Sam360 integrates with Office 365 by importing user, license entitlement, license allocation and usage data on a scheduled basis. In order to enable the integration, it is necessary to specify the credentials of a Microsoft account that has permissions to administer the target Office 365 tenant. This can be an existing user account or a dedicated service account.

It is considered best practice to create a dedicated account where minimum required privileges can be assigned. Also, if all existing user accounts use two-factor authentication, it will be necessary to create a service account that does not require two-factor authentication. This article describes how to create a dedicated service account. Your organization will not be charged by Microsoft for this account as it does not require an Office 365 licence.

Step 1 – Install Required Components

We will create the account using PowerShell. First, we must ensure we have the required components installed. Install the ‘Azure Active Directory PowerShell’ component from the PowerShell Gallery. If PowerShellGet is not already installed on your system, it must first be installed from the PowerShell Gallery.

Step 2 – Connect to Office 365 Admin Service

Open Windows PowerShell and use the commands detailed below. It will be necessary to specify the credentials of an existing Office 365 administrator for the tenant.

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Sarah> Import-Module MSOnline
PS C:\Users\Sarah> $Office365credentials = Get-Credential
PS C:\Users\Sarah> Connect-MsolService -Credential $Office365credentials
PS C:\Users\Sarah> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $Office365credentials -Authentication Basic -AllowRedirection
PS C:\Users\Sarah> Import-PSSession $Session

These commands connect you to the Office 365 admin and Office 365 Exchange services. To ensure the connections were successful, you can use the Get-MSOLUser command to get the full list of Office 365 users in the chosen tenant.

PS C:\Users\Sarah> Get-MSOLUser

UserPrincipalName                  DisplayName  isLicensed
-----------------                  -----------  ----------
sarah@Sam360Test.onmicrosoft.com Sarah Test True
david@Sam360Test.onmicrosoft.com David Test True
kate@Sam360Test.onmicrosoft.com Kate Test True

PS C:\scripts\Sarah>

Step 3 – Create Service Account

To create the new service account, use the command below. Update the command to set the company.onmicrosoft.com part to match your own Office 365 .onmicrosoft.com domain and replace the password with a secure password of your own. The password will need to comply with the Office 365 minimum password requirements for your tenant. We recommend a password of at least 10 characters including a mixture of capital and lower case letters, numbers and special characters.

PS C:\Users\Sarah> New-MSolUser -DisplayName "Service Account for Sam360 Reports" -UserPrincipalName "Sam360Reports@company.onmicrosoft.com" -Password "Password123" -PasswordNeverExpires $true

PS C:\scripts\Sarah>

It is also necessary to update the user account to specify that the password does not need to be reset on first login.

PS C:\Users\Sarah> Set-MsolUserPassword -UserPrincipalName "Sam360Reports@company.onmicrosoft.com" -NewPassword "Password123" -ForceChangePassword $False

PS C:\scripts\Sarah>

Step 4 – Configure Service Account Permissions

The service account needs permission to read company, user and license information from the Office 365 tenant. In order to assign these rights, we add the user to the "Service Support Administrator" role.

PS C:\Users\Sarah> Add-MSOLRoleMember -RoleName "Service Support Administrator" -RoleMemberEmailAddress "Sam360Reports@company.onmicrosoft.com"

PS C:\scripts\Sarah>

The service account also needs permission to read Exchange user and ActiveSync device information. We assign the ‘View-Only Organization Management’ role group to the user to achieve this.

PS C:\Users\Sarah> Add-RoleGroupMember -identity "View-Only Organization Management" -member "Sam360Reports"

PS C:\scripts\Sarah>

If you receive the following error, please try the command again in 30 minutes. This is due to the newly created account not yet having been replicated to Exchange Online.

Couldn’t find object “Sam360Reports”. Please make sure that it was spelled correctly or specify a different object.
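Steps 3 and 4 can also be run as a single script. The script below is an added example, not part of the original article or of the Sam360 product: it generates the password instead of typing it on the command line, waits for the account to replicate to Exchange Online rather than failing with the error above, skips any step that has already been done, and finishes by confirming that the account holds exactly the two roles described and has not been made a global administrator. It assumes the Step 2 connections (Connect-MsolService and Import-PSSession) are already open; the tenant domain and account name are placeholders.

```powershell
# Added example (not Sam360's own script). Assumes the MSOnline session and the
# Exchange Online remote session from Step 2 are already connected.
param(
    [string]$TenantDomain = "company.onmicrosoft.com",   # placeholder: your tenant
    [string]$AccountName  = "Sam360Reports"               # placeholder: account name
)
$Upn         = "$AccountName@$TenantDomain"
$DisplayName = "Service Account for Sam360 Reports"

# Generate the password instead of typing it, so it never lands in command history.
Add-Type -AssemblyName System.Web
$Password = [System.Web.Security.Membership]::GeneratePassword(20, 4)

# Step 3: create the account (no password reset on first login), or just set the password.
if (-not (Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue)) {
    New-MsolUser -DisplayName $DisplayName -UserPrincipalName $Upn -Password $Password `
        -PasswordNeverExpires $true -ForceChangePassword $false | Out-Null
} else {
    Set-MsolUserPassword -UserPrincipalName $Upn -NewPassword $Password -ForceChangePassword $false | Out-Null
}

# Step 4a: directory role, added only if the account is not already a member.
$Role = Get-MsolRole -RoleName "Service Support Administrator"
if (-not (Get-MsolRoleMember -RoleObjectId $Role.ObjectId | Where-Object EmailAddress -eq $Upn)) {
    Add-MsolRoleMember -RoleObjectId $Role.ObjectId -RoleMemberEmailAddress $Upn
}

# Step 4b: Exchange role group. Poll until the new object is visible to Exchange Online,
# which is what the "Couldn't find object" error in the article is about.
$Group = "View-Only Organization Management"
$Tries = 0
while (-not (Get-User -Identity $Upn -ErrorAction SilentlyContinue) -and $Tries++ -lt 30) {
    Write-Host "Waiting for $Upn to replicate to Exchange Online ($Tries/30)..."
    Start-Sleep -Seconds 60
}
if (-not (Get-RoleGroupMember -Identity $Group | Where-Object DisplayName -eq $DisplayName)) {
    Add-RoleGroupMember -Identity $Group -Member $Upn
}

# Verify least privilege: both intended roles present, no global admin membership.
$Admin = Get-MsolRole -RoleName "Company Administrator"
[PSCustomObject]@{
    UserPrincipalName     = $Upn
    ServiceSupportAdmin   = [bool](Get-MsolRoleMember -RoleObjectId $Role.ObjectId  | Where-Object EmailAddress -eq $Upn)
    ViewOnlyOrgManagement = [bool](Get-RoleGroupMember -Identity $Group | Where-Object DisplayName -eq $DisplayName)
    GlobalAdmin           = [bool](Get-MsolRoleMember -RoleObjectId $Admin.ObjectId | Where-Object EmailAddress -eq $Upn)
    Password              = $Password   # store in your secrets vault, then clear $Password
}
```

Expect ServiceSupportAdmin and ViewOnlyOrgManagement to be True and GlobalAdmin to be False; anything else means the account is misconfigured and should be corrected before the credentials are entered into Sam360.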

The account has now been created and you can use it within the Sam360 Management Point configuration tool.