Microsoft 365

Visualize Microsoft 365 services, groups, and users, and monitor changes through queries and alerts.

Installation

To use this integration, you must have:

  • An organizational Active Directory tenant to target for ingestion. The integration does not support the use of other tenant types.
  • An account in the tenant you want to target for ingestion that has global administrator access. You will log in with this account to grant the JupiterOne application API permissions that can read data across all users (admin consent).

Configuration in JupiterOne

To install the Microsoft 365 integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Microsoft 365. Click New Instance to begin configuring your integration, providing the following:

  • The Account Name used to identify the Microsoft 365 account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Include Advanced Device Details: when enabled, the integration queries for and includes the device properties physicalMemoryInBytes, iccid, and ethernetMacAddress when they are available. Ingestion duration may increase because of the additional API requests.

Click Create after you have provided all the values.

When prompted, click Begin Authorization.

You are then directed to the Microsoft identity platform where you must log in as a global administrator of the organizational Active Directory tenant you intend to integrate with.

You must select an account belonging to an organizational tenant. When you are already logged into an account, the badge icons indicate the nature of the tenant the account belongs to. Do not select a personal account.

Review the requested permissions (described below) and grant consent. Once you proceed through the authorization, you will have successfully completed the integration setup process.

Granted permissions

  1. DeviceManagementApps.Read.All
    • Read Microsoft Intune apps
    • Needed for creating Application entities
  2. DeviceManagementConfiguration.Read.All
    • Read Microsoft Intune device configuration and policies
    • Needed for creating Configuration and ControlPolicy entities
  3. DeviceManagementManagedDevices.Read.All
    • Read Microsoft Intune devices
    • Needed for creating Device and HostAgent entities
  4. Organization.Read.All
    • Read organization information
    • Needed for creating the Account entity
  5. APIConnectors.Read.All
    • Read API connectors for authentication flows
    • Needed for enriching the Account entity with Intune subscription information
  6. DeviceManagementServiceConfig.Read.All
    • Read Microsoft Intune configuration
    • Also needed for enriching the Account entity with Intune subscription information
  7. Directory.Read.All
    • Read directory data
    • Needed for creating User, Group, and GroupUser entities
  8. AuditLog.Read.All
    • OPTIONAL
    • If provided on a B2C or premium tenant, the integration will include signInActivity in the User entity.
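After consent is granted, it is worth confirming that the service principal in your tenant holds exactly the read-only scopes listed above and nothing broader. The following is an added example (not JupiterOne's own code) that compares a consented scope string against the documented required and optional sets and flags anything missing, anything undocumented, and any write-capable action. It assumes the grant is available as a space-separated scope string, which is the shape of the `scope` field on a Microsoft Graph oauth2PermissionGrant; the sample grants in the block are constructed, not captured from a real tenant.

```python
# Added example: audit the OAuth scopes consented to an integration's service
# principal against the documented expectation. This is not JupiterOne's code.
# It assumes the tenant's grant is available as a space-separated scope string,
# the shape of the `scope` field on a Microsoft Graph oauth2PermissionGrant.

REQUIRED_SCOPES = frozenset({
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "Organization.Read.All",
    "APIConnectors.Read.All",
    "DeviceManagementServiceConfig.Read.All",
    "Directory.Read.All",
})
OPTIONAL_SCOPES = frozenset({"AuditLog.Read.All"})

# Constructed sample grants (not captured from a real tenant).
SAMPLE_EXPECTED = " ".join(sorted(REQUIRED_SCOPES | OPTIONAL_SCOPES))
SAMPLE_MISSING_ONE = " ".join(sorted(REQUIRED_SCOPES - {"Directory.Read.All"}))
SAMPLE_OVERPROVISIONED = SAMPLE_EXPECTED + " Directory.ReadWrite.All User.Read"


def action_of(scope: str) -> str:
    """Return the action segment of a Graph permission name.

    'Directory.Read.All' -> 'Read'; 'Directory.ReadWrite.All' -> 'ReadWrite'.
    Scopes without a dot (e.g. 'openid') have no action segment.
    """
    parts = scope.split(".")
    return parts[1] if len(parts) > 1 else ""


def audit_scopes(scope_string: str) -> dict:
    """Compare a consented scope string with the documented read-only set.

    ok is True only when every required scope is present, nothing beyond the
    documented required/optional scopes has been consented, and no scope
    carries a write-capable action.
    """
    granted = set(scope_string.split())
    missing = sorted(REQUIRED_SCOPES - granted)
    optional_absent = sorted(OPTIONAL_SCOPES - granted)
    unexpected = sorted(granted - REQUIRED_SCOPES - OPTIONAL_SCOPES)
    # Any scope whose action segment can write is a least-privilege violation
    # regardless of how it ended up on the grant.
    write_scopes = sorted(s for s in granted if "Write" in action_of(s))
    return {
        "ok": not missing and not unexpected and not write_scopes,
        "missing": missing,
        "optional_absent": optional_absent,
        "unexpected": unexpected,
        "write_scopes": write_scopes,
    }


if __name__ == "__main__":
    for name, sample in [("expected", SAMPLE_EXPECTED),
                         ("missing one", SAMPLE_MISSING_ONE),
                         ("overprovisioned", SAMPLE_OVERPROVISIONED)]:
        print(name, audit_scopes(sample))
```

Running this against the scope string of the real grant turns the permission list above into a repeatable check: a non-empty `missing` list explains why particular entities are not being created, while a non-empty `unexpected` or `write_scopes` list means the consent drifted past what the integration needs and should be reviewed.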

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.