Microsoft 365
Microsoft 365 is a cloud-based service that is designed to help meet your organization's needs for robust security, reliability, and user productivity. This integration creates a single connection to your Microsoft 365 subscription that includes Office 365, Dynamics 365, Power BI, Project, Visio, and any future applications added by Microsoft.
| • | Information Stored |
| • | Minimum Permissions Required |
| • | Credentials Required |
| • | License Types |
| • | Integrating Microsoft 365 with SaaS Management |
| • | Auto-Populated Microsoft 365 License Information |
| • | Managing Available Microsoft 365 Licenses |
| • | Viewing the Hybrid Microsoft 365 Position |
| • | API Endpoints |
The following table describes the available integration tasks and stored data.
|
Available Integration Tasks |
Information Stored |
|||||||||||||||||||||||||||||||||
|
Application Roster |
|
|||||||||||||||||||||||||||||||||
|
Application Access |
Last Activity Date of the following applications:
Note:Application Access data for Microsoft Exchange Server, Microsoft Teams, OneDrive, Outlook, SharePoint, Skype for Business, and Yammer is available 3 days after the event(s) occurs. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management for application access. |
|||||||||||||||||||||||||||||||||
|
License Differentiation |
See License Types and Tracking Application Activity by License Type for License Differentiation. |
|||||||||||||||||||||||||||||||||
|
License Information |
Note:The above license information is retrieved every 24 hours. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management for license information. |
|||||||||||||||||||||||||||||||||
|
Reclamation |
Reclaiming SaaS licenses affects all the users’ licenses within a SaaS integration. For example, a user has licenses for Office 365 Exchange, Outlook, and Yammer. However, the Software Asset Manager is only managing licenses for Office 365 Exchange and Outlook. Reclamation removes all three (Office 365 Exchange, Outlook, and Yammer) licenses from the user. To reclaim Microsoft 365 SaaS licenses, refer to Reclaiming SaaS Licenses. |
Note:The information stored is subject to change as enhancements are made to the product.
Minimum API required permissions are based on the Application Permission and User Role .
|
Application Permission |
Description |
Integration Task Name |
|
Directory.Read.All and Reports.Read.All |
To read the list of users in your Microsoft account |
Application Roster, License Information |
|
AuditLog.Read.All |
To read the audit log details in your Microsoft account |
Application Access |
|
Reports.Read.All |
To read the user access event details in your Microsoft account |
Application Access |
|
User.ReadWrite.All |
This permission is required to modify the license assigned to the user. |
Reclamation |
|
Offline_access |
This permission is necessary for the refresh token generation. |
|
|
User Role |
Description |
|
Application Administrator |
To grant the application permissions, the user must have Application Administrator access. For details, refer to Microsoft’s description of the Application Administrator. |
|
Reports Reader |
This role is required for retrieving the Microsoft 365 activities report details. |
|
License Administrator |
This role is necessary for user license management in the reclamation task. |
Best Practice:Once the Authorization is completed and the integration tasks are executed successfully, the user role can be reduced to the Report Reader role. Flexera recommends not to revoke the Report Reader role. This role is the minimum permission required after authorizing the integration. Revoking the Report Reader role will result in an Application Access integration task failure. Changing the user role password after authorizing the integration will also result in an Application Access integration task failure.
Authentication Method
OAuth2 with Authorize flow. For details, refer to the Microsoft OAuth2 authorization code flow documentation.
| • | Username |
| • | Password |
Note:These credentials are required only for authorizing the application permissions. They are not stored in SaaS Management.
To learn more about the product names and service plan identifiers for Microsoft 365 licenses, refer to the Microsoft documentation section Product names and service plan identifiers for licensing.
Integrating Microsoft 365 with SaaS Management
To integrate Microsoft 365 with SaaS Management, perform the following steps.
Best Practice:Flexera recommends creating the Microsoft 365 integration to view your organization’s Office 365, Dynamics 365, Power BI, Project, and Visio license usage data. Any existing Office 365, Dynamics 365, Power BI, Project, and Visio integrations in SaaS Management will be superseded by this new Microsoft 365 integration. To deactivate an existing integration, refer to Avoiding Duplicate Microsoft 365 Licenses between SaaS Management and IT Asset Management.
To integrate Microsoft 365 with SaaS Management:
| 1. | In SaaS Management, add the Microsoft 365 application. Refer to Adding an Application. |
| 2. | Click Authorize, which will redirect you to the Microsoft portal. |
| 3. | In the Microsoft portal, enter your Application Administrator username and password to log in. |
| 4. | In the Microsoft Permissions requested window, click Accept to authorize and provide access to the account for the APIs used in the integration. |
After you have successfully integrated Microsoft 365 with SaaS Management, the following Microsoft information is available in the Users tab.
|
Users Tab Column |
Description |
||||||
|
UPN |
This User Principal Name (UPN) column is a user filtering option. |
||||||
|
Licenses |
This column filters discovered and assigned Microsoft licenses. |
||||||
|
Activations |
This column lists the names of the on-premises products the user has activated. |
||||||
|
Mail Usage |
This column displays the user’s mailbox storage consumption in MB. |
||||||
|
OneDrive Usage |
This column displays the user’s OneDrive for Business (OD4B) storage consumption in MB. |
||||||
|
Windows |
Is the user using a Windows desktop machine? (Yes or No is displayed.) |
||||||
|
Mac |
Is the user using a Mac device? (Yes or No is displayed.) |
||||||
|
Mobile |
Is the user using a mobile device? (Yes or No is displayed.) |
||||||
|
Web |
Has the user accessed Microsoft 365 applications via a browser? (Yes or No is displayed.) |
||||||
|
onPremisesSync |
The following deployment options are displayed:
|
||||||
|
Days Since Last Activity |
This is the number of days since the user’s last activity. |
||||||
|
Guest |
Is the user a Guest (that is, not a permanent employee such as a contractor)? (Yes or No is displayed.) |
||||||
|
Title |
The job title of the user is provided by Active Directory. |
||||||
|
Country |
This is the geographical location of the user. |
||||||
|
Account Created Date |
This is the date the user’s Microsoft 365 account was created within the Microsoft portal. |
Note the following:
| • | Application Roster data such as Mail Usage, OneDrive Usage, Activations, Windows, Mac, Mobile, and Web is available 3 days after the event(s) occurs. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management for these Users tab columns, which are part of the Application Roster. |
| • | Flexera captures only the last 30 days of data for the following Users tab columns: Activations, Mail Usage, OneDrive Usage, Windows, Mac, Mobile, and Web. |
| • | Due to the current behavior of the Microsoft report API, if users have not activated any applications (MICROSOFT 365 APPS FOR ENTERPRISE, PROJECT ONLINE DESKTOP CLIENT, VISIO DESKTOP APP, and OFFICE MOBILE APPS FOR OFFICE 365) 30 days from the date of the integration setup: |
|
Effects of Not Activating Applications Within 30 Days After Integration Setup |
|
The Activations column will be blank and display - . |
|
The Windows, Mac, Mobile, and Web columns will display No. |
|
For any new activations on day 31, the count will reflect on the Microsoft report API 3 days after the activation and will be retained in the report for the next 30 days. |
| • | Flexera obtains Activations data only when we activate the following Office 365 subscriptions such as MICROSOFT 365 APPS FOR ENTERPRISE, PROJECT ONLINE DESKTOP CLIENT, VISIO DESKTOP APP, and OFFICE MOBILE APPS FOR OFFICE 365 across Windows and Mac machines (For details, refer to the Microsoft documentation section Microsoft 365 Reports in the admin center - Microsoft Office activations). |
| • | Flexera obtains Yes values for the Windows, Mac, Mobile, and Web columns only when users perform activities in the following applications: Outlook, Word, Excel, PowerPoint, OneNote, and Teams (For details, refer to the Microsoft documentation section Microsoft 365 Reports in the admin center - Microsoft 365 Apps usage). |
| 5. | For further information on managing and optimizing your organization’s Microsoft 365 licenses, refer to: |
| • | Auto-Populated Microsoft 365 License Information |
| • | Managing Available Microsoft 365 Licenses |
| • | Viewing the Hybrid Microsoft 365 Position |
| • | Tracking Application Activity by License Type for License Differentiation |
| • | Reclaiming SaaS Licenses. |
Auto-Populated Microsoft 365 License Information
The SaaS Management integration with Microsoft 365 offers a License Information integration task that automatically retrieves every 24 hours the name of the Microsoft 365 plan, license type, and total allowed number of licenses. This auto-populated Microsoft 365 license information provides a more complete view of your Microsoft SaaS entitlements and component usage by displaying:
| • | Assigned entitlements. |
| • | User’s license activity (based on the user’s last login) |
| • | An 11 Services filter in the Microsoft 365 Activity tab, which helps you narrow the focus of your organization’s Microsoft 365 license activity. |
Important:If you enable the License Information integration task, you need to enter and keep up to date the following Licenses Tab information. The License Information integration task does not pull in this information. The SaaS application’s annual spend calculation relies on entered and accurate license effective and ending dates.
| • | Amount |
| • | Currency |
| • | Payment Frequency |
| • | Effective Date |
| • | Ending Date |
To auto-populate Microsoft 365 license information, refer to Auto-Populating SaaS Application License Information. When the License Information integration task is enabled, the License type, Name, and # of Items Allowed fields in the Microsoft 365 Licenses tab are disabled as this information is automatically populated. The active and inactive ingested license data from Microsoft can be compared against the Subscriptions data from the Licenses menu of the Microsoft 365 Admin Center.
Managing Available Microsoft 365 Licenses
Once the License Information integration task for Auto-Populated Microsoft 365 License Information is enabled, you can add or remove the Microsoft 365 product licenses you wish to manage within SaaS Management. To manage available Microsoft 365 licenses, refer to Managing Available SaaS Application Licenses.
Note:Unselected licenses are not shown in SaaS Management and are filtered out from all calculations. When a Microsoft 365 license is not selected to be managed in SaaS Management, the license will also not appear in IT Asset Management when Viewing the Hybrid Microsoft 365 Position. For further filtering details, refer to What happens when a SaaS application’s license is filtered out?
Viewing the Hybrid Microsoft 365 Position
While Microsoft 365 licenses are assigned and managed in the Cloud, many of the applications and functionality in the Microsoft licensing portal are locally installed on users’ devices. Due to the hybrid nature of Microsoft 365 licenses, it is beneficial to integrate Flexera’s SaaS Management with IT Asset Management in order to manage the Cloud licenses and local installations.
In SaaS Management, at the top of the Microsoft 365 Overview tab, click the View the hybrid Microsoft 365 position link to open Flexera’s IT Asset Management License Summary page. This page is automatically filtered to Publisher name is Microsoft. Together, Flexera’s SaaS Management and IT Asset Management applications provide a complete view of your organization’s Microsoft online and traditional desktop usage.
When SaaS purchase order data is synchronized with Flexera’s IT Asset Management to display the hybrid Microsoft position, you only need to manage your Microsoft purchases in Flexera’s SaaS Management. You may wish to include the additional SaaS purchase order details in IT Asset Management. However, these IT Asset Management purchases for Microsoft will not impact a SaaS Management-created Microsoft Named User license in Flexera’s IT Asset Management.
Best Practice:To avoid confusion and potential license duplication, Flexera recommends that any licenses created in IT Asset Management for Project / Visio / Dynamics 365 be deleted as the new SaaS Management Microsoft 365 integration also creates these licenses with imported entitlement and consumption. For details, refer to Avoiding Duplicate Microsoft 365 Licenses between SaaS Management and IT Asset Management.
Avoiding Duplicate Microsoft 365 Licenses between SaaS Management and IT Asset Management
To synchronize existing Microsoft 365 licenses between Flexera’s SaaS Management and IT Asset Management All Licenses page, which feeds to the License Summary page, ensure the Flexera SaaS Manager integration is enabled in the IT Asset Management Integrations tab. For details, refer to the IT Asset Management Settings: Integrations Tab section of the IT Asset Management documentation.
Complete the steps below to avoid duplicating Microsoft 365 licenses between Flexera’s SaaS Management and IT Asset Management.
To remove Microsoft 365 licenses created in SaaS Management (and integrated with IT Asset Management) from IT Asset Management:
| 1. | In SaaS Management: |
| a. | Disable the existing separate Office 365, Power BI, Project, Visio, or Dynamics 365 integrations to delete the license information. To disable the integration, navigate to the SaaS menu and click Managed SaaS Applications. The Managed SaaS Applications screen appears. |
| b. | On the Managed SaaS Applications screen, select the appropriate application’s instance link. The instance’s Overview tab opens by default. |
| c. | On the upper-right side of the Overview tab, click the Application Details link to open the Application Details window. In the Application Details window, click Deactivate. |
| 2. | In IT Asset Management: |
| a. | Ensure the Flexera SaaS Manager integration is enabled in the IT Asset Management Integrations tab. For details, refer to the IT Asset Management Settings: Integrations Tab section of the IT Asset Management documentation. The Import Inventory job is executed overnight. |
| b. | After the Import Inventory job is executed the next day, delete the Microsoft licenses now marked as “Retired” in IT Asset Management. |
Note:Any purchases managed in IT Asset Management and associated to the now retired/deleted licenses will return an “Unprocessed purchase” response.
| c. | After the Import Inventory job is executed in IT Asset Management the next day, the Flexera SaaS Manager integration creates all the Microsoft 365 licenses with purchase counts and consumption counts. |
Note:Because the Microsoft purchase counts come from SaaS Management, any IT Asset Management purchases linked to the Microsoft license will not be reflected against the IT Management license totals for Microsoft Named User licenses (created from the SaaS Management integration) in the IT Asset Management All Licenses or License Summary page.
| 3. | In SaaS Management, set up the Microsoft 365 integration per Integrating Microsoft 365 with SaaS Management. |
Application Roster
https://graph.microsoft.com/beta/users
https://graph.microsoft.com/v1.0/subscribedSkus
https://graph.microsoft.com/beta/reports/getOffice365ActivationsUserDetail
https://graph.microsoft.com/beta/reports/getM365AppUserDetail
https://graph.microsoft.com/beta/reports/getOneDriveUsageAccountDetail
https://graph.microsoft.com/beta/reports/getMailboxUsageDetail
Application Access
https://graph.microsoft.com/beta/reports/getOffice365ActiveUserDetail
https://graph.microsoft.com/beta/reports/getEmailActivityUserDetail
https://graph.microsoft.com/v1.0/auditLogs/signIns
License Information
https://graph.microsoft.com/v1.0/subscribedSkus
Reclamation
https://graph.microsoft.com/v1.0/users{id | userPrincipalName}/assignLicense