Microsoft Office

Microsoft 365 is a web-based version of Microsoft's Office suite of productivity applications (Word, Excel, PowerPoint, and others).

Pricing

Pricing is based on the number of users and features.

Integration Information

Data Collected

  • Members: email, name, role (license / products used), last seen
  • Usage:
    • number of used and purchased licenses for different products.

Connection details

  • Status: General Availability
  • Type: api
  • Permissions required:
    * User with access to Azure Active Directory and the ability to grant the required permissions:
      - Delegated: Reports.Read.All, User.Read.All, SecurityEvents.Read.All
      - Application: Reports.Read.All, User.Read.All, SecurityEvents.Read.All
    * Anonymization turned off - optional.

Instructions for connecting with client secret

Register new application

  1. Sign in to the Azure portal (https://portal.azure.com/) with an Azure administrator account that is also a member of the Global Administrator directory role in your Azure AD tenant.
  2. On the left navigation pane, click Azure Active Directory.
  3. In the Azure Active Directory page, click App registrations.
  4. On the App registrations page, in the toolbar on the top, click New registration.
  5. On the Register an application page, perform the following steps:
    a. In the Name textbox, type LeanIX SMP.
    b. Under Supported account types select Accounts in this organizational directory only.
    c. In the Redirect URI section select Web, and enter https://si-oauth.leanix.net/oauth_cb/msoffice365 in the textbox.
    d. Click Register at the bottom of the screen.

Grant permissions

  1. After the LeanIX SMP application is registered, you will be redirected to the overview section of the created application.
  2. Next, click on API permissions to define a list of permissions for the application.
  3. On the API permissions page, click the Add a permission button.
  4. A new configuration pane, Request API permissions, will display on the right. Select the Microsoft Graph API there.
  5. In the next step you will have to define which type of permissions the LeanIX SMP application requires.
  6. Select the Delegated permissions option, and in the search text field type: reports. In the Reports section check permission Reports.Read.All
  7. Similarly add permissions User.Read.All and SecurityEvents.Read.All (optional).
    a. The User.Read.All permission is needed to obtain information about the licences assigned to each user.
    b. The SecurityEvents.Read.All permission is needed to obtain information about the company's overall security performance over time.
  8. Next, select the Application permissions option, search for reports, and in the Reports section check permission Reports.Read.All
  9. Similarly add permissions User.Read.All and SecurityEvents.Read.All (optional)
  10. Click on the Add permissions button at the bottom to assign permission to the LeanIX SMP application.
  11. Click on the Grant admin consent button to enable configured permissions for the application.
  12. Next, click Yes to grant consent for the requested permissions.
  13. The permission status indicator in the API permissions page will change to approved.

Gather configuration settings

  1. Return to the application overview section and note the following identifiers. You need these values when granting LeanIX SMP access to your Microsoft Office 365:
    • Directory ID (also named Tenant ID)
    • Client ID (also named Application ID)
  2. Next, navigate to Certificates & secrets to generate a client secret, also referred to as the application password. Click on the New client secret button to create a new password.
  3. Select the expiration length of the password. Once the created client secret reaches its expiration date, you will have to create a new one and reconnect the service in LeanIX SMP. The description field is optional. Important note: Make a note of the client secret as soon as it is revealed. It will be masked when you navigate away from the Certificates & secrets panel.

Configure Microsoft Office 365 Integration in LeanIX SMP

  1. Log in to LeanIX SMP. Click on Add a service > Microsoft Office 365, click Add, and then click the Settings link (https://us-si.leanix.net/#/service/MicrosoftOffice365/settings/ or https://eu-si.leanix.net/#/service/MicrosoftOffice365/settings/).
  2. Click on the Integrate button and fill out the form with the appropriate credentials:
  3. Enter Directory ID, Client ID and Client Secret.

Disable reporting anonymization of users

  1. Log in to the Microsoft 365 admin center at https://admin.microsoft.com
  2. Navigate to Settings > Org settings > Reports
  3. Make sure that the following option is unchecked: In all reports, display de-identified names for users, groups, and sites

Instructions for connecting with certificate

Register new application

  1. Sign in to the Azure portal (https://portal.azure.com/) with an Azure administrator account that is also a member of the Global Administrator directory role in your Azure AD tenant.
  2. On the left navigation pane, click Azure Active Directory.
  3. In the Azure Active Directory page, click App registrations.
  4. On the App registrations page, in the toolbar on the top, click New registration.
  5. On the Register an application page, perform the following steps:
    a. In the Name textbox, type LeanIX SMP.
    b. Under Supported account types select Accounts in this organizational directory only.
    c. Click Register at the bottom of the screen.

Grant permissions

  1. After the LeanIX SMP application is registered, you will be redirected to the overview section of the created application.
  2. Next, click on API permissions to define a list of permissions for the application.
  3. On the API permissions page, click the Add a permission button.
  4. A new configuration pane, Request API permissions, will display on the right. Select the Microsoft Graph API there.
  5. In the next step you will have to define which type of permissions the LeanIX SMP application requires. Please select Application permissions
  6. Select the Delegated permissions option, and in the search text field type: reports. In the Reports section check permission Reports.Read.All
  7. Next, select the Application permissions option, search for reports, and in the Reports section check permission Reports.Read.All
  8. Click on the Add permissions button at the bottom to assign permission to the LeanIX SMP application.
  9. Click on the Grant admin consent button to enable configured permissions for the application.
  10. Next, click Yes to grant consent for the requested permissions.
  11. The permission status indicator in the API permissions page will change to approved.

Gather configuration settings

  1. Return to the application overview section and note the following identifiers. You need these values when granting LeanIX SMP access to your Microsoft Office 365:
    • Directory ID (also named Tenant ID)
    • Client ID (also named Application ID)
  2. Next, navigate to Certificates & secrets to set up the certificate for authorization. Click on Upload certificate to select and upload the certificate (also referred to as the public key) you received from LeanIX SMP. If you don't have a certificate, please contact [email protected]

Configure Microsoft Office 365 Integration in LeanIX SMP

  1. Log in to LeanIX SMP. Click on Add a service > Microsoft Office 365, click Add, and then click the Settings link (https://us-si.leanix.net/#/service/MicrosoftOffice365/settings/ or https://eu-si.leanix.net/#/service/MicrosoftOffice365/settings/).
  2. Click on the Integrate button and fill out the form with the appropriate credentials:
  3. Enter Directory ID, Client ID and the content of your certificate.

Disable reporting anonymization of users

  1. Log in to the Microsoft 365 admin center at https://admin.microsoft.com
  2. Navigate to Settings > Org settings > Reports
  3. Make sure that the following option is unchecked: In all reports, display de-identified names for users, groups, and sites

Frequently asked questions

  1. Why does Microsoft user data appear as random characters?
    Data anonymization has not been turned off, which is the last step in the instructions. You can turn it off by going to Admin > Settings > Org settings > Reports and unchecking the following option: In all reports, display de-identified names for users, groups, and sites.
