Registering an App to Connect to Microsoft 365 Using the Azure Portal

IT Asset Management (Cloud)
Important: The instructions in this section are for use with the Microsoft 365 connector. This is the recommended connector to use to create a connection to Microsoft Office 365 on an inventory beacon. If you would like instructions for using the legacy Microsoft Office 365 (deprecated) connector, see Creating Connections using the Microsoft Office 365 (Deprecated) Connector.

An alternative method to the instructions provided in Using IT Asset Management’s Multi-Tenant App to Connect to Microsoft 365 is to register a single-tenant app in the Azure portal to connect to Microsoft 365 as shown in the steps in this section. This requires Global Administrator privileges for the initial registration. Using this process, it is possible to specify a client secret (under OAuth) to be used for regular operation of the connector, so that a separate user name and password are not required for operational use.

To register an app in the Azure portal to connect to Microsoft 365:

  1. With an Azure account with Global Administrator privileges, log in to the Microsoft Azure portal.
  2. In the left navigation bar, click Azure Active Directory.
  3. Click App registrations.
  4. Click the New registration button.
    The Register an application page appears.
  5. In the Register an application page, do the following:
    1. In the Name field, enter FlexNet Beacon.
    2. In the Supported account types section, choose Accounts in this organizational directory only.
    3. Click Register.

      The Azure AD application is created, and its FlexNet Beacon overview page appears.

  6. On the FlexNet Beacon page, click Authentication in the middle group of the navigation bar and do the following:
    1. In the Redirect URIs section, either:
      • Choose the redirect you would like to use, such as https://login.microsoftonline.com/common/oauth2/nativeclient; or
      • Click Add URI to expose a field where you may enter your preferred value, and then click the check mark at the end of that field.
    2. Click Save at the top of the page.
      After a period of time, the registration completes, and the FlexNet Beacon overview page is displayed.
  7. If you wish to use a client secret to authenticate normal operations of the Microsoft 365 connector, add a client secret for the FlexNet Beacon add-in:
    1. In the navigation bar, select Certificates & secrets.
    2. In the Client secrets section of the page, click New client secret.
      A new Add a client secret panel appears.
    3. Add a Description, which acts as a friendly name for your client secret.
    4. Choose how long your client secret should remain valid (between 6 months and two years).
      Choose a period that best suits your business processes. Shortly before the client secret expires, you need to generate a new client secret and update your add-in.
    5. Click Add at the bottom of the panel.
      Your new secret appears temporarily in the list of Client secrets.
      Important: You must immediately use the copy icon on the right of your new client secret value to capture the client secret and save it to a secure location where you can refer to it later, as it will not be shown in the Azure Partner Center again. Also record the Expires date, so you know the period of validity of your client secret. Best practice is to set a reminder in your preferred enterprise technology calendar system to update the client secret shortly before it expires, as described in https://docs.microsoft.com/en-us/office/dev/store/create-or-update-client-ids-and-secrets#bk_update.
    6. Only after you have safely copied your new client secret, select API permissions in the navigation bar, and then click Add a permission > Microsoft Graph > Application permissions.
      These permissions are required for the connector to authenticate as itself, without user interaction.
    7. Under Select permissions:
      1. Expand Directory, and select Directory.Read.All.
      2. Expand Reports, and select Reports.Read.All.
      Tip: These permissions require admin consent, described next. The required button is only enabled when you are an administrator and have selected the permissions as just described.
    8. Above the set of permissions, click Grant admin consent for client-name. In the confirmation dialog that appears, confirm the consent action.
      The Status column in the list of permissions is updated with green check icons and Granted for client-name against each permission. This completes the settings in the Azure portal, and you can prepare to copy values into your inventory beacon interface.
    9. In the navigation bar select Overview again, and from the tabs across the top, select Endpoints.
      Keep this panel open for copying values to your inventory beacon interface in step 12.
  8. On the inventory beacon that will exercise the connection to Microsoft 365, log into the inventory beacon interface as an administrator (for example, in the Windows Start menu, search for FlexNet Beacon, right-click it, and select Run as administrator).
    Remember: You must run the inventory beacon software with administrator privileges.
  9. To create a new connection, click the down arrow on the right of the New split button, and choose PowerShell.
  10. Complete the following required fields:
    • Connection Name: Enter the name of the inventory connection. The name may contain alphanumeric characters, underscores or spaces, but must start with either a letter or a number. When the data import through this connection is executed, the data import task name is the same as the connection name. Example:
      Microsoft 365 import
    • Source Type: Select Microsoft 365 from this list.
  11. Optionally, if your enterprise uses a proxy server to enable Internet access, complete the values in the Proxy Settings section of the dialog box in order to configure the proxy server connection:
    • Use Proxy: Select this check box if your enterprise uses a proxy server to enable Internet access. Complete the additional fields in the Proxy Settings section, as needed. If the Use Proxy check box is not selected, the remaining fields in the Proxy Settings section are disabled.
    • Proxy Server: Enter the address of the proxy server using HTTP, HTTPS, or an IP address. Use the format https://ProxyServerURL:PortNumber, http://ProxyServerURL:PortNumber, or IPAddress:PortNumber. This field is enabled when the Use Proxy check box is selected.
    • Username and Password: If your enterprise is using an authenticated proxy, specify the username and password of an account that has credentials to access the proxy server that is specified in the Proxy Server field. These fields are enabled when the Use Proxy check box is selected.
  12. Complete the fields in the Microsoft 365 section:
    The source contents for most fields in this section are waiting in your Azure session, opened to the FlexNet Beacon product overview page.
    1. In the Azure product overview, ensure that you have clicked the Endpoints tab (near the top), and have open the panel listing multiple endpoints.
      1. Click the Click to copy icon to the right of the OAuth 2.0 token endpoint (v2) field.
      2. Paste this value into the Token Endpoint field in the inventory beacon interface.
    2. In Azure, in the Overview page:
      1. Click the Click to copy icon to the right of the Application (client) ID field.
      2. Paste this value into the Application (client) ID field in the inventory beacon interface.
    3. In Azure, in the Overview page, click the hyperlink in the Redirect URIs section. This opens the Authentication page.
      1. Click the Click to copy icon to the right of the Redirect URIs setting you selected; or if you specified a custom URI, copy that URI.
      2. Paste this value into the Redirect URI field in the inventory beacon interface.
    4. In the inventory beacon interface, from the Authentication Flow drop-down, choose either:
      • Client Credentials if you are using a client secret to authenticate connection to Microsoft 365. A Client Secret field appears: copy your client secret from the secure location where you previously saved it, and paste it into this field.
      • Authorization Code if you are not using a client secret, and instead are using a refresh token to authenticate connection to Microsoft 365. An Authorization Endpoint field appears.
        1. In Azure, in the Overview page, click Endpoints again.
        2. Click the Click to copy icon to the right of the OAuth 2.0 authorization endpoint (v2) field.
        3. Paste this value into the Authorization Endpoint field in the inventory beacon interface.
        4. To generate a Refresh Token to authenticate the connection to Microsoft 365, click the Generate... button.
        5. In the pop-up, log into Azure with your account name and password.
        6. In Azure, in the panel for Permissions requested, select Consent on behalf of your organization, and click Accept.
        7. Optionally, validate your settings in Azure by navigating to API permissions, where your Configured permissions list should display green "Granted" check marks for all four rights under Microsoft Graph.
  13. At the bottom of the FlexNet Beacon interface, click Test connection for a success message (or use the error message to begin your troubleshooting).
  14. When the connection is successful, click Save.
    Tip: Optionally, you may wish to select your connection, and click Execute Now, before you exit. You may also want to schedule data imports through this connection, for which see ../../../tasks/FIB-SchedulingConnection.html.
  15. When you are done, click Exit.
After a successful data import, the users, applications, licenses, and usage data are all visible in the appropriate pages of IT Asset Management.
Note: To learn more about the operations available on the Inventory Systems page of FlexNet Beacon, see ../../../tasks/../topics/InventorySystemsPage.html. For more about scheduling data imports, see ../../../tasks/FIB-SchedulingConnection.html.
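
The following is an added example, not part of the product or its documentation. It shows the form body that the Client Credentials flow in step 12 posts to the token endpoint, and audits the resulting access token against the registration: issued by the single tenant, issued to the Application (client) ID, and carrying only the two application permissions granted in step 7. It assumes the token endpoint contains the tenant GUID; the function names, tenant ID, client ID, and sample tokens are constructed placeholders.

```python
import base64, json, time
from urllib.parse import urlencode, urlparse

# Application permissions selected in the procedure above.
REQUIRED_ROLES = {"Directory.Read.All", "Reports.Read.All"}

def token_request_body(client_id, client_secret):
    """Form body the client credentials grant posts to the v2 token endpoint."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret,
                      "scope": "https://graph.microsoft.com/.default"})

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def audit_token(token, token_endpoint, client_id, now=None):
    """Return findings; an empty list means the token matches the registration."""
    claims, findings = jwt_claims(token), []
    tenant = urlparse(token_endpoint).path.split("/")[1]
    if claims.get("tid") != tenant:
        findings.append(f"tid {claims.get('tid')} does not match endpoint tenant {tenant}")
    if claims.get("appid", claims.get("azp")) != client_id:
        findings.append("token was not issued to this Application (client) ID")
    roles = set(claims.get("roles", []))
    for role in sorted(REQUIRED_ROLES - roles):
        findings.append(f"missing role {role} (admin consent not granted?)")
    for role in sorted(roles - REQUIRED_ROLES):
        findings.append(f"unexpected role {role} (broader than the connector needs)")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        findings.append("token is expired")
    return findings

def sample_token(claims):
    """Build an unsigned, constructed JWT so the audit can run offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

# Constructed placeholder values, not real tenant or app identifiers.
TENANT = "00000000-0000-0000-0000-000000000001"
CLIENT = "00000000-0000-0000-0000-000000000002"
ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"

if __name__ == "__main__":
    good = {"tid": TENANT, "appid": CLIENT, "exp": 2000, "roles": sorted(REQUIRED_ROLES)}
    wide = dict(good, roles=good["roles"] + ["Directory.ReadWrite.All"])
    print(audit_token(sample_token(good), ENDPOINT, CLIENT, now=1000))
    print(audit_token(sample_token(wide), ENDPOINT, CLIENT, now=1000))
```

An "unexpected role" finding means the app registration holds more Graph application permissions than the connector needs, and anyone holding the client secret inherits them.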
