Skip to content
  • There are no suggestions because the search field is empty.

Where do I find my Microsoft 365 credentials?

Credentials

The following credentials are required to get started with Microsoft 365 Security:
  • Application ID
  • Tenant
  • Tenant ID

These credentials are created by registering an application in Microsoft Azure (via Microsoft Entra ID, formerly Azure Active Directory).

Preparation

  1.  A user with the Global Administrator role in your Microsoft Entra tenant is required to grant admin consent and assign directory roles.

  2. Access to Microsoft Entra admin Center.

Register an application

  1. Log in to your Azure Account through the Azure portal and navigate to the Entra ID Service.
  2. Click on Entra ID (formerly known as Azure Active Directory) >  App registrations.
  3. Click on New Registration.
  4. Enter your App, e.g., "Holm Security Microsoft 365 Security" in the Name field.
  5. Under Supported account types to select: Accounts in this organizational directory only.
  6. Click on Register.
  7. You should now see the following values:
    • Application (client) ID should be added to the Application ID field in the Microsoft 365 profile.
  8. Download the Holm Security certificate here.
  9. Navigate to your newly created application, and in the left panel, click Settings > Certificates >
     Public key certificates (.cer) > Add certificate.
  10. Upload Holm Security's certificate to the application.

Create the service principal

  1. In the search bar at the top of the screen, search for and select Subscriptions.
  2. In the new window, select the subscription you want to modify. If you don't see the subscription you're looking for, select the global subscriptions filter. Make sure the subscription you want is selected for the tenant.
  3. In the left pane, select Access control (IAM).
  4. Click Add, then select Add role assignment.
  5. In the Role tab, select the role you wish to assign to the application in the list, then select Next.
  6. On the Members tab, for Assign access to, select User, group, or service principal.
  7. Click Select members. To find your application, search for it by name.
  8. Click the Select button, then click Review + assign.

Assign API permissions

Required permissions
Permissions that have "write" privileges are included in the SharePoint permissions list. You can read about SharePoint permissions at the Microsoft website (external link). Those permissions are the minimum required to read the admin center configurations and are a limitation of the underlying APIs for these services. The write privileges are not used to carry out the assessment. You can find more information about these limitations at the Microsoft website (external link).

  1. Navigate to Entra ID > App registrations > All applications.
  2. Search for the application you want to add permissions to and select it.
  3. In the left panel, select API permissions > Add permissions.
  4. Add the Microsoft Graph permissions first:
    1. On the Microsoft APIs tab, select Microsoft Graph > Application permissions, then check
      every Microsoft Graph permission from the Permissions table below and select Add permissions.
    1. Select Add a permission again, but this time open the APIs my organization uses tab.
    2. Search for Office 365 Exchange Online, select it, select Application permissions, check
      Exchange.ManageAsApp, and select Add permissions.
    3. Repeat for Office 365 SharePoint Online and the Sites.FullControl.All permission. Now add the Exchange and SharePoint permissions:
  5. The table below lists the minimum permissions and roles required to read configuration data for each supported product:
Permissions: Resource: Purpose:
Directory.Read.All Microsoft Graph Read users, groups, and applications in the tenant directory.
Policy.Read.All Microsoft Graph Read Conditional Access and authentication-method policies.
PrivilegedAccess.Read.AzureADGroup Microsoft Graph Read membership of privileged-access groups.
PrivilegedEligibilitySchedule.Read.AzureADGroup Microsoft Graph Read time-bound eligibility schedules for privileged roles.
RoleManagement.Read.Directory Microsoft Graph Read directory role definitions and role assignments.
RoleManagementPolicy.Read.AzureADGroup Microsoft Graph Read role-activation policies (for example, whether MFA is required to activate a role).
User.Read.All Microsoft Graph Read user account properties such as sign-in status and licensing.
Exchange.ManageAsApp Office 365 Exchange Online Authenticate to Exchange Online PowerShell as an application. See section below.
Sites.FullControl.All SharePoint Online Read SharePoint tenant-administration configuration. See section below.
Directory role: Global Reader Tenant-wide Grants read-only access to Exchange, Teams, and Defender configuration outside Graph.

Important
You must select Application permissions (not Delegated). Certificate-based authentication signs in as the app itlself, with no user involved, so only Application permissions apply. Choosing delegated will cause scans to fail with authentication errors.

Assign the global reader role

API permissions cover Microsoft Graph and SharePoint, but Exchange Online, Microsoft Teams, and Defender
for Office 365 also require the application to hold an Entra directory role. Microsoft's own app-only.

The authentication guide for Exchange calls this out: Exchange.ManageAsApp only works in combination with a
supported directory role. Global Reader is the least privileged role that satisfies this requirement and is read-
only.

To assign the Global Reader role, do the following:

  1. Navigate to Entra ID > Roles & admins.
  2. Click the Global Reader role name > select Add assignments

  3. Search for the application you created, select it, and click Add.

Grant consent for the added permissions

  1. In the left panel, scroll to Security > Permissions.
  2. Click the Grant admin consent for Contoso to enable it.
  3. Each permission in the list should now show a green check under Status.

Collect tenant and tenant ID

  1. In the Microsoft Entra Overview page, you can find the Microsoft Entra Tenant ID and the Primary domain (Tenant) name in the Basic information section.
    1. Tenant ID should be added to the Tenant ID field in the Microsoft 365 profile.
    2. Primary Domain should be added to the Tenant field in the Microsoft 365 profile.
  2. Done!