Where do I find my Microsoft 365 credentials?
Credentials
- Application ID
- Tenant
- Tenant ID
These credentials are created by registering an application in Microsoft Azure (via Microsoft Entra ID, formerly Azure Active Directory).
Preparation
- A user with the Global Administrator role in your Microsoft Entra tenant is required to grant admin consent and assign directory roles.
- Access to the Microsoft Entra admin center.
- The Holm Security certificate — download it here
Automated setup
Holm Security publishes a PowerShell script that does every step below for you. It registers the application, attaches the certificate, grants permissions, and assigns the Global Reader role. It takes ~30 seconds end-to-end and is fully unattended once you sign in.
Use this if you have a Windows machine and PowerShell 7. If you'd rather click through the Entra portal, skip to Manual setup below.
Requirements
- Windows (the script uses Windows-only PowerShell modules under the hood).
- PowerShell 7 — install with winget install --id Microsoft.PowerShell -e (or download from aka.ms/powershell).
- A user account with the Global Administrator role in your Microsoft Entra tenant.
- Internet access to download.holmsecurity.com, graph.microsoft.com, and login.microsoftonline.com.
How to run
Open a PowerShell 7 terminal (pwsh.exe — not the older "Windows PowerShell" / powershell.exe) and run:
Invoke-WebRequest -Uri https://download.holmsecurity.com/m365/Holm-M365-Setup.ps1 -OutFile Holm-M365-Setup.ps1
.\Holm-M365-Setup.ps1
A Microsoft sign-in window will open. Sign in with your Global Administrator account and approve the consent prompt. When the script finishes, you'll see:
Paste these into the Holm Security Microsoft 365 assessment profile:
| Application ID: | [guid] |
| Tenant ID: | [guid] |
| Tenant: | [your-tenant].onmicrosoft.com |
Copy those three values into the Microsoft 365 profile in the Security Center (see Collect tenant and tenant ID below for which field each value belongs in) and you're done.
Re-running
The script is safe to re-run: if Holm-M365 already exists in your tenant, it reuses the existing app and just fills in anything missing (cert, role, permissions). No duplicate apps are created.
Manual setup
If you prefer to do this through the Entra portal, follow the steps below.
Register an application
- Log in to your Azure Account through the Azure portal and navigate to the Entra ID Service.
- Click on Entra ID (formerly known as Azure Active Directory) > App registrations.
- Click on New Registration.
- Enter your App, e.g., "Holm Security Microsoft 365 Security" in the Name field.
- Under Supported account types, select: Accounts in this organizational directory only.
- Click on Register.
- You should now see the following values:
- Application (client) ID should be added to the Application ID field in the Microsoft 365 profile.
- Download the Holm Security certificate here.
- In the left panel, under Manage, select Certificates & secrets > Upload certificate.
- Upload Holm Security's certificate to the application.
Assign API permissions
Required permissions
Permissions that have "write" privileges are included in the SharePoint permissions list. You can read about SharePoint permissions at the Microsoft website (external link). Those permissions are the minimum required to read the admin center configurations and are a limitation of the underlying APIs for these services. The write privileges are not used to carry out the assessment. You can find more information about these limitations at the Microsoft website (external link).
- Navigate to Entra ID > App registrations > All applications.
- Search for the application you want to add permissions to and select it.
- In the left panel, select API permissions > Add permissions.
- Add the Microsoft Graph permissions first:
- On the Microsoft APIs tab, select Microsoft Graph > Application permissions, then check every Microsoft Graph permission from the Permissions table below and select Add permissions.
- Now add the Exchange and SharePoint permissions:
- Select Add a permission again, but this time open the APIs my organization uses tab.
- Search for Office 365 Exchange Online, select it, select Application permissions, check Exchange.ManageAsApp, and select Add permissions.
- Repeat for Office 365 SharePoint Online and the Sites.FullControl.All permission.
- The table below lists the minimum permissions and roles required to read configuration data for each supported product:
| Permission | Resource | Purpose |
|---|---|---|
| Directory.Read.All | Microsoft Graph | Read users, groups, and applications in the tenant directory. |
| Policy.Read.All | Microsoft Graph | Read Conditional Access and authentication-method policies. |
| PrivilegedAccess.Read.AzureADGroup | Microsoft Graph | Read membership of privileged-access groups. |
| PrivilegedEligibilitySchedule.Read.AzureADGroup | Microsoft Graph | Read time-bound eligibility schedules for privileged roles. |
| RoleManagement.Read.Directory | Microsoft Graph | Read directory role definitions and role assignments. |
| RoleManagementPolicy.Read.AzureADGroup | Microsoft Graph | Read role-activation policies (for example, whether MFA is required to activate a role). |
| User.Read.All | Microsoft Graph | Read user account properties such as sign-in status and licensing. |
| Exchange.ManageAsApp | Office 365 Exchange Online | Authenticate to Exchange Online PowerShell as an application. See section below. |
| Sites.FullControl.All | SharePoint Online | Read SharePoint tenant-administration configuration. See section below. |
| Directory role: Global Reader | Tenant-wide | Grants read-only access to Exchange, Teams, and Defender configuration outside Graph. |
Important
You must select Application permissions (not Delegated). Certificate-based authentication signs in as the app itself, with no user involved, so only Application permissions apply. Choosing Delegated will cause assessments to fail with authentication errors.
Assign the global reader role
API permissions cover Microsoft Graph and SharePoint, but Exchange Online, Microsoft Teams, and Defender for Office 365 also require the application to hold an Entra directory role. Microsoft's own app-only authentication guide for Exchange calls this out: Exchange.ManageAsApp only works in combination with a supported directory role. Global Reader is the least privileged role that satisfies this requirement and is read-only.
To assign the Global Reader role, do the following:
- Navigate to Entra ID > Roles & admins.
- Click the Global Reader role name > select Add assignments.
- Search for the application you created, select it, and click Add.
Grant consent for the added permissions
- In the left panel, under Security, select Permissions.
- Click Grant admin consent for [your tenant] (the button shows your tenant's name; Microsoft's examples use Contoso) to enable it.
- Each permission in the list should now show a green check under Status.
Collect tenant and tenant ID
- In the Microsoft Entra Overview page, you can find the Microsoft Entra Tenant ID and the Primary domain (Tenant) name in the Basic information section.
- Tenant ID should be added to the Tenant ID field in the Microsoft 365 profile.
- Primary Domain should be added to the Tenant field in the Microsoft 365 profile.
- Done!
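Once either setup path has finished, the following script checks that the result matches what this guide requires: a valid certificate on the app, only Application (not Delegated) permissions, admin consent for every permission in the table above, and the Global Reader role. It is an added example, not Holm Security's setup script; it assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph) and that $AppName holds the display name you gave the registration.

```powershell
# Added verification script (not Holm Security's own). Requires the Microsoft.Graph SDK and a
# signed-in account that may read applications, service principals and directory role members.
# $AppName is an assumption: replace it with the display name you chose when registering the app.
$AppName  = 'Holm-M365'
$Expected = @('Directory.Read.All', 'Policy.Read.All', 'PrivilegedAccess.Read.AzureADGroup',
              'PrivilegedEligibilitySchedule.Read.AzureADGroup', 'RoleManagement.Read.Directory',
              'RoleManagementPolicy.Read.AzureADGroup', 'User.Read.All',
              'Exchange.ManageAsApp', 'Sites.FullControl.All')

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$app = Get-MgApplication -Filter "displayName eq '$AppName'"
if (-not $app) { throw "No app registration named '$AppName' was found in this tenant." }
"Application ID : $($app.AppId)"

# 1. Certificate attached? An uploaded certificate is stored as an asymmetric key credential.
$certs = $app.KeyCredentials |
    Where-Object { $_.Type -eq 'AsymmetricX509Cert' -and $_.EndDateTime -gt (Get-Date) }
"Unexpired certificates on the app: $(@($certs).Count)"

# 2. Application permissions only? Type 'Role' = Application, 'Scope' = Delegated.
#    Delegated entries cannot be used by certificate-based (app-only) sign-in.
$delegated = $app.RequiredResourceAccess.ResourceAccess | Where-Object Type -eq 'Scope'
if ($delegated) { Write-Warning 'Delegated permissions found; change them to Application permissions.' }

# 3. Admin consent granted? Consented application permissions show up as app role
#    assignments on the service principal. The role name is resolved from the resource's AppRoles.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    ($resource.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
}
$missing = $Expected | Where-Object { $_ -notin @($granted) }
if ($missing) { Write-Warning "Not consented yet: $($missing -join ', ')" }
else          { "All $($Expected.Count) required permissions are consented." }

# 4. Global Reader assigned? Members are listed on the (activated) directory role object.
$role     = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Reader'
$isReader = [bool]$role -and ((Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id).Id -contains $sp.Id)
"Global Reader assigned to the app: $isReader"
```

Any warning printed by the script points at the step in Manual setup that still needs to be completed; a clean run with the permission count matching the table and Global Reader reported as True means the profile values can be used as-is.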