange and Outlook. Reclamation removes all three (Office 365 Exchange, Outlook, and Yammer) licenses from the user.

Note:The information stored is subject to change as enhancements are made to the product.

Minimum Permissions Required

Minimum API required permissions are based on the Application Permission and User Role .

Application Permission

Application Permission

Permission

Description

Integration Task Name

Directory.Read.All

To read the list of users in your Microsoft account

Application Roster, License Information

AuditLog.Read.All

To read the audit log details in your Microsoft account

Application Access

Reports.Read.All

To read the user access event details in your Microsoft account

Application Access

User.ReadWrite.All

This permission is required to modify the license assigned to the user.

Reclamation

Offline_access

This permission is necessary for the refresh token generation.

 

User Role

User Role

Role

Description

Application Administrator

To grant the application permissions, the user must have Application Administrator access. For details, refer to Microsoft’s description of the Application Administrator.

Reports Reader

This role is required for retrieving the Microsoft 365 activities report details.

License Administrator

This role is necessary for user license management in the reclamation task.

Best Practice:Once the Authorization is completed and the integration tasks are executed successfully, the user role can be reduced to the Report Reader role. Flexera recommends not to revoke the Report Reader role. This role is the minimum permission required after authorizing the integration. Revoking the Report Reader role will result in an Application Access integration task failure. Changing the user role password after authorizing the integration will also result in an Application Access integration task failure.

Authentication Method

OAuth2 with Authorize flow. For details, refer to the Microsoft OAuth2 authorization code flow documentation.

Credentials Required

Username
Password

Note:These credentials are required only for authorizing the application permissions. They are not stored in SaaS Management.

License Types

To learn more about the product names and service plan identifiers for Microsoft 365 licenses, refer to https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference 

Integrating Microsoft 365 with SaaS Management

To integrate Microsoft 365 with SaaS Management, perform the following steps.

Best Practice:Flexera recommends creating the Microsoft 365 integration to view your organization’s Office 365, Dynamics 365, Power BI, Project, and Visio license usage data. Any existing Office 365, Dynamics 365, Power BI, Project, and Visio integrations in SaaS Management will be superseded by this new Microsoft 365 integration. To deactivate an existing integration, refer to Integrating Microsoft 365 Licenses from SaaS Management to IT Asset Management.

To integrate Microsoft 365 with SaaS Management:

1. In SaaS Management, add the Microsoft 365 application. Refer to Adding an Application.
2. Click Authorize, which will redirect you to the Microsoft portal.
3. In the Microsoft portal, enter your Application Administrator username and password to log in.
4. In the Microsoft Permissions requested window, click Accept to authorize and provide access to the account for the APIs used in the integration.

After you have successfully integrated Microsoft 365 with SaaS Management, the following Microsoft information is available in the Users tab.

UPN (User Principal Name) column is a user filtering option.
License column has a dropdown list that only includes discovered and assigned licenses.
5. For further information on managing and optimizing your organization’s Microsoft 365 licenses, refer to:
Auto-Populated Microsoft 365 License Information
Managing Available Microsoft 365 Licenses
Viewing the Hybrid Microsoft 365 Position
License Differentiation
Reclaiming Microsoft 365 User Licenses

Auto-Populated Microsoft 365 License Information

The SaaS Management integration with Microsoft 365 offers a License Information integration task that automatically retrieves every 24 hours the name of the Microsoft 365 plan, license type, and total allowed number of licenses. This auto-populated Microsoft 365 license information provides a more complete view of your Microsoft SaaS entitlements and component usage by displaying:

Assigned entitlements.
User’s license activity (based on the user’s last login)
An 11 Services filter in the Microsoft 365 Activity tab, which helps you narrow the focus of your organization’s Microsoft 365 license activity.

Important:If you enable the License Information integration task, note the following:

The managed application's license information you previously entered in the Licenses Tab will be overwritten with the data ingested from Microsoft.
You need to enter and keep up to date the following Licenses Tab information. The License Information integration task does not pull in this information. The SaaS application’s annual spend calculation relies on entered and accurate license effective and ending dates.
Amount 
Currency 
Effective Date 
Ending Date 
Payment Frequency 
When the License Information integration task first discovers an active subscription, it defaults the effective date to its discovery date and displays an empty end date. As a result, the license term is effective and will not expire.
When the License Information integration task is disabled, the managed application's license information reverts to what it was prior to the License Information integration task being enabled. As a result, your previously manually entered license information appears in the Licenses Tab.
When the License Information integration task is re-enabled, the last automatic-captured license data that was available before disabling the License Information integration task appears in the Licenses Tab.

To auto-populate Microsoft 365 license information:

1. From the SaaS menu, click Managed SaaS Applications. The Managed SaaS Applications screen appears.
2. For a new Microsoft 365 integration, add the Microsoft 365 application. Refer to Adding an Application. The License Information integration task is selected by default.
3. For an existing Microsoft 365 integration:
a. On the Managed SaaS Applications screen, select the appropriate Microsoft 365 instance link.
b. Navigate to the Microsoft 365 Application Details screen and select the Integration tab.
c. In the Integration Tasks table, click Disabled in the Action column to enable the License Information task.
d. Click OK.
4. When the License Information integration task is enabled, the License type, Name, and # of Items Allowed fields in the Microsoft 365 Licenses tab are disabled as this information is automatically populated. The active and inactive ingested license data from Microsoft can be compared against the Subscriptions data from the Licenses menu of the Microsoft 365 Admin Center.

Managing Available Microsoft 365 Licenses

Once the License Information integration task for Auto-Populated Microsoft 365 License Information is enabled, you can add or remove the Microsoft 365 product licenses you wish to manage within SaaS Management. Complete the following steps.

To manage available Microsoft 365 licenses:

1. In the Microsoft 365 Licenses tab, click the Manage Available Licenses button in License Details. The Manage Available Licenses slideout opens to display the Microsoft product licenses from your Microsoft portal.
2. Select the licenses you wish to manage and click Save.
3. When the Update Managed Licenses window appears, click Continue. It may take several minutes to recalculate the License Details data.

Note:Unselected licenses are not shown in SaaS Management and are filtered out from all calculations. For further details, refer to What happens when a Microsoft 365 license is filtered out?

What happens when a Microsoft 365 license is filtered out?

No license entry appears on the Microsoft 365 Licenses tab, even when the Show Inactive switch is disabled.
Filtered out licenses are not included in annual spend calculations.
Filtered out licenses do not appear on the All SaaS Licenses page.
Filtered out licenses do not appear on the SaaS License Usage page when the Show License Details switch is enabled.
Users who are only entitled to licenses that have been filtered out do not appear in the Microsoft 365 Users tab.
Activity from users who are only entitled to licenses that have been filtered out does not appear in the Microsoft 365 Activity tab.
Since users in this filtered state are not listed in the Microsoft 365 Users tab, they also would not be flagged as reclamation opportunities.
Users in the filtered state would not count toward active/inactive/never/total usage counts from SaaS metrics.
The HR roster user entry would not show the user listed in the applications list if they have been filtered out.
A user in the filtered state would not be marked as suspicious, even if their HR roster entry were deactivated and they were still generating usage on Microsoft. The user in the filtered state has been effectively removed from the Application Roster and the Microsoft 365 Activity tab. Therefore, the user does not appear on the Suspicious SaaS Activities page.
If a user is not assigned any licenses, the user is filtered out of the Microsoft 365 Users tab.
When a Microsoft 365 license is not selected to be managed in SaaS Management, the license will also not appear in IT Asset Management when Viewing the Hybrid Microsoft 365 Position.

Viewing the Hybrid Microsoft 365 Position

At the top of the Microsoft 365 Overview tab, click the View the hybrid Microsoft 365 position link to open Flexera’s IT Asset Management License Summary page. Then filter the Publisher name by Microsoft. Together, Flexera’s SaaS Management and IT Asset Management applications provide a complete view of your organization’s Microsoft online and traditional desktop usage.

Integrating Microsoft 365 Licenses from SaaS Management to IT Asset Management

To import the Microsoft 365 licenses from SaaS Management to Flexera’s IT Asset Management All Licenses page, which feeds to the License Summary page, ensure the Flexera SaaS Manager integration is enabled in the IT Asset Management Integrations tab. For details, refer to the IT Asset Management Settings: Integrations Tab section of the IT Asset Management documentation.

Follow the steps below to integrate Microsoft 365 licenses from Flexera’s SaaS Management to IT Asset Management.

To integrate Microsoft 365 Licenses from SaaS Management to IT Asset Management

1. In SaaS Management, disable the existing separate Office 365, Power BI, Project, Visio, or Dynamics 365 integrations to delete the license information. To disable the integration, navigate to the managed SaaS application’s Overview tab. On the upper-right side of the Overview tab, click the Application Details link to open the Application Details window. In the Application Details window, click Deactivate.
2. When the Flexera SaaS Manager integration is enabled in the IT Asset Management settings, the Import Inventory job is executed overnight.
3. After the Import Inventory job is executed the next day, delete the Microsoft licenses now marked as “Retired” in IT Asset Management.

Note:Any purchases managed in IT Asset Management and associated to the now retired/deleted licenses will return back to an “Unprocessed purchase”.

Best Practice:To avoid confusion and potential license duplication, Flexera recommends that any licenses created in IT Asset Management for Project / Visio / Dynamics 365 be deleted as the new SaaS Management Microsoft 365 integration also creates these licenses with imported entitlement and consumption.

4. Set up the Microsoft 365 integration in SaaS Management per Integrating Microsoft 365 with SaaS Management.
5. After the Import Inventory job is executed in IT Asset Management the next day, the Flexera SaaS Manager integration creates all the Microsoft 365 licenses with purchase counts and consumption counts.

License Differentiation

SaaS Management offers a license differentiation feature that allows you to view users by license type. To view this license differentiation feature, navigate to the Activity tab of the Microsoft 365 App Details screen where you can filter and export the Microsoft 365 license types.

The total spend for the billable Microsoft 365 accounts displayed in the Microsoft 365 App Details screen is based on the Microsoft 365 license cost details entered in the License Details tab. For details, refer to Entering License Details for License Differentiation.

Identifying Microsoft 365 users who can have their license types downgraded

You can reduce SaaS spend by identifying and downgrading users who have never used the features of a more expensive license type. For F-type Microsoft subscriptions, follow the steps below. For E-Type Microsoft subscriptions, refer to Viewing the Hybrid Microsoft 365 Position.

To identify users of Microsoft 365 F-type subscriptions who can have their license types downgraded:

1. Select Never in the Activity column search.
2. Enter the name of the more expensive license type application in the Application column search.
3. Export your findings to a CSV and send it to your organization’s contact with the Administer SaaS or Manage SaaS application & users role (for details, refer to Flexera Roles) who can downgrade a user’s license for cost savings.

Reclaiming Microsoft 365 User Licenses

The following steps explain how to reclaim Microsoft 365 user licenses using the SaaS Management user interface.

To reclaim Microsoft 365 user licenses:

1. From the SaaS menu, click Managed SaaS Applications. The Managed SaaS Applications screen appears.
2. For a new Microsoft 365 integration:
a. Add the Microsoft 365 application. Refer to Adding an Application.
b. Select the Reclamation integration task from the Add Application screen.
c. Click Authorize.
d. Proceed to step 4.
3. For an existing Microsoft 365 integration:
a. On the Managed SaaS Applications screen, select the appropriate Microsoft 365 instance link.
b. Navigate to the Microsoft 365 Application Details screen and select the Integration tab.
c. In the Action column of the Integration Tasks table, click Disabled to enable the Reclamation integration task.
d. Click OK.
4. To reclaim Microsoft 365 licenses, refer to Reclaiming SaaS Licenses.

API Endpoints

Application Roster

https://graph.microsoft.com/v1.0/users

 

https://graph.microsoft.com/v1.0/subscribedSkus

Application Access

https://graph.microsoft.com/beta/reports/getOffice365ActiveUserDetail

 

https://graph.microsoft.com/beta/reports/getEmailActivityUserDetail

 

https://graph.microsoft.com/v1.0/auditLogs/signIns

 

License Information

https://graph.microsoft.com/v1.0/subscribedSkus

Reclamation

https://graph.microsoft.com/v1.0/users{id | userPrincipalName}/assignLicense