Microsoft 365

👍

Quick Details

Recommended Agent: On-Demand
Supported Agents: On-Demand or Self-Managed
Is Auto-Discovered By: N/A
Can Auto-Discover: Child Inspectors (Delegated Access), Internet Domains
Parent/Child Type Inspector: Yes
Inspection via: API
Data Summary: Microsoft 365

Overview

The Microsoft 365 Inspector inspects the suite of Microsoft Cloud Service products within a dedicated customer tenant, including Microsoft 365, Azure Active Directory, Teams, Sharepoint, and One Drive.

❗️

Microsoft Azure Inspector

The Microsoft Azure Inspector pulls data for Azure infrastructure services. For example, virtual machines, virtual networks, etc. If you are looking to deploy that inspector, please reference our documentation here.

📘

GCC High Inspector Support

"GCC High" stands for Microsoft 365 Government Community Cloud High - Microsoft 365 GCC High is the cloud platform developed by Microsoft for cleared personnel and organizations supporting the Department of Defense. GCC High is hosted in Microsoft servers across the United States in order to meet strict compliance requirements for small to medium-sized contractors as they control the flow of Controlled Unclassified Information (CUI).

At this time, Liongard is not able to support Inspections for Microsoft 365 tenants hosted in GCCH.

Deployment

Inspector Setup Preparation

Liongard Microsoft 365 Inspector is set up using an Azure Active Directory enterprise application, and configured in a similar manner.

Depending on the relationship to the tenant(s) that you manage, your configuration steps will be different. Microsoft Cloud Service Inspectors in Liongard will fall under one of two categories: Multi-Tenant or Single-Tenant configurations.

SetupDescription
Multi-TenantI have a Microsoft account I use to manage my customer relationships via the Microsoft Partner Center.
Single-TenantI have a Microsoft account that I access directly to manage my customer on their behalf. I do not manage this customer in the Microsoft Partner Center

To set up all Microsoft Cloud Services Inspectors, click on the following guide according to your tenant relationship:

Liongard Multi-Tenant Setup

🚧

Prerequisites

Before you can update your Microsoft 365 Inspector in Liongard, ensure that you have successfully transitioned your customers' tenant to GDAP. In order to proceed, please note that you will need to login to your Microsoft Partner Center with a user that is assigned the Admin Agents role.

In order to validate that your Child Inspectors are ready for Liongard's update, within the Microsoft Partner Center ensure that your customers' GDAP relationship has the Cloud application administrator, Directory writers, Global reader, Security Reader, Teams Administrator, and Reports reader Azure AD roles applied in addition to the AdminAgents security group assigned with the 5 Azure AD roles for that admin relationship, as shown below.

For more information, please watch this video for a detailed walkthrough of this process or visit Microsoft's documentation.

Step 1: Obtain your Azure Active Directory Tenant ID

  • Log in to your Azure account (i.e. portal.azure.com)
  • On the left-hand menu select Azure Active Directory
  • On the next screen, make sure you have the Overview tab selected and locate the Tenant ID displayed.
  • Copy the Tenant ID

Step 2: Parent Inspector Setup: Multi-Tenant

The Microsoft 365 Inspector can function as a “Multi-Tenant” inspector by utilizing the existing relationship established through Microsoft’s Partner Portal to manage many environments.

You will configure a Microsoft Parent Inspector for the associated Microsoft account that you use to manage your tenant(s) and to access the Microsoft Partner Center.

Those customers you've configured for GDAP relationships will be Auto-Discovered as Child Inspectors after the successful run of the Parent Inspector. Upon those discoveries, map the Child Inspectors to the correct Liongard Environment and activate them.

In Liongard, navigate to Admin > Inspectors > Inspector Types > Navigate to the Appropriate Microsoft Inspector > Add System.

Fill in the following information:

  • Type of Inspector: Parent
  • Environment: Select your MSP's Environment
  • Friendly Name: Suggested Naming: [MSP Name] [Inspector Name] Parent
  • Agent: Select On-Demand Agent
  • Inspector Version: Latest
  • Enable Multi-Tenant Application: Toggle On
  • Azure Directory (Tenant) ID: Paste in your Azure Tenant ID copied in Step 2
    • Select the "Open Microsoft Sign-In" button
    • Authenticate by signing into the organization for the associated Tenant ID with an account that is assigned the Cloud Application Administrator, Global Reader, Reports Reader, Teams Administrator, Security Reader, and Directory Writer roles for Azure AD as well the assigned to the Admin Agents group within the Partner Center.
    • Follow the prompts to accept the requested permissions by selecting the checkbox to consent and selecting Accept
    • A green check will appear to validate that you successfully completed the step.
    • ❗️Note❗️Signing in with a user that has legacy MFA methods will result in Child Inspectors not being discovered. Please see this KB for more details.
  • Include User Purpose: (Microsoft 365 Only) Enable this option to include the "mailboxRecipientType" value for each user
  • Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule
  • Select Save. The Inspector will now be triggered to run within the minute.

🚧

Microsoft Sign-In

When you are setting up the additional Microsoft Parent Inspectors, you need to follow the Open Microsoft Sign-In steps and log in using the same account. Once you have logged in and accepted the permissions consent for the account, you will not be prompted to accept it again when signing in to the other Parent Inspectors.

Step 3: Child Inspector Setup

After the first run of the Parent Inspector, your client Microsoft Cloud Services organizations will be auto-discovered in the Discovered Systems tab on the Inspectors > Appropriate Microsoft Inspector page.

Navigate to the Discovered Systems tab in your Inspectors > Appropriate Microsoft Inspector page

  • Activate or Archive your Discovered Systems by ensuring that they're mapped to the correct Environment > Check the checkbox to the left of Inspector(s) > Select the Actions drop-down menu > Activate Launchpoints

Optional: Turn on Flexible Asset/Configuration Auto-Updating

If you would like these Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for these Inspectors:

  • ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
  • IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled

Liongard Single-Tenant Setup

Step 1: Obtain your Customer's Azure Active Directory Tenant ID

  • Log into your customer's Azure Active Directory account (i.e. portal.azure.com)
  • On the left-hand menu select Azure Active Directory
  • On the next screen, make sure you have the Overview tab selected and locate the Tenant ID displayed
  • Copy the Tenant ID

Step 2: Parent Inspector Setup: Single-Tenant

You will configure a Microsoft Parent Inspector for each associated customer's Microsoft account. For those customers you manage as a Single-Tenant, there will be no auto-discovery of Child Inspectors.

In Liongard, navigate to Admin > Inspectors > Inspector Types > Navigate to the Appropriate Microsoft Inspector > Add System.

Fill in the following information:

  • Type of Inspector: Parent
  • Environment: Select your MSP's Environment
  • Friendly Name: Suggested Naming: [MSP Name] [Inspector Name] Parent
  • Agent: Select On-Demand Agent
  • Inspector Version: Latest
  • Enable Multi-Tenant Application: Toggle Off
  • Azure Directory (Tenant) ID: Paste in your Azure Tenant ID copied in Step 2
    • Select the "Open Microsoft Sign-In" button
    • Authenticate by signing into the organization for the associated Tenant ID with an account that is assigned the Cloud Application Administrator, Global Reader, Reports Reader, Teams Administrator, Security Reader, and Directory Writer roles within Azure AD.
    • Follow the prompts to accept the requested permissions by selecting the checkbox to consent and select Accept
    • A green check will appear to validate that you successfully completed the step.
  • Include User Purpose: (Microsoft 365 Only) Enable this option to include the "mailboxRecipientType" value for each user
  • Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule
  • Select Save. The Inspector will now be triggered to run within the minute.

🚧

Microsoft Sign-In

When you are setting up the additional Microsoft Parent Inspectors, you need to follow the Open Microsoft Sign-In steps and log in using the same account. Once you have logged in and accepted the permissions consent for the account, you will not be prompted to accept it again when signing in to the other Parent Inspectors.

Optional: Turn on Flexible Asset/Configuration Auto-Updating

If you would like these Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for these Inspectors:

  • ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
  • IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled

Troubleshooting

Please check the following if you are receiving an error message:

  • Ensure that there is an entry for Liongard in the Enterprise Applications section in the associated Azure Active Directory Tenant

❗️

Incomplete Data Views

If your Inspector is not returning a full set of data on your user accounts, please view our related KB article here.

❗️

SharePoint Flexible Assets/Configuration Auto-Updating

IT Glue Flexible Assets and ConnectWise Configurations are not currently available for the SharePoint inspector.

📘

Enterprise Application Permissions

The table below is provides a list of the permissions activated for the Liongard Enterprise Application within the Azure Active Directory tenant.

Microsoft Graph Permissions
AccessReview.Read.All
AuditLog.Read.All
Channel.ReadBasic.All
ChannelMember.Read.All
ChannelSettings.Read.All
Contacts.Read
DelegatedAdminRelationships.Read.All
Device.Read.All
DeviceManagementApps.Read.All
DeviceManagementConfiguration.Read.All
DeviceManagementManagedDevices.Read.All
DeviceManagementRBAC.Read.All
DeviceManagementServiceConfig.Read.All
Directory.Read.All
EduAdministration.Read.All
Files.Read.All
Group.Read.All
IdentityProvider.Read.All
IdentityRiskEvent.Read.All
IdentityRiskyUser.Read.All
InformationProtectionPolicy.Read.All
MailboxSettings.Read
Member.Read.Hidden
Organization.Read.All
offline_access
Policy.Read.All
PrivilegedAccess.Read.AzureAD
PrivilegedAccess.Read.AzureADGroup
ProgramControl.Read.All
Reports.Read.All
RoleManagement.Read.Directory
SecurityEvents.Read.All
Sites.Read.All
Team.ReadBasic.All
TeamMember.Read.All
TeamsAppInstallation.ReadForTeam.All
TeamsAppInstallation.ReadForUser.All
TeamSettings.Read.All
TeamsTab.Read.All
User.Read
User.Read.All
UserAuthenticationMethod.Read.All
Microsoft Partner Center Permissions
user_impersonation
Office 365 Exchange Online Permissions
Exchange.Manage

Microsoft 365 FAQs
Inspector FAQs