Microsoft Cloud Services Inspectors

The following document is intended to support users as they deploy Microsoft Cloud Services Inspectors (Azure Active Directory, Microsoft 365, Teams, SharePoint, etc.).

👍

Quick Details

Recommended Agent: On-Demand
Supported Agents: On-Demand or Self-Hosted
Is Auto-Discovered By: N/A
Can Auto-Discover: Child Inspectors (Delegated Access), Internet Domains
Parent/Child Type Inspector: Yes
Inspection via: API
Data Summary: Azure Active Directory, Microsoft 365, Microsoft OneDrive, Microsoft SharePoint, Microsoft Teams

❗️

Microsoft Azure Inspector

The Microsoft Azure Inspector pulls data for Azure infrastructure services (for example, virtual machines and virtual networks). If you are looking to deploy that Inspector, please reference our documentation here.

Overview

See it in Action: video walkthroughs for the Azure Active Directory, Microsoft 365, Microsoft OneDrive, Microsoft SharePoint and Microsoft Teams Inspectors.

Deployment

All Liongard Microsoft Cloud Services Inspectors are set up using a single Azure Active Directory application and are configured in a similar manner.

To set up all Microsoft Cloud Services Inspectors, you will complete the following steps:

  • Inspector Setup Preparation (done once): determine whether you have delegated access, create a single multi-tenant Azure Active Directory Application with the permissions listed below, and, if you have delegated access, pre-consent your customer tenants to it.
  • Liongard Inspector Setup (done once per Inspector type): create a Parent Inspector using that application, then activate the auto-discovered Child Inspectors, or create Child Inspectors manually for non-delegated customers.

Once you have set up your Azure Active Directory Application, use the same application across all Inspectors; do not create one per Inspector type.

Inspector Setup Preparation

Step 1: Determine if you have Delegated Access

The setup steps for the Microsoft Cloud Services Inspectors differ based on whether or not you have delegated access to your customer tenants.

If you are not sure if you are set up for delegated access, please review Microsoft's FAQ here.

If you have access to all of your customers' Microsoft tenants through the partner portal using your own credentials, then you are set up for delegated access.

If you must log in to each customer's tenant with a separate set of credentials, then you are set up with non-delegated access.

Please keep this in mind when following our setup instructions below.

Step 2: Create an Azure Active Directory Application

Liongard requires a single Azure Active Directory Application that has multi-tenant capabilities and has been provided admin consent.

  • Log in to your Azure account (e.g. portal.azure.com)
  • On the lefthand navigation menu, select Azure Active Directory
  • In the slide out panel, select App registrations
  • Select the New Registration button
  • Enter the name for your application in the form: Liongard Microsoft 365 Inspector
  • Under Supported account types select Accounts in any organizational directory
  • Under Redirect URI (optional) select Web and enter https://liongard.com
  • Click the Register button at the bottom of the page
  • In the slide-out panel that appears, select Certificates and secrets
  • Under Client secrets select the New client secret button
    • In the top panel that appears, fill in the Description and select an expiration date. Microsoft recommends 6 months, but your Inspectors will fail as soon as the secret expires, so Liongard suggests 24 months to reduce how often you must regenerate it. Whatever lifetime you choose, record the expiry date and rotate the secret before it lapses: a longer-lived secret is also valid for longer if it leaks.
  • Click the Add button

A row will appear in the Secrets table. Make sure to copy the Secret Value. It will not be available once you navigate away from this page.

🚧

Secret Storage

This Secret value is sensitive. Together with the Application (client) ID, it authenticates as the application itself and exercises the Application permissions below in every tenant that has consented to the application, which for a delegated partner means all of your customers' Microsoft 365 tenants.

If you choose to store this value after completing these steps, store it as securely as you would other highly sensitive data.

  • In the slide-out panel that appears, select API permissions
  • Under API permissions, click the Add a permission button
    • Click on Microsoft Graph under Select an API

❗️

Application Permissions vs. Delegated Permissions

It is important that you select all the permissions below from the "Application Permissions" section and not the "Delegated Permissions" section. The Inspector authenticates as the application itself (client ID, tenant ID and client secret) with no signed-in user, and only Application permissions apply to that token; permissions chosen from the "Delegated" section will not be honoured and the Inspector will fail.

  • On the next screen, click on Application Permissions.
  • Select the permissions for the Inspectors you intend to deploy based on the table below:

Permissions

Y = required by that Inspector, N = not required. The Full Suite column is the union of the others: select it only if you intend to deploy every Inspector; otherwise select just the permissions marked Y for the Inspectors you deploy.

Permission                               Full  AAD  M365  SP  Teams  OneDrive
AccessReview.Read.All                    Y     Y    Y     N   N      N
AuditLog.Read.All                        Y     Y    Y     N   N      N
Channel.ReadBasic.All                    Y     N    N     N   Y      N
ChannelMember.Read.All                   Y     N    N     N   Y      N
ChannelSettings.Read.All                 Y     N    N     N   Y      N
Contacts.Read                            Y     Y    Y     N   N      N
Device.Read.All                          Y     Y    N     N   N      N
DeviceManagementApps.Read.All            Y     Y    N     N   N      N
DeviceManagementConfiguration.Read.All   Y     Y    N     N   N      N
DeviceManagementManagedDevices.Read.All  Y     Y    N     N   N      N
DeviceManagementRBAC.Read.All            Y     Y    N     N   N      N
DeviceManagementServiceConfig.Read.All   Y     Y    N     N   N      N
Directory.Read.All                       Y     Y    Y     Y   Y      Y
EduAdministration.Read.All               Y     Y    Y     N   N      N
Files.Read.All                           Y     N    N     Y   N      Y
Group.Read.All                           Y     Y    Y     Y   Y      Y
IdentityProvider.Read.All                Y     Y    N     N   N      N
IdentityRiskEvent.Read.All               Y     Y    Y     N   N      N
IdentityRiskyUser.Read.All               Y     Y    Y     N   N      N
InformationProtectionPolicy.Read.All     Y     Y    N     N   N      N
MailboxSettings.Read                     Y     Y    Y     N   N      N
Member.Read.Hidden                       Y     Y    Y     N   N      N
Organization.Read.All                    Y     N    N     Y   N      N
Policy.Read.All                          Y     Y    N     N   N      N
PrivilegedAccess.Read.AzureAD            Y     Y    N     N   N      N
PrivilegedAccess.Read.AzureADGroup       Y     Y    N     N   N      N
ProgramControl.Read.All                  Y     Y    Y     N   N      N
Reports.Read.All                         Y     Y    Y     N   N      N
RoleManagement.Read.Directory            Y     Y    N     N   N      N
SecurityEvents.Read.All                  Y     Y    Y     N   N      N
Sites.Read.All                           Y     Y    Y     Y   N      Y
TeamMember.Read.All                      Y     N    N     N   Y      N
TeamsAppInstallation.ReadForTeam.All     Y     N    N     N   Y      N
TeamsAppInstallation.ReadForUser.All     Y     N    N     N   Y      N
TeamsApp.Read.All                        Y     N    N     N   Y      N
TeamSettings.Read.All                    Y     N    N     N   Y      N
TeamsTab.Read.All                        Y     N    N     N   Y      N
User.Read.All                            Y     Y    Y     Y   Y      Y

(Full = Full Suite, AAD = Azure AD, SP = SharePoint.)

  • Click on the Add permissions button at the bottom of the screen.

  • Next under the Grant consent section click on the Grant admin consent for ____ button.

  • Click Accept when prompted about accepting permissions for your organization
  • If Grant Consent worked, the Status column for each permission shows a green check mark reading "Granted for [your tenant]"
  • In the slide-out panel that appears, select Overview
  • Copy down your Application (client) ID and your Directory (tenant) ID.

📘

Setting Up Liongard Inspectors

You will need the Application ID and Secret plus the Tenant ID in order to set up your Liongard Inspectors now and any in the future. We recommend securely documenting those values.
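The three properties Step 2 depends on (multi-tenant sign-in audience, Application rather than Delegated permissions, and granted admin consent) plus the client secret's remaining lifetime can all be read back from the partner tenant. The following PowerShell script is an added example and not Liongard's code; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed, that the account you sign in with can read application registrations in your tenant, and that the script file name used in the usage line is hypothetical.

```powershell
# Added example, not Liongard's code. Audits the Liongard app registration in
# your partner tenant with the Microsoft Graph PowerShell SDK (assumed installed):
#   1. Supported account types is multi-tenant (signInAudience)
#   2. every Microsoft Graph permission is an Application permission ("Role"),
#      not a Delegated one ("Scope")
#   3. admin consent has been granted for each Application permission
#   4. no client secret is expired or about to expire
# $AppId is the Application (client) ID from the registration's Overview page.
param(
    [Parameter(Mandatory)][string] $AppId,
    [int] $WarnDays = 30   # assumption: warn when a secret expires within 30 days
)

# Well-known application ID of the Microsoft Graph resource (a Microsoft constant)
$GraphAppId = '00000003-0000-0000-c000-000000000000'

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration with appId $AppId in this tenant" }

# 1. Multi-tenant check ("Accounts in any organizational directory")
if ($app.SignInAudience -ne 'AzureADMultipleOrgs') {
    Write-Warning "Supported account types is '$($app.SignInAudience)'; expected 'AzureADMultipleOrgs'"
}

# Resolve permission GUIDs to names using the Graph service principal's catalogue
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$roleName  = @{}; $graphSp.AppRoles               | ForEach-Object { $roleName[$_.Id]  = $_.Value }
$scopeName = @{}; $graphSp.Oauth2PermissionScopes | ForEach-Object { $scopeName[$_.Id] = $_.Value }

# Admin consent materialises as appRoleAssignments on YOUR app's service principal
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$consented = @{}
if ($sp) {
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { $consented[$_.AppRoleId] = $true }
} else {
    Write-Warning "No service principal for $AppId: admin consent has never been granted in this tenant"
}

# 2 + 3. Walk the Microsoft Graph permissions configured on the registration
$graphAccess = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $GraphAppId }
foreach ($perm in $graphAccess.ResourceAccess) {
    if ($perm.Type -eq 'Scope') {
        Write-Warning "$($scopeName[$perm.Id]) is a DELEGATED permission; replace it with the Application permission of the same name"
    } elseif ($consented.ContainsKey($perm.Id)) {
        Write-Host "OK        $($roleName[$perm.Id])"
    } else {
        Write-Warning "$($roleName[$perm.Id]) is configured but admin consent has not been granted"
    }
}

# 4. Secret lifetime: an expired secret fails every Inspector that uses it
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime - (Get-Date).ToUniversalTime()).TotalDays
    if ($daysLeft -lt 0) {
        Write-Warning "Secret '$($cred.DisplayName)' EXPIRED $(-$daysLeft) days ago"
    } elseif ($daysLeft -lt $WarnDays) {
        Write-Warning "Secret '$($cred.DisplayName)' expires in $daysLeft days; rotate it and update the Parent Inspector"
    } else {
        Write-Host "OK        secret '$($cred.DisplayName)' valid for $daysLeft more days"
    }
}
```

Run it as `.\Test-LiongardAppRegistration.ps1 -AppId <Application (client) ID>` after granting consent. Permissions of type Scope are the "Delegated" mistake the callout above warns about; a configured Role with no matching appRoleAssignment means the Grant admin consent button was not clicked (or consent was later revoked).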

Step 3: Pre-Consent all of your Delegated Tenants to the Azure Active Directory Application.

❗️

Delegated vs. Non-Delegated

If you do not have Delegated Access this step can be omitted.

To pre-consent the Application permissions for all of your customers with the permissions configured above, please use the scripts below.

These scripts can be run either from a PowerShell window on a local Windows Server with Azure AD Connect installed, or from Azure Cloud Shell (PowerShell).

Running these scripts once also covers future customers: consent is inherited by every tenant added to your partner relationship, so the commands do not need to be rerun.

Windows Server with Azure AD Connect

When running the script on a Windows server with AD Connect, the PowerShell terminal running the script will need to be run as an administrator for the installation of any missing modules.

# Run this full script as-is in PowerShell. It will prompt for input as needed.

# Checks whether the AzureAD module is installed; if not, offers to install it
# (answer [A] "Yes to All" at the repository trust prompt).
$moduleCheck = Get-Module -ListAvailable | Where-Object { $_.Name -eq 'AzureAD' }
Try {
    If (!$moduleCheck) {
        Write-Warning "The AzureAD module is not installed, prompting to install..."
        $resp = Read-Host "If you would like to install the AzureAD module, please type 'install'"
        if (($resp -ne "install") -And ($resp -ne "'install'")) {
            Write-Host "Input other than 'install' confirmation. Exiting..."
            return
        }

        Install-Module AzureAD -Confirm:$False -ErrorAction Stop
    } Else {
        Write-Output "Verified AzureAD module is installed"
    }
} Catch {
    Write-Warning "There was an issue installing the AzureAD module, please retry and/or reach out to Liongard if you need further assistance!"
    return   # nothing below can succeed without the module
}

# Asks for the Application (client) ID copied from the app registration's Overview page
$appId = Read-Host "Please enter the Azure Application/Client ID you created for Liongard"

# Instructs .NET to use TLS 1.2 at minimum (older Windows Server defaults are rejected by Microsoft endpoints)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Signs in to Azure AD; use the delegated admin credentials of your partner tenant
Connect-AzureAD

# Looks for the partner tenant's "AdminAgents" group (only present in CSP/partner tenants)
$group = Get-AzureADGroup -Filter "displayName eq 'AdminAgents'"
if (-not $group) { Write-Warning "AdminAgents group not found; this tenant does not appear to be a partner tenant with delegated access"; return }

# Finds the Service Principal for the Liongard application by the Application ID entered above
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { Write-Warning "No service principal found for Application ID '$appId'; check the ID and that admin consent was granted"; return }

# Adds the Liongard Application Service Principal to the AdminAgents group
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $sp.ObjectId

  1. Enter 'install' at the prompt to install the AzureAD module. This prompt appears only if the module is not installed.
  2. Type "A" to accept the installation prompt for the module.
  3. Enter the Application (client) ID of the Azure AD application you created for Liongard and press Enter.
  4. Next, you will be prompted for your Microsoft login. Proceed through the pop-up and enter your delegated admin credentials.
  5. Once the script completes, you should see your information displayed with no errors and be returned to the prompt.

Azure Cloud Shell through PowerShell

Since Azure Cloud Shell includes the Azure AD module, there is no need to prompt for its installation, so this method uses a shorter script than the one above.

# Asks for the Application (client) ID copied from the app registration's Overview page
$appId = Read-Host "Please enter the Azure Application/Client ID you created for Liongard"

# Signs in to Azure AD (device-code flow in Cloud Shell); use your delegated admin account
Connect-AzureAD

# Looks for the partner tenant's "AdminAgents" group (only present in CSP/partner tenants)
$group = Get-AzureADGroup -Filter "displayName eq 'AdminAgents'"
if (-not $group) { Write-Warning "AdminAgents group not found; this tenant does not appear to be a partner tenant with delegated access"; return }

# Finds the Service Principal for the Liongard application by the Application ID entered above
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { Write-Warning "No service principal found for Application ID '$appId'; check the ID and that admin consent was granted"; return }

# Adds the Liongard Application Service Principal to the AdminAgents group
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $sp.ObjectId

  1. Copy and paste the script into the prompt.
  2. Enter the Application (client) ID of the Azure AD application you created for Liongard.
  3. Navigate to the returned link and enter the provided code. Click Next.
  4. Select or log in with your delegated admin account.
  5. Return to Cloud Shell after authentication and press Enter once more to process the last command.
  6. Once the script completes, you should see your information displayed with no errors and be returned to the prompt.

📘

Clarification for Pre-Consent Script

This script adds the Service Principal of the application you created to the AdminAgents group in your partner tenant's Azure Active Directory. Membership in that group grants the set of API permissions configured on your application to every customer tenant tied to your delegated partner tenant, including customers added later. Because all delegated customers inherit it, keep the application's permission list to what the Inspectors you actually deploy need.

For more information, see Microsoft's article on this subject
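The pre-consent step above, rewritten for the Microsoft Graph PowerShell SDK, which Microsoft has designated as the replacement for the deprecated AzureAD module. This is an added example, not Liongard's script; it assumes the Microsoft.Graph module is (or can be) installed for the current user and that you sign in with an administrator account of the partner tenant that may add members to the AdminAgents group. The script file name is hypothetical.

```powershell
# Added example, not Liongard's code: add the Liongard app's service principal
# to the partner tenant's AdminAgents group using Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module and an admin account of the partner tenant.
param([Parameter(Mandatory)][string] $AppId)   # Application (client) ID of the Liongard registration

# Install for the current user only: no elevated PowerShell session is needed
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Groups)) {
    Install-Module Microsoft.Graph -Scope CurrentUser -Force
}

# Group.ReadWrite.All to change membership, Application.Read.All to look up the service principal
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.Read.All' -NoWelcome

$group = Get-MgGroup -Filter "displayName eq 'AdminAgents'"
if (-not $group) {
    throw "AdminAgents group not found: this tenant is not a partner tenant with delegated administration"
}
if (@($group).Count -gt 1) {
    throw "More than one group is named AdminAgents; resolve the right one by object ID before continuing"
}

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    throw "No service principal for $AppId in this tenant; check the Application (client) ID"
}

# Idempotent: re-running after a successful run must not error
$already = Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $sp.Id }
if ($already) {
    "Service principal '$($sp.DisplayName)' is already a member of AdminAgents; nothing to do"
    return
}

New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $sp.Id
"Added '$($sp.DisplayName)' ($($sp.Id)) to AdminAgents; current and future delegated customer tenants now inherit its consent"
```

Run it as `.\Add-LiongardToAdminAgents.ps1 -AppId <Application (client) ID>`. Unlike the AzureAD version, the membership check makes the script safe to rerun, and the explicit failures tell you whether the problem is the tenant (no AdminAgents group) or the application ID (no service principal) rather than surfacing as a generic error from the add call.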

Liongard Inspector Setup

For each system you are deploying, you must first set up a Parent Inspector and then activate the Child Inspectors. Repeat these steps for each system for which you wish to deploy Inspectors.

Step 1: Parent Inspector Setup

Since Microsoft Cloud Services Inspectors are multi-tenant systems, where a single portal is used to manage many Environments, you will set up a single "Parent" Inspector with the Azure Application ID, which will then auto-discover "Child" Inspectors for each Environment.

In Liongard, navigate to Admin > Inspectors > Navigate to the Appropriate Microsoft Inspector > Add System.

Fill in the following information:

  • Type of Inspector: Parent
  • Environment: Select your MSP's Environment
  • Friendly Name: Suggested Naming: [MSP Name] [Inspector Name] Parent
  • Agent: Select On-Demand Agent
  • Inspector Version: Latest
  • Azure Application (Client) ID: Paste in the Azure Application ID copied in Step 2 of Inspector Setup Preparation
  • Azure Directory (Tenant) ID: Paste in the Azure Tenant ID copied in Step 2 of Inspector Setup Preparation
  • Azure Application (Client) Secret Value: Paste in the Azure Application Secret Value copied in Step 2 of Inspector Setup Preparation
  • Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule

Select Save. The Inspector will now be triggered to run within the minute.

Step 2: Child Inspector Setup

After the first run of the Parent Inspector, your client Microsoft Cloud Services organizations will be auto-discovered in the Discovered Systems tab on the Inspectors > Appropriate Microsoft Inspector page.

Navigate to the Discovered Systems tab in your Inspectors > Appropriate Microsoft Inspector page

  • Ensure each Discovered System is mapped to the correct Environment, then check the checkbox to the left of the Inspector(s), open the Actions drop-down menu and select Activate Launchpoints (or Archive for systems you do not want to inspect)

Optional: Turn on Flexible Asset/Configuration Auto-Updating

If you would like these Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for these Inspectors:

  • ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
  • IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled

❗️

Delegated vs. Non-Delegated

If no Child Inspectors are Auto-Discovered because you do not have delegated access, follow the process below for setting up Child Inspectors for your non-delegated customers.

Set up Child Inspectors for your Non-Delegated Customers

❗️

Delegated vs. Non-Delegated

If you have delegated access to all of your customers, this step can be omitted.

You will need to create Child Inspectors in Liongard for all of your non-delegated customers.
In Liongard, navigate to Admin > Inspectors > Appropriate Microsoft Inspector > Add System:

  • Type of Inspector: Child
  • Parent: Select the Parent you created in Step 1.
  • Environment: Select the Environment name
  • Friendly Name: Suggested Naming: [Inspector Name] [Environment Name]
  • Agent: On-Demand Agent
  • Inspector Version: Latest
  • Azure Tenant ID: Paste in this customer's Azure Tenant ID
    • For more information on how to obtain your customer's Azure Tenant ID, click here

Select Save. The Child Inspector will be triggered to run within the minute and will run once a day from that point forward.

Repeat this process for all of your Non-Delegated customers.

Consent your Failed Child Inspectors to the Azure Active Directory Application

You will see that the Child Inspectors you previously created failed. This is expected.

In their Status Details, you will find a link. Select the link for each of your failed Child Inspectors to consent that Microsoft 365 tenant to the Azure Application you created in Step 2 of Inspector Setup Preparation. This is an admin consent prompt, so sign in with an administrator account of that customer's tenant.

Re-Run your Failed Child Inspectors

Once you have consented each of your Microsoft 365 tenants to the Azure Application you created in Step 2 of Inspector Setup Preparation, you can bulk select your Child Inspectors in your Admin > Inspectors > Appropriate Microsoft Inspector screen > Select the Actions drop down menu > Run Inspectors

Optional: Turn on Flexible Asset/Configuration Auto-Updating

If you would like this Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for this Inspector:

  • ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
  • IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled

❗️

SharePoint Flexible Assets/Configuration Auto-Updating

IT Glue Flexible Assets and ConnectWise Configurations are not currently available for the SharePoint inspector.

Troubleshooting

Please check the following if you are receiving an error message:

  • Ensure that the Permissions you've added (e.g. User.Read.All) match the permissions listed in the table above for the Inspector you are deploying.
  • Ensure that each of the API Permissions you've added to your Azure AD application has been added as an Application Permission and NOT a Delegated Permission.

Once you've done so, ensure that admin consent has been granted for your Azure AD directory using the Grant admin consent button on the API Permissions page; each permission's Status column should show a green check.

Finally, make sure that Supported account types is set to Accounts in any organizational directory under the authentication settings for the application you've created.
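A direct way to test all three of the checks above against one customer tenant is to request the same kind of token the Inspector uses and read its "roles" claim: a client-credentials token carries in "roles" exactly the Application permissions that tenant has admin-consented. No token at all points at the sign-in audience, the secret or missing consent; a token with no "roles" means only Delegated permissions were consented. The following PowerShell script is an added example, not Liongard's code; it assumes $TenantId is the customer's Directory (tenant) ID, $AppId and $ClientSecret are the registration's values, and $Required is the column of the permissions table for the Inspector being deployed (a hypothetical input you supply). The script and file names are hypothetical.

```powershell
# Added example, not Liongard's code. Requests a client-credentials token for
# the Liongard app from ONE customer tenant and reads the token's "roles" claim,
# which lists exactly the Application permissions that tenant has admin-consented.
# Assumptions: $TenantId is the customer's Directory (tenant) ID, $AppId and
# $ClientSecret are the registration's values, and $Required is the column of the
# permissions table for the Inspector being deployed (hypothetical input).
param(
    [Parameter(Mandatory)][string]       $TenantId,
    [Parameter(Mandatory)][string]       $AppId,
    [Parameter(Mandatory)][securestring] $ClientSecret,
    [string[]] $Required = @()
)

# Unwrap the secret only for the duration of the request
$plainSecret = [Net.NetworkCredential]::new('', $ClientSecret).Password

$body = @{
    grant_type    = 'client_credentials'
    client_id     = $AppId
    client_secret = $plainSecret
    scope         = 'https://graph.microsoft.com/.default'   # .default = all consented Application permissions
}
try {
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
} catch {
    # The JSON error body carries an AADSTS code, e.g. AADSTS700016 (app not
    # consented in this tenant / not multi-tenant) or AADSTS7000215 (bad secret)
    throw "Token request to tenant $TenantId failed: $($_.ErrorDetails.Message)"
}

# Decode the JWT payload (second segment, base64url). No signature check is needed
# here: the token came straight from the issuer over TLS and is only inspected.
$b64 = $resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$b64 += '=' * ((4 - ($b64.Length % 4)) % 4)
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json

# A token with no "roles" claim means no Application permission is consented
# (consent granted only for Delegated permissions looks exactly like this)
$granted = @($claims.roles | Where-Object { $_ })
if ($granted.Count -eq 0) {
    Write-Warning "Tenant $TenantId issued a token with no 'roles' claim: no Application permissions are consented"
}

[pscustomobject]@{
    TenantId = $claims.tid
    Granted  = $granted
    Missing  = @($Required | Where-Object { $_ -notin $granted })   # must be empty for the Inspector to run
    Extra    = @($granted  | Where-Object { $_ -notin $Required })  # consented but unused by this Inspector
}
```

Run it once per failing tenant, for example `.\Test-TenantConsent.ps1 -TenantId <customer tenant ID> -AppId <Application (client) ID> -ClientSecret (Read-Host -AsSecureString 'Client secret') -Required (Get-Content .\sharepoint-permissions.txt)`, where the text file holds one permission name per line from the table above. Missing must be empty; Extra is informational and, for a delegated partner that pre-consented the full suite, will simply list the permissions the other Inspectors use.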

If you're still running into issues after running through those steps, please reach out to Liongard Support.

