Where do I find my Microsoft 365 credentials?

These are the credentials you need to use Cloud scanning for Microsoft 365:
  • Application ID
  • Tenant
  • Tenant ID

These credentials are created by registering an application in Microsoft Azure (via Microsoft Entra ID, formerly Azure Active Directory).

Register an Application

  1. Log in to your Azure Account through the Azure portal and navigate to the Entra ID Service.
  2. Click on Entra ID (formerly known as Azure Active Directory) > App registrations.
  3. Click on New Registration.
  4. Enter a name for your app, for example "Holm Security Scanner", in the Name field.
  5. Under Supported account types, select Accounts in this organizational directory only.
  6. Click on Register.
  7. You should now see the following values:
    • Application (client) ID should be added to the Application ID field in the M365 Scan Profile.
  8. Download the Holm certificate here.
  9. Navigate to your newly created application, and in the left panel, click Settings > Certificates >
     Public key certificates (.cer) > Add certificate.
  10. Upload Holm Security's Certificate to the application.

Create the Service Principal

  1. In the search bar at the top of the screen, search for and select Subscriptions.
  2. In the new window, select the subscription you want to modify. If you don't see the subscription you're looking for, select the global subscriptions filter. Make sure the subscription you want is selected for the tenant.
  3. In the left pane, select Access control (IAM).
  4. Click Add, then select Add role assignment.
  5. In the Role tab, select the role you wish to assign to the application in the list, then select Next.
  6. On the Members tab, for Assign access to, select User, group, or service principal.
  7. Click Select members. To find your application, search for it by name.
  8. Click the Select button, then click Review + assign.

Assign API Permissions

  1. Navigate to Entra ID > App registrations > All applications.
  2. Search for the application you want to add permissions to and select it.
  3. In the left panel, scroll to Manage > Add permissions.
  4. The table below lists the minimum permissions and roles required for Holm Cloud Scanner to read configuration data for each supported product:
    Product                  API Permissions                                  Role           API Name                     API APPID
    Entra ID                 Directory.Read.All                               -              Microsoft.Graph              00000003-0000-0000-c000-000000000000
                             Policy.Read.All
                             PrivilegedAccess.Read.AzureADGroup
                             PrivilegedEligibilitySchedule.Read.AzureADGroup
                             RoleManagement.Read.Directory
                             RoleManagementPolicy.Read.AzureADGroup
                             User.Read.All
    Defender for Office 365  -                                                Global Reader  -                            -
    Exchange Online          Exchange.ManageAsApp                             Global Reader  Office 365 Exchange Online¹  00000002-0000-0ff1-ce00-000000000000
    SharePoint Online        Sites.FullControl.All                            -              SharePoint¹                  00000003-0000-0ff1-ce00-000000000000
    Microsoft Teams          -                                                Global Reader  -                            -

Required Permissions
The SharePoint permissions listed above include permissions with "write" privileges. These are the minimum permissions Holm Cloud Scanner requires to read the admin center configurations; needing them is a limitation of the underlying APIs of these services. Holm Security Cloud Scanner itself never uses these write privileges for its assessments.

Grant consent for the added Permissions

  1. In the left panel, scroll to Security > Permissions.
  2. Click Grant admin consent for Contoso to enable it.
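
To confirm after consent that the application holds exactly the minimum permissions from the table and nothing more, the following added example (not Holm Security's code) compares a list of granted permissions against that table. It assumes the granted permissions have already been exported as (API APPID, permission name) pairs; the sample input and the write-access name heuristic are constructed for illustration.

```python
import re

# Minimum application permissions from the table above, keyed by API APPID.
REQUIRED = {
    "00000003-0000-0000-c000-000000000000": {  # Microsoft.Graph (Entra ID)
        "Directory.Read.All", "Policy.Read.All",
        "PrivilegedAccess.Read.AzureADGroup",
        "PrivilegedEligibilitySchedule.Read.AzureADGroup",
        "RoleManagement.Read.Directory",
        "RoleManagementPolicy.Read.AzureADGroup", "User.Read.All",
    },
    "00000002-0000-0ff1-ce00-000000000000": {"Exchange.ManageAsApp"},   # Exchange Online
    "00000003-0000-0ff1-ce00-000000000000": {"Sites.FullControl.All"},  # SharePoint Online
}

# Assumption: name segments that signal more than read access (heuristic).
WRITE_HINT = re.compile(r"\.(ReadWrite|Write|FullControl)(\.|$)")

def audit(granted):
    """Compare (api_appid, permission_name) pairs with REQUIRED.

    Returns permissions that are missing, granted beyond the minimum,
    and write-capable by name. Directory roles are not checked here.
    """
    seen = {}
    for appid, name in granted:
        seen.setdefault(appid.strip().lower(), set()).add(name.strip())
    missing = [(a, n) for a, names in REQUIRED.items()
               for n in sorted(names - seen.get(a, set()))]
    unexpected = [(a, n) for a, names in seen.items()
                  for n in sorted(names - REQUIRED.get(a, set()))]
    write_capable = sorted((a, n) for a, names in seen.items()
                           for n in names if WRITE_HINT.search(n))
    return {"missing": missing, "unexpected": unexpected,
            "write_capable": write_capable}

# Constructed sample export: User.Read.All was never granted and
# Mail.ReadWrite was added to Microsoft.Graph by mistake.
GRAPH = "00000003-0000-0000-c000-000000000000"
SAMPLE = [(a, n) for a, names in REQUIRED.items() for n in names
          if n != "User.Read.All"] + [(GRAPH, "Mail.ReadWrite")]

if __name__ == "__main__":
    for finding, items in audit(SAMPLE).items():
        for appid, name in items:
            print(f"{finding:14} {appid}  {name}")
```

Sites.FullControl.All is expected to appear under write_capable, as the Required Permissions note explains; any other entry there, or anything under unexpected, is worth removing from the app registration.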

Collect Tenant and Tenant ID

  1. On the Microsoft Entra Overview page, you can find the Microsoft Entra tenant ID and the Primary domain (Tenant) name in the Basic information section.
    1. Tenant ID should be added to the Tenant ID field in the M365 Scan Profile.
    2. Primary Domain should be added to the Tenant field in the M365 Scan Profile.
  2. Done!