Office 365
Best Practice:
Office 365 is a cloud-based service that is designed to help meet your organization's needs for robust security, reliability, and user productivity.
The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.
• | Stored Office 365 Information |
• | Required Minimum Permissions for Office 365 |
• | Office 365 Authentication Method |
• | Required Office 365 Credentials |
• | Office 365 License Types |
• | Data Anonymization for Office 365 |
• | Integrating Office 365 With SaaS Management |
• | Auto-Populated Office 365 License Information |
• | Office 365 API Endpoints |
The following table describes the available integration tasks and stored data within SaaS Management.
Available Integration Tasks |
Information Stored |
|||||||||||||||||||||
Application Roster |
|
|||||||||||||||||||||
Application Access |
Last Activity Date of the following applications:
Note:Application Access data is available 3 days after the event(s) occurs. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management for application access. |
|||||||||||||||||||||
License Differentiation |
See Office 365 License Types and Tracking Application Activity by License Type for License Differentiation. |
|||||||||||||||||||||
License Information |
Note:The SaaS Management License Information integration task retrieves information once every 24 hours. Therefore, the data in the Microsoft Portal may not match the data in SaaS Management. |
|||||||||||||||||||||
Reclamation |
Reclaiming SaaS licenses affects all of the user’s licenses within a SaaS integration. For example, a user has licenses for Office 365 Exchange, Outlook, and Yammer. However, the Software Asset Manager is only managing licenses for Office 365 Exchange and Outlook. Reclamation removes all three (Office 365 Exchange, Outlook, and Yammer) licenses from the user. To reclaim Office 365 SaaS licenses, see Reclaiming SaaS Licenses. |
Note:The information stored is subject to change as enhancements are made to the SaaS application.
Required Minimum Permissions for Office 365
The minimum API required permissions are based on the Required Application Permissions for Office 365 and the Required User Roles for Office 365 .
Required Application Permissions for Office 365
Application Permission |
Description |
Integration Task Name |
Directory.Read.All |
Enables you to read the list of users in your Microsoft account. |
Application Roster License Information |
Reports.Read.All |
Enables you to read the user access event details in your Microsoft account. |
Application Access |
User.ReadWrite.All |
Is required to modify the license assigned to the user. |
Reclamation |
Offline_access |
Enables you to generate the refresh token. |
|
Required User Roles for Office 365
Note:The following SaaS application user roles are not applicable to Flexera One roles.
User Role |
Description |
Application Administrator |
To grant the application permissions, the user must have Application Administrator access. For more information, see Microsoft’s documentation topic, Application Administrator. |
Reports Reader |
This role is required for retrieving the Office 365 activities report details. |
License Administrator |
This role is necessary for user license management in the reclamation task. |
Note:Consider the following:
• | After the Authorization is completed and the integration tasks are executed successfully, the user role can be reduced to the Report Reader role. |
• | After Authorizing, changing the password or revoking the user roles for the user used for authorizing will result in an integration task failure. |
Office 365 Authentication Method
The required authentication method is OAuth 2.0 With Authorize Flow. For more information, see Microsoft’s documentation topic, Microsoft Identity Platform and OAuth 2.0 Authorization Code Flow.
Required Office 365 Credentials
The following credentials are required:
• | Username |
• | Password. |
Note:These credentials are required only for authorizing the application permissions. They are not stored in SaaS Management.
To learn more about the product names and service plan identifiers for Office 365 licenses, see Microsoft’s documentation topic, Product names and service plan identifiers for licensing.
Data Anonymization for Office 365
Data anonymization is the processing technique that removes or modifies identifiable information. After the process is complete, data cannot be associated with a specific user. It helps protect private and sensitive data as well as private activities while maintaining its integrity.
When adding the Office 365 application, it is important to make sure that anonymized users are not imported from Office 365 into SaaS Management. You will need to access reports that provide information about your organization’s use of applications and services.
The following procedure is important as a prerequisite to ensure that anonymized user data is not imported when integrating Office 365 with SaaS Management.
To view reports with anonymized user data:
1. | Sign in to the Microsoft 365 Portal Admin Center. |
2. | In the menu, go to Settings > Org settings and click the Services link at the top. |
3. | Scroll down and click Reports. |
4. | In the window that is displayed, clear the Display concealed user, group, and site names in all reports box. |
5. | Proceed to Integrating Office 365 With SaaS Management. |
Note:Ensure that data anonymization is disabled in your Microsoft account. Otherwise, all activity data will end up in Suspicious SaaS Activities. For more information, see Microsoft’s documentation topic, Microsoft 365 Reports Show Anonymous User Names Instead of Actual User Names. If anonymized user data has been imported after integrating Office 365 with SaaS Management, submit a Flexera Support Case.
Integrating Office 365 With SaaS Management
To integrate Office 3656 with SaaS Management, perform the following steps:
To integrate Office 365 with SaaS Management:
1. | In SaaS Management, add the Office 365 application. For more information, see Adding an Application. |
2. | Click Authorize, which will redirect you to the Microsoft portal. |
3. | In the Microsoft portal, enter your Application Administrator username and password to sign in. |
4. | In the Permissions Requested dialog, click Accept to authorize and provide access to the account for the APIs used in the integration. |
For further information on managing and optimizing your organization’s Office 365 licenses, see:
• | Auto-Populated Office 365 License Information |
• | Tracking Application Activity by License Type for License Differentiation |
• | Reclaiming SaaS Licenses. |
Note:All blocked users will be displayed as normal users in SaaS Management.
Auto-Populated Office 365 License Information
The SaaS Management integration with Office 365 offers a License Information integration task that automatically retrieves every 24 hours the name of the Office 365 plan, license type, and total allowed number of licenses. This auto-populated Office 365 license information provides a more complete view of your Microsoft SaaS entitlements and component usage by displaying:
• | Assigned entitlements. |
• | User’s license activity (based on the user’s last login) for O365 Exchange, O365 OneDrive, O365 SharePoint, O365 Skype, O365 Yammer, O365 Teams, and O365 Outlook. |
• | A 7 Services filter in the Office 365 Activity tab, which helps you narrow the focus of your organization’s Office 365 license activity. |
Important:If you enable the License Information integration task, you need to enter and keep up to date the following Licenses Tab information. The License Information integration task does not pull in this information. The SaaS application’s annual spend calculation relies on entered and accurate license effective and expiration dates.
• | Effective Date |
• | Expiration Date |
• | Cost |
• | Currency |
• | Payment Frequency |
To auto-populate Office 365 license information, see Auto-Populating SaaS Application License Information. When the License Information integration task is enabled, the License type, Name, and Provisioned fields in the Office 365 Licenses tab are disabled as this information is automatically populated. The active and inactive ingested license data from Microsoft can be compared against the Subscriptions data from the Licenses menu of the Microsoft 365 Admin Center.
Application Roster
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/subscribedSkus
Application Access
https://graph.microsoft.com/beta/reports/getOffice365ActiveUserDetail
https://graph.microsoft.com/beta/reports/getEmailActivityUserDetail
License Information
https://graph.microsoft.com/v1.0/subscribedSkus
Reclamation
https://graph.microsoft.com/v1.0/users{id | userPrincipalName}/assignLicense
https://graph.microsoft.com/v1.0/subscribedSkus