Azure AD and Microsoft 365
Azure AD is Microsoft's cloud-based directory service. At a basic level, a directory service maintains lists of your users, and associated groups, as well as dealing with authentication. Azure AD is a foundational element of Microsoft 365 - any user of Microsoft 365 is actually listed in Azure AD.
From a technical perspective, whilst Microsoft 365 offers additional functionality on top of Azure, all access is through the Microsoft Graph API which gives a consistent way to access Azure AD and other Microsoft products.
To all intents and purposes, connecting Trelica to Azure AD / Microsoft 365 is the same thing. If you just use Azure AD, then some data (e.g. Sharepoint usage) will just be empty.
Trelica connects using OAuth2, and the default permissions that Trelica requests are read-only.
You should connect to Azure with a user account that has at least the Directory Readers, Security Reader and Reports Reader roles.
If you enable Provisioning or Deprovisioning you will also need the Directory Writers role.
Scopes requested
Scope | Reason |
---|---|
AuditLog.Read.All | This is used to read audit logs to extract last-login times for SAML2 enabled applications (only works with Azure AD P1 and P2). The Security Reader role enables this. |
Directory.Read.All | Allows Trelica to read basic data in your organization's directory, such as users, groups and apps. It also allows us to retrieve information about the Office 365 licenses each user has been assigned. |
Group.Read.All | Trelica reads the names and IDs of security and Office 365 groups in your organization's directory. |
GroupMember.Read.All | To show which users are members of each group, Trelica needs to read the members of each group. |
Reports.Read.All | Where audit log data is not available, Trelica reads Microsoft Office 365 usage reports to return last used dates for applications like Teams, Yammer, OneDrive and SharePoint. The Reports Reader role enables this. |
User.Read.All | Trelica pulls a list of all Office 365 users, and basic profile properties like name, email, employee ID, job title and creation date. |
User.ReadWrite.All | Required for provisioning and deprovisioning users. This needs the Directory Writers role. |
Application consent in Azure
Azure now offers a very comprehensive approach to OAuth application security. The recommended settings limit users' ability to consent to OAuth applications - if you're an Azure Administrator you can see the configuration your organization is using under Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
Trelica requires a number of permissions to access resources in Azure, and it's likely you will have either Do not allow user consent or Allow user consent for apps from verified publishers, for selected permissions selected. In this case, connecting Trelica to Azure with an account that is not an Azure administrator will show the Need admin approval message:
As the message suggests, you could switch to use an Azure administrator login to make the connection (Have an admin account? Sign in with that account).
Trelica will not be granted the full access of your administrator account - our access is limited to the OAuth scopes we request.
Approving the Trelica application connection using a separate Admin Azure account
If you want to use a different user account (perhaps a specific Trelica 'service' account with just the Global Reader role) to connect from Trelica to Azure, then you will still need an Azure Administrator to approve the Trelica application.
The easiest way to do this is to ask an Azure Admin (who does not need to have a Trelica account) to click the following link:
https://login.microsoftonline.com/common/adminconsent?client_id=736c9ac0-68b3-4c09-8f92-17cc92891638
This will initiate the process for approving the Trelica connection in Azure. They will be shown the following screen:
You do NOT need to Consent on behalf of your organization. If you leave the box unchecked it just means that if a new connection is made, then the user must review the access Trelica is requesting.
After you click Accept, then the user will see a message from Trelica that says "Request forwarding failed Forwarding the request to the upstream server failed. Please retry, and if the problem persists contact Trelica support."
You can ignore this message - it's simply because the request was initiated from a direct URL outside Trelica. We are working to improve the wording of this.
You can confirm that the application has been added by going to Enterprise applications in Azure:
Now that the application has been approved by an administrator, you can login to Trelica and Connect using your non-admin account:
Authorizing additional scopes
If you want to authorize additional integration functionality, e.g. to enable deprovisioning, first click the ⋮ icon and disconnect the integration, and then reconnect, selecting the features you want.
If you have previously consented to a set of scopes in Azure, you may find that any additional scopes required (e.g. User.ReadWrite.All) are not correctly granted.
To resolve this, you may need to delete the Trelica application in Azure and reconnect, so that the right scopes are granted again.
To delete the Trelica application, find the Enterprise applications Azure service:
Then search for Trelica (Microsoft Azure AD):
Click through on the application, select Properties on the left-hand side and then Delete the application:
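Before deleting and re-adding the application, an administrator can confirm which delegated scopes have actually been granted to the Trelica service principal, and whether any of them were consented on behalf of all users. The following is an added example (not Trelica's own code) that parses the `value` array returned by Microsoft Graph's `GET /v1.0/oauth2PermissionGrants` endpoint (filtered on the service principal's `clientId`) and compares it with the scopes listed in the table above. The sample response and all object IDs are constructed placeholders; in practice the JSON would come from a Graph call made with an administrator token.

```python
import json

# Delegated scopes from the "Scopes requested" table on this page.
REQUIRED_SCOPES = {
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Reports.Read.All", "User.Read.All",
}
# Extra scope needed only when Provisioning / Deprovisioning is enabled.
PROVISIONING_SCOPES = {"User.ReadWrite.All"}

# Constructed sample modelled on the shape of an oauth2PermissionGrants response.
# Every ID below is a placeholder, not a real tenant value. A user-level consent
# has consentType "Principal"; consent granted on behalf of the whole tenant has
# consentType "AllPrincipals". The "scope" property is a space-separated string
# and Graph may return it with a leading space.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "clientId": "SP-OBJECT-ID-PLACEHOLDER",
            "consentType": "Principal",
            "principalId": "USER-OBJECT-ID-PLACEHOLDER",
            "resourceId": "GRAPH-RESOURCE-ID-PLACEHOLDER",
            "scope": " AuditLog.Read.All Directory.Read.All Group.Read.All "
                     "GroupMember.Read.All Reports.Read.All User.Read.All",
        },
        {
            # Unrelated grant for a different app, which must be ignored.
            "clientId": "OTHER-SP-OBJECT-ID-PLACEHOLDER",
            "consentType": "AllPrincipals",
            "principalId": None,
            "resourceId": "GRAPH-RESOURCE-ID-PLACEHOLDER",
            "scope": "Mail.Read",
        },
    ]
})


def granted_scopes(response_json: str, client_id: str) -> dict:
    """Return {consentType: set_of_scopes} for grants belonging to client_id."""
    out = {}
    for grant in json.loads(response_json)["value"]:
        if grant["clientId"] != client_id:
            continue
        # str.split() with no argument tolerates the leading/double spaces.
        out.setdefault(grant["consentType"], set()).update(grant["scope"].split())
    return out


def missing_scopes(response_json: str, client_id: str, provisioning: bool = False) -> list:
    """Scopes the integration needs that no grant (user or tenant-wide) provides."""
    needed = set(REQUIRED_SCOPES)
    if provisioning:
        needed |= PROVISIONING_SCOPES
    grants = granted_scopes(response_json, client_id)
    have = set().union(*grants.values())
    return sorted(needed - have)


def admin_consented_scopes(response_json: str, client_id: str) -> list:
    """Scopes an administrator consented on behalf of all users (AllPrincipals)."""
    return sorted(granted_scopes(response_json, client_id).get("AllPrincipals", set()))


if __name__ == "__main__":
    sp = "SP-OBJECT-ID-PLACEHOLDER"
    print("missing (read-only):   ", missing_scopes(SAMPLE_RESPONSE, sp))
    print("missing (provisioning):", missing_scopes(SAMPLE_RESPONSE, sp, provisioning=True))
    print("tenant-wide consents:  ", admin_consented_scopes(SAMPLE_RESPONSE, sp))
```

If `missing_scopes` reports `User.ReadWrite.All` after you have reconnected with deprovisioning enabled, the earlier consent is still the one in effect, which is exactly the situation that the delete-and-reconnect steps above resolve.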
Concealed user names in Microsoft 365 usage reports
By default, Microsoft 365 now anonymises (or "conceals") user names in usage reports. If this setting is enabled, then Trelica cannot read user level usage data for Outlook, Teams, OneDrive and SharePoint.
If you want to see this then go to Settings > Org settings > Reports in the Microsoft 365 admin center:
Make sure that the checkbox for Display concealed user, group and site names in all reports is unchecked.
Then click Save.
You must refresh the Microsoft 365 integration in Trelica to update the data:
Microsoft 365 usage data for Outlook, Teams, OneDrive and SharePoint typically has a slight lag, so may not register usage from the previous 48 hours.
FAQs
How is the person type determined?
The person type is determined by the following logic:
- If the Azure AD User Type is "Guest" then the person is marked as "External"
- If the Azure AD Employee Type field is set then it is mapped as follows:
  - Employee => Employee
  - Contractor => Contractor
  - Consultant or Vendor => External
- If the Employee Type is not set, then if any of the following fields have a value, the person is marked as an Employee:
  - Employee ID
  - Manager
  - Cost Center
  - Division
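The classification rules above, written out as an added example (not Trelica's code). It works on a flat dictionary of user attributes built from the Azure AD fields the rules name; the key names and sample users are constructed for the example, and the behaviour for an Employee Type value the rules do not mention (returning `None`) is an assumption, since the page does not say what happens in that case.

```python
from typing import Optional

# Employee Type values named on this page and the person type each maps to.
# Matching is done case-insensitively (assumption: the page shows title case only).
EMPLOYEE_TYPE_MAP = {
    "employee": "Employee",
    "contractor": "Contractor",
    "consultant": "External",
    "vendor": "External",
}

# Fields whose presence marks a person as an Employee when Employee Type is unset.
EMPLOYEE_EVIDENCE_FIELDS = ("employeeId", "manager", "costCenter", "division")


def person_type(user: dict) -> Optional[str]:
    """Apply the three rules in order; the first rule that decides wins."""
    # Rule 1: guest accounts are always External, whatever else is set.
    if (user.get("userType") or "").strip().lower() == "guest":
        return "External"

    # Rule 2: an explicit Employee Type is mapped directly.
    employee_type = (user.get("employeeType") or "").strip().lower()
    if employee_type:
        # Unmapped values fall through to None (assumption, see lead-in).
        return EMPLOYEE_TYPE_MAP.get(employee_type)

    # Rule 3: no Employee Type, but organisational fields suggest an employee.
    if any((user.get(field) or "").strip() for field in EMPLOYEE_EVIDENCE_FIELDS):
        return "Employee"

    return None


# Constructed sample users (no real identities).
SAMPLE_USERS = {
    "guest-with-employee-type": {"userType": "Guest", "employeeType": "Employee"},
    "explicit-vendor": {"userType": "Member", "employeeType": "Vendor"},
    "explicit-contractor": {"userType": "Member", "employeeType": "contractor"},
    "inferred-employee": {"userType": "Member", "employeeType": "", "manager": "MANAGER-ID-PLACEHOLDER"},
    "unclassified": {"userType": "Member", "employeeType": None, "employeeId": ""},
    "unknown-type": {"userType": "Member", "employeeType": "Intern"},
}


def classify_all(users: dict) -> dict:
    return {name: person_type(attrs) for name, attrs in users.items()}


if __name__ == "__main__":
    for name, result in classify_all(SAMPLE_USERS).items():
        print(f"{name:28s} -> {result}")
```

Note that rule 1 runs before the Employee Type lookup, so a guest whose Employee Type happens to be "Employee" is still External; the guest check is the one that matters for external-access reviews.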
An application shows a 'High' OAuth Access Risk, but no users have a 'High' OAuth Access Risk
An Azure administrator can grant specific consents on behalf of all users. If this has been granted then Trelica derives a risk rating from these consents and applies this to the application.
An application that I can see in the Azure Enterprise Applications list isn't showing in Trelica
Trelica only imports applications that meet one or more of the following criteria:
- The application is configured for SAML2
- The application has users or groups assigned to it
- Azure has issued OAuth2 tokens for the application, and they are still valid
What does the last login date for Microsoft 365 reflect?
If you have an Azure AD P1 or P2 license then Trelica will retrieve the last interactive login date for your users. An interactive login is where a user actually enters a password (or uses an MFA app or biometric factor or QR code) to sign in to an application using their Azure AD account.
If users are primarily accessing Microsoft 365 through mobile apps (for example) then this may not reflect actual activity as these applications may be using non-interactive logins. Data relating to non-interactive logins is not available through Microsoft APIs.
To overcome this limitation, Trelica combines Azure AD last login dates with Microsoft 365 usage data from Outlook, Teams, OneDrive and SharePoint. This gives a more accurate indication of last usage.
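How that combination works, as an added example (not Trelica's code): take the most recent of the Azure AD interactive sign-in timestamp and the per-workload usage report dates, and remember which source supplied it. The record shape is constructed for the example; it assumes the sign-in value is an ISO 8601 UTC timestamp of the kind Graph's `signInActivity.lastSignInDateTime` returns, and that each usage report contributes a bare `YYYY-MM-DD` date (empty when the report shows no activity). The 48-hour lag mentioned in the usage-report section is folded into the inactivity check.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Usage reports may not yet include the previous 48 hours of activity.
USAGE_REPORT_LAG = timedelta(hours=48)
WORKLOADS = ("Outlook", "Teams", "OneDrive", "SharePoint")


def parse_signin(ts: Optional[str]) -> Optional[datetime]:
    """ISO 8601 with trailing 'Z' (e.g. 2024-02-20T09:00:00Z) -> aware UTC datetime."""
    if not ts:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_usage_date(day: Optional[str]) -> Optional[datetime]:
    """Usage reports give a date only; treat it as start of that day in UTC."""
    if not day:
        return None
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def last_activity(user: dict) -> Tuple[Optional[datetime], Optional[str]]:
    """Most recent activity across sign-in logs and usage reports, with its source."""
    candidates = []
    signin = parse_signin(user.get("lastSignInDateTime"))
    if signin:
        candidates.append((signin, "Azure AD interactive sign-in"))
    for workload in WORKLOADS:
        day = parse_usage_date(user.get(workload))
        if day:
            candidates.append((day, f"{workload} usage report"))
    if not candidates:
        return None, None
    return max(candidates, key=lambda c: c[0])


def is_inactive(user: dict, now: datetime, threshold: timedelta) -> bool:
    """True only when the last known activity is older than the threshold.

    Assumption: because usage reports lag, a threshold shorter than the lag could
    flag a user who was active yesterday, so the threshold is never allowed to
    drop below USAGE_REPORT_LAG.
    """
    effective = max(threshold, USAGE_REPORT_LAG)
    last, _ = last_activity(user)
    if last is None:
        return True
    return now - last > effective


# Constructed sample records (no real users).
SAMPLE_USERS = {
    # Signs in rarely (mobile app, non-interactive) but is active in Teams.
    "mobile-heavy": {
        "lastSignInDateTime": "2024-02-20T09:00:00Z",
        "Outlook": "2024-03-01", "Teams": "2024-03-05", "OneDrive": "", "SharePoint": "",
    },
    # Only an interactive sign-in is known; no usage data (e.g. names concealed).
    "signin-only": {"lastSignInDateTime": "2024-03-10T15:30:00Z"},
    # Nothing recorded at all.
    "never-seen": {"lastSignInDateTime": None, "Teams": ""},
}


if __name__ == "__main__":
    now = datetime(2024, 3, 12, tzinfo=timezone.utc)
    for name, rec in SAMPLE_USERS.items():
        when, source = last_activity(rec)
        print(f"{name:13s} last={when} via={source} inactive30d={is_inactive(rec, now, timedelta(days=30))}")
```

The "mobile-heavy" record is the case the paragraph describes: the sign-in log alone would date the user to 20 February, while the Teams report shows activity on 5 March.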
What does the last login date for Teams or Outlook reflect?
Teams and Outlook usage data indicates the last time a user accessed Teams or Outlook, either on the web, from a desktop client, or from a mobile device. It does not reflect the last date a Teams meeting was held or an Outlook message was sent or received.