Liongard Roar

Roar Users Guide & Documentation


Office 365 v2.0

This document provides the steps required to create an Azure AD application which can then be used by Roar to inspect your Office 365 accounts.

Quick Details

Typically Runs From: Managed Linux Cloud Agent
Is Auto-Discovered By: n/a
Can Auto-Discover: Office 365 CSP Child Inspectors

Setup Overview

Why a new Office 365 inspector?

If you're upgrading from our old Office 365 inspector, check out these other resources as well:

If you are just getting started setting up your Office 365 inspectors, then follow the instructions below. The basic process is:

  1. Set up the Azure Application that the Roar inspector will use. You will do this in the tenant that you use for your Microsoft CSP if you have one, or under your MSP's own Office 365 tenant if not.
  2. If you are a Microsoft CSP, you will authorize that application to read from all of your customers' tenants using the steps below and by setting up a "parent inspector" that will auto-discover all of your associated CSP tenants as "child inspectors" and be implicitly allowed to read data from those tenants.
  3. If you are not a Microsoft CSP, or if only part of your customer base is tied to your CSP account, then you will set up individual Roar Office 365 inspectors for those tenants. You will use the same Application ID and Application Secret that you generated when you set up the Azure Application in step (1), but you will use the individual Tenant ID of the tenants you are targeting for inspection. You will need to authorize the Azure Application for each tenant by clicking a link that will appear in the Inspector's Status Details column on the Office 365 inspector admin page in Roar.

If you are migrating from v1.0 of Roar's Office 365 inspector, we largely automate that migration process - see the documentation for the migration process!

Setup Process

Create an Azure AD Application for the Roar Inspector

Only One Azure Application in Active Directory Applications

Regardless of whether you have a CSP account or not, you only need to create one application in your company's Microsoft account.

That single application will be registered with Microsoft and be able to inspect other O365 tenants once the correct permissions have been granted to it.

Roar requires a single Azure AD application which has multi-tenant capabilities and has been provided admin consent.

  • Log in to your Azure account (e.g., portal.azure.com).
  • On the left-hand navigation menu, select Azure Active Directory.
  • In the slide-out panel, select App registrations (preview).
  • Select the New Registration button.
  • Enter the name for your application in the form: Roar Office 365 Inspector.
  • Under Supported account types select Accounts in any organizational directory.
  • Under Redirect URI (optional) select Web and enter https://liongard.com.
  • Click the Register button at the bottom of the page.
  • In the slide-out panel that appears select Certificates and secrets.
  • Under Client secrets select the New client secret button.
  • In the top panel that appears, fill in the Description and set the value for Expires to Never.
  • Click the Add button.
  • A row will appear in the Secrets table - make sure to copy the secret. It will not be available once you navigate away from this page.

Secret Storage

This Secret value is sensitive and can facilitate access into your customers' Office 365 instances. If you choose to store this value after completing these steps, store it securely as you would a highly credentialed password.

  • In the slide-out panel that appears, select API permissions.
  • Under API permissions, click the Add a permission button.
  • Click on Microsoft Graph under Select an API.

Application Permissions vs. Delegated Permissions

It is important that you select all the permissions below from the "Application Permissions" section and not the "Delegated Permissions" section. Choosing permissions from the "Delegated" section may prevent the inspector from working correctly.

  • On the next screen, click on Application permissions.
  • Select the following permissions:
    • AccessReview.Read.All
    • AuditLog.Read.All
    • Contacts.Read
    • Directory.Read.All
    • EduAdministration.Read.All
    • Group.Read.All
    • IdentityRiskEvent.Read.All
    • IdentityRiskyUser.Read.All
    • MailboxSettings.Read
    • Member.Read.Hidden
    • ProgramControl.Read.All
    • Reports.Read.All
    • SecurityEvents.Read.All
    • Sites.Read.All
    • User.Read.All
  • Click on the Add permissions button at the bottom of the screen.
  • Next, under the Grant consent section, click on the Grant admin consent for ___ button.
  • In the slide-out panel that appears, select Overview.
  • Copy down your Application (client) ID and your Directory (tenant) ID. You will need these to set up the new inspector(s) in Roar and may need them in the future to set up new tenants, so we recommend securely documenting these values.

You will need the Application ID and Secret, plus the Tenant ID, in order to set up your Roar inspectors now and potentially in the future. We recommend securely documenting those values.
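
As an added check (example code written for this page, not Liongard's own), the following PowerShell compares the Microsoft Graph permissions configured on the app registration against the list above and reports any that are missing, were added as delegated instead of application permissions, or go beyond the list. The function names are hypothetical, the sample input is constructed, and the live lookup assumes the AzureAD module and an existing Connect-AzureAD session.

```powershell
# Added example. Expected application permissions, copied from the list in this guide.
$Expected = @(
    'AccessReview.Read.All', 'AuditLog.Read.All', 'Contacts.Read', 'Directory.Read.All',
    'EduAdministration.Read.All', 'Group.Read.All', 'IdentityRiskEvent.Read.All',
    'IdentityRiskyUser.Read.All', 'MailboxSettings.Read', 'Member.Read.Hidden',
    'ProgramControl.Read.All', 'Reports.Read.All', 'SecurityEvents.Read.All',
    'Sites.Read.All', 'User.Read.All'
)

# Hypothetical helper: reads the Graph permissions configured on the app registration
# (what the app requests, not the consent state). Requires a Connect-AzureAD session.
function Get-ConfiguredGraphPermission {
    param([Parameter(Mandatory)] [string] $AppId)
    $graphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph's well-known appId
    $graphSp = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"
    $app     = Get-AzureADApplication -Filter "appId eq '$AppId'"
    $access  = $app.RequiredResourceAccess | Where-Object ResourceAppId -eq $graphAppId
    foreach ($ra in $access.ResourceAccess) {
        # Type 'Role' = application permission, 'Scope' = delegated permission
        if ($ra.Type -eq 'Role') { $def = $graphSp.AppRoles | Where-Object Id -eq $ra.Id }
        else { $def = $graphSp.Oauth2Permissions | Where-Object Id -eq $ra.Id }
        [pscustomobject]@{ Name = $def.Value; Type = $ra.Type }
    }
}

# Hypothetical helper: compares configured permissions with the expected list.
function Compare-GraphPermission {
    param(
        [Parameter(Mandatory)] [object[]] $Configured,   # objects with Name and Type
        [string[]] $ExpectedNames = $Expected
    )
    $appPerms = @($Configured | Where-Object Type -eq 'Role' | ForEach-Object Name)
    [pscustomobject]@{
        Missing    = @($ExpectedNames | Where-Object { $_ -notin $appPerms })
        Delegated  = @($Configured | Where-Object Type -eq 'Scope' | ForEach-Object Name)
        Unexpected = @($appPerms | Where-Object { $_ -notin $ExpectedNames })
    }
}

# Constructed sample input so the comparison can be tried offline.
$sample = @(
    [pscustomobject]@{ Name = 'User.Read.All';           Type = 'Role'  }
    [pscustomobject]@{ Name = 'Directory.Read.All';      Type = 'Scope' }   # delegated by mistake
    [pscustomobject]@{ Name = 'Directory.ReadWrite.All'; Type = 'Role'  }   # beyond the guide's list
)
Compare-GraphPermission -Configured $sample | Format-List

# Live use: Compare-GraphPermission -Configured (Get-ConfiguredGraphPermission -AppId '<Application (client) ID>')
```

An empty Missing, Delegated and Unexpected result means the registration requests exactly the application permissions this guide lists.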

Pre-Consent for All CSP Customers

CSP Account

If you are not using a CSP account, then you should skip this section.

Completing the following steps in your Microsoft CSP account (i.e., the tenant to which your customers are contractually tied) should grant the Roar inspector access to all associated tenants now and automatically in the future when new tenants are added.

To pre-consent the application permissions for all of your customers with the permissions configured above and enable permissions for all child inspectors, please use the script below.

When the line "Connect-AzureAd" runs, it will prompt for your Microsoft Credentials. Please log in as an admin for your CSP account. After logging in, the script will be able to authorize the application for your customers.

This will also automatically allow consent for all future customers without needing to re-run these commands.

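# Run this full script as-is in PowerShell. It will prompt for input as needed.
# Check whether the AzureAD module is available; offer to install it if not.
$moduleCheck = Get-Module -ListAvailable | Where-Object { $_.Name -eq 'AzureAD' }
Try {
   If (!$moduleCheck) {
       Write-Warning "The AzureAD module is not installed, prompting to install..."
       $resp = Read-Host "If you would like to install AzureAD module, please type 'install'"
       if (($resp -ne "install") -And ($resp -ne "'install'")) {
        Write-Host "Input other than 'install' confirmation. Exiting.."
        return
       }
       # -ErrorAction Stop makes an install failure reach the Catch block below.
       Install-Module AzureAD -Confirm:$False -ErrorAction Stop
   } Else {
       Write-Output "Verified AzureAD Module is installed"
   }
} Catch {
   Write-Warning "There was an issue installing the AzureAD module, please retry, and/or reach out to Roar if you need further assistance!"
   # Stop here: the commands below need the AzureAD module.
   return
}

$appId = Read-Host "Please paste your Roar Application ID"

# Prompts for Microsoft credentials; log in as an admin for your CSP account.
Connect-AzureAd
# Look up the Adminagents group and the service principal of the Roar application.
$group = Get-AzureADGroup -Filter "displayName eq 'Adminagents'"
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
If (!$group -or !$sp) {
   Write-Warning "Could not find the Adminagents group or a service principal for Application ID '$appId'. No changes were made."
   return
}
# Adding the service principal to the group authorizes the application by group.
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $sp.ObjectId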

Successfully Pre-Consenting Tomorrow's Customers

If the commands above succeed without error and today's child inspectors run correctly, then your future customers do not need to go through any future authorization steps as the app is authorized by group. Future customers will simply need the inspector auto-discovered by Roar to be activated from the Roar interface.

Inspecting Non-CSP Tenants

To inspect Office 365 tenants that are not associated with a CSP account:

  • Create a new inspector via Admin > Inspectors > Office 365 > Add System.
  • Use the same Azure Application ID and Application Secret that you created above. The same ID and Secret can be used for many Office 365 inspectors.
  • Enter the Tenant ID of the tenant that you are inspecting.
  • Save the new inspector, which will show up under the Parent Inspectors section of the Office 365 inspector admin page.
  • Run the new inspector.
  • After that inspector completes, check the Status Details column of that new inspector launchpoint for a URL that you will need to load in order to authorize the Azure Application into that tenant. Follow the authentication workflow that follows to complete the authorization.
  • Re-run the new inspector, which should now land data about that tenant.

Configure the Roar Inspector

Parent Inspector

This will set up an Office 365 parent inspector, which will auto-discover child inspectors for your customers' tenants provided they have a contractual relationship to your parent tenant.

Once you have followed the steps above, you are ready to configure the Office 365 Graph inspector inside of Roar.

  • Navigate to Admin > Inspectors in your Roar instance and click Add System for the Office 365 inspector.
  • Complete the setup form as follows:
    • Environment: The customer Environment to associate with this Office 365 Account
    • Friendly Name: Name of the Office 365 implementation (e.g., "Office 365 - My MSP")
    • Agent: Select the Linux Cloud Agent
    • Tenant ID: The directory ID of your primary account gathered above.
    • Client ID: The ID of the application gathered above.
    • Client Secret: The secret for the application you generated above.
    • Schedule: Leave as defaults in most cases, or customize the frequency and start and end times for the inspector.
    • Inspector Version: Latest
