Office 365 Client Credentials

Best Practice:Flexera recommends creating the Microsoft 365 Client Credentials integration to view your organization’s Office 365 Client Credentials, Dynamics 365 Client Credentials, Power BI Client Credentials, Project Client Credentials, and Visio Client Credentials license usage data. Any existing Office 365 Client Credentials, Dynamics 365 Client Credentials, Power BI Client Credentials, Project Client Credentials, and Visio Client Credentials integrations in SaaS Management will be superseded by this new Microsoft 365 Client Credentials integration. To deactivate an existing integration, refer to Avoiding Duplicate Microsoft 365 Client Credentials Licenses between SaaS Management and IT Asset Management.

Office 365 is a cloud-based service that is designed to help meet your organization's needs for robust security, reliability, and user productivity.

Important:This Office 365 Client Credentials integration requires the authentication method OAuth2 with client credentials.

Information Stored
Minimum Permissions Required
Authentication Method
Credentials Required
License Types
Obtaining Client Credentials and Tenant ID
Data Anonymization
Integrating Office 365 Client Credentials with SaaS Management
Auto-Populated Office 365 Client Credentials License Information
API Endpoints

Information Stored

The following table describes the available integration tasks and stored data.

Available Integration Tasks

Integration Task

Information Stored

Application Roster

User ID (User Principal Name)
Email
First Name
Last Name
Active Date
Deactivated Date
Assigned Licenses

Application Access

Last Activity Date of the following applications:

Microsoft Exchange Server
Microsoft Teams
OneDrive
Outlook
SharePoint
Skype for Business
Yammer

Note:Application Access data is available 3 days after the event(s) occurs. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management for application access.

License Differentiation

See License Types and Tracking Application Activity by License Type for License Differentiation.

License Information

License Name
License Type
Purchased Quantity

Note:The above license information is retrieved every 24 hours. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management for license information.

Reclamation

Reclaiming SaaS licenses affects all of the user’s licenses within a SaaS integration. For example, a user has licenses for Office 365 Exchange, Outlook, and Yammer. However, the Software Asset Manager is only managing licenses for Office 365 Exchange and Outlook. Reclamation removes all three (Office 365 Exchange, Outlook, and Yammer) licenses from the user.

To reclaim Office 365 Client Credential licenses, refer to Reclaiming SaaS Licenses.

Note:The information stored is subject to change as enhancements are made to the product.

Minimum Permissions Required

Minimum API required permissions are based on the Application Permission and User Role .

Application Permission

Application Permission

Permission

Description

Integration Task Name

Directory.Read.All

To read the list of users in your Microsoft account

Application Roster, License Information

Reports.Read.All

To read the user access event details in your Microsoft account

Application Access

User.ReadWrite.All

This permission is required to modify the license assigned to the user.

Reclamation

User Role

User Role

Role

Description

Global Administrator

To grant the application permissions, the user must have Global Administrator access. For details, refer to the Microsoft documentation Azure AD Built-In Roles.

Authentication Method

OAuth2 with Client Credentials

For more information, see the Microsoft identity platform and the OAuth 2.0 client credentials flow.

Credentials Required

Client ID
Client Secret
Tenant ID

License Types

To learn more about the product names and service plan identifiers for Office 365 licenses, refer to https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference 

Obtaining Client Credentials and Tenant ID

To obtain client credentials and tenant ID, perform the following steps.

To obtain Client Credentials and Tenant ID:

1. Sign in to your Microsoft Azure Portal.
2. In the Search box at the top of the screen, enter App registrations and click App registrations in the search results to select it. The App registrations page opens.
3. Click New Registration. The Register an application page opens.
4. Enter a Name and choose the Accounts in this organizational directory only option.
5. Click Register.
6. On the Overview tab, copy the Application (client) ID and copy the Directory (tenant) ID to a location you can access later. You will need these values in Integrating Office 365 Client Credentials with SaaS Management.
7. To generate a Client secret, do the following:
a. Click the Certificates & secrets tab.
b. Under Client secrets, click New client secret. The Add a client secret dialog box opens.
c. In the Description field, enter a name for the new secret.
d. Under Expires, choose an expiration value.
e. Click Add.
f. Under Client secrets, copy the client secret value. You will need this in Integrating Office 365 Client Credentials with SaaS Management.
8. Click the API permissions tab and complete the following:
a. Click Microsoft Graph. The Request API permissions panel opens.
b. Click Application permissions.

Note:Do not select Delegated permissions. Delegated permissions will not work.

c. In the Select permissions search box, enter Directory and then click the arrow to expand Directory, and select the Directory.Read.All permission check box.
d. In the Select permissions search box, enter Reports and then click the arrow to expand Reports, and select the Reports.Read.All permission check box.
e. Click Update permissions.
9. Once the permissions are added, grant admin consent.
10. Complete Integrating Office 365 Client Credentials with SaaS Management.

Data Anonymization

Data anonymization is the processing technique that removes or modifies identifiable information. Once the process is complete, data cannot be associated with a specific user. It helps protect private and sensitive data as well as private activities while maintaining its integrity.

When adding the Office 365 Client Credentials application, it is important to make sure that anonymized users are not imported from Office 365 Client Credentials into SaaS Management. You will need to access reports that provide information about your organization’s use of applications and services.

The following procedure is important as a prerequisite to ensure that anonymized user data is not imported when integrating Office 365 Client Credentials with SaaS Management.

To view reports with anonymized user data:

1. Sign in to the Microsoft 365 Portal Admin Center.
2. In the menu, go to Settings > Org settings and click the Services link at the top.
3. Scroll down and click Reports.
4. In the window that is displayed, clear the Display concealed user, group, and site names in all reports box.
5. Proceed to Integrating Office 365 Client Credentials with SaaS Management.

Note:Ensure that data anonymization is disabled in your Microsoft account. Otherwise, all activity data will end up in Suspicious SaaS Activities. For more information, see the Microsoft documentation regarding Showing Anonymous User Names. If anonymized user data has been imported after integrating Office 365 with SaaS Management, submit a Support Case.

Integrating Office 365 Client Credentials with SaaS Management

To integrate Office 365 Client Credentials with SaaS Management, perform the following steps.

To integrate Office 365 Client Credentials with SaaS Management:

1. In the Microsoft Azure Portal, enter your Global Administrator username and password to sign in.
2. From your Microsoft account, copy the Client ID, Client Secret, and Tenant ID values.
3. In SaaS Management, add the Office 365 Client Credentials application. Refer to Adding an Application.
4. In the Add Application screen for Office 365 Credentials:
a. Select the Application Roster and Application Access integration tasks check boxes.
b. Paste the values copied into the Client ID, Client Secret, and Tenant ID fields.
c. Click Authorize.

Note:All blocked users will be displayed as normal users in SaaS Management.

5. For further information on managing and optimizing your organization’s Office 365 Client Credentials licenses, refer to:
Auto-Populated Office 365 Client Credentials License Information
Tracking Application Activity by License Type for License Differentiation
Reclaiming SaaS Licenses.

Auto-Populated Office 365 Client Credentials License Information

The SaaS Management integration with Office 365 Client Credentials offers a License Information integration task that automatically retrieves every 24 hours the name of the Office 365 plan, license type, and total allowed number of licenses. This auto-populated Office 365 Client Credentials license information provides a more complete view of your Microsoft SaaS entitlements and component usage by displaying:

Assigned entitlements.
User’s license activity (based on the user’s last login) for O365 Exchange, O365 OneDrive, O365 SharePoint, O365 Skype, O365 Yammer, O365 Teams, and O365 Outlook.
A 7 Services filter in the Office 365 Activity tab, which helps you narrow the focus of your organization’s Office 365 license activity.

Important:If you enable the License Information integration task, you need to enter and keep up to date the following Licenses Tab information. The License Information integration task does not pull in this information. The SaaS application’s annual spend calculation relies on entered and accurate license effective and ending dates.

Amount 
Currency 
Effective Date 
Ending Date 
Payment Frequency 

To auto-populate Office 365 Client Credentials license information, refer to Auto-Populating SaaS Application License Information. When the License Information integration task is enabled, the License type, Name, and # of Items Allowed fields in the Office 365 Client Credentials Licenses tab are disabled as this information is automatically populated. The active and inactive ingested license data from Microsoft can be compared against the Subscriptions data from the Licenses menu of the Microsoft 365 Admin Center.

API Endpoints

Application Roster

https://graph.microsoft.com/v1.0/users

 

https://graph.microsoft.com/v1.0/subscribedSkus

Application Access

https://graph.microsoft.com/beta/reports/getOffice365ActiveUserDetail

 

https://graph.microsoft.com/beta/reports/getEmailActivityUserDetail

License Information:

https://graph.microsoft.com/v1.0/subscribedSkus

Reclamation

https://graph.microsoft.com/v1.0/users{id | userPrincipalName}/assignLicense

 

https://graph.microsoft.com/v1.0/subscribedSkus