Connecting your Microsoft 365 account to your CloudRadial tenant allows you to pull in users and set up various data flows that give users more visibility into their 365 account. Since the July 30, 2019 release, CloudRadial has relied exclusively on a partner application for performing Office 365 data gathering.
- Note: You will need to have access to a Windows computer to perform this setup and be a member of the Microsoft Partner Program to access your current Microsoft Partner Number (MPN).
We'll follow three main steps:
- Running the PowerShell script
- Inputting Microsoft information
- Tying Microsoft data to specific companies in CloudRadial
Alternatively, those without delegated admin access can still tie in Microsoft 365 to a company as long as they have access to an account with administrative access to the M365 tenant.
Step 1: Running the PowerShell Script
Why are we doing this? Running this script allows CloudRadial to see the setup information and hook into the data sent out by Microsoft 365. Without it, we wouldn't be able to pull in information about the users and their usage. In one script, this ensures that we have the right access to the areas that we need.
The script uses the Microsoft.Graph Module to install an application in your partner tenant that CloudRadial uses for authentication.
Permissions
- AuditLog.Read.All
- Calendars.Read
- CallRecordPstnCalls.Read.All
- CallRecords.Read.All
- DeviceManagementConfiguration.Read.All
- Directory.Read.All
- Domain.Read.All
- Reports.Read.All
- SecurityEvents.Read.All
- ServiceMessage.Read.All
- SharePointTenantSettings.Read.All
- User.Read.All
The permission User.ReadWrite.All is optional in the list of permissions. Without this permission, users will not be able to update their Office 365 details from within CloudRadial.
In the CloudRadial Tenant
- Log into your CloudRadial tenant
- Navigate to Partner > Settings
- Click on Microsoft Partner under Setup at the top right
- Click on the PowerShell Script tab at the top
- Click the Copy to Clipboard text to get a copy of the script
- Swap back to the Setup tab. Leave this window open - we'll need to input four codes that we'll get from the PowerShell script.
On Your Windows Computer
- Verify the version of PowerShell installed on your machine by running the following command in Terminal or PowerShell: $PSVersionTable
- If your PowerShell installation is on a version below 7, you'll need to upgrade your PowerShell installation before running the script. You can find the latest version here: PowerShell/PowerShell: PowerShell for every system! (github.com)
- Once your installation of PowerShell version 7+ is complete, you will need to reboot your machine so that the new Environment Variables that point to the new installation take effect.
- Open Windows PowerShell ISE editor as an Administrator using the Windows search bar and navigate to the following path
- Administrator access is required to install the correct PowerShell modules (MSOnline and AzureAD). Use the 64-bit version of ISE.
- If not enabled in PowerShell ISE already, open a Script Pane
- Click View at the top
- Click Show Script Pane
- Ensure your Execution Policy is set to Unrestricted
- In the blue area of PowerShell, type the following and press Enter:
Set-ExecutionPolicy Unrestricted
- You may need to select Yes to some pop-up prompts. Select Yes to All to save time.
- Paste the PowerShell script copied earlier into the Script Pane. Do not paste the script into the blue area of the editor.
- Click the Execute Script button (Green Arrow)
- Press Enter in the blue area of the editor to start the script
- Follow the prompts in the script. It will prompt you to download a few modules to run the script - it's important to click "Yes" and "Yes to All" to ensure the script executes correctly
- You'll be asked to log into Microsoft during a portion of the script. Log in with an Administrative-level user that has Global Admin Access.
- Once the script completes, you'll see 4 values that you'll need to set up the CloudRadial-M365 connection. Don't close out of PowerShell - just swap back over to your CloudRadial tenant.
Step 2: Inputting Microsoft Information
Why are we doing this? Now that we've got the permissions we need, we need to tie various IDs and keys into CloudRadial to secure the connection. Once it's all set, we'll be able to read Microsoft 365 data and add a lot more value to the portal for your clients.
- Return to the open Setup tab under the Microsoft Partner setup in CloudRadial
- Copy and paste the values for AppId, AppSecret, TenantId, and Realm that were provided at the end of the PowerShell script in the blue area pictured above
- Enter your Microsoft Partner Number
- If you're not sure what this is, you can find it by visiting partner.microsoft.com
- Once at the partner site, click on Dashboard
- Click on the Settings Gear on the top right
- Click on Partner Settings
- Once on the Partner Profile page, look for the Program info area and find/copy your MPN ID
- Head back to the CloudRadial window
- Paste it into the Microsoft Partner Number (MPN) field
- Press the Submit button at the end of the page to save your settings.
- Refresh your page to ensure that CloudRadial is displaying the latest information from Microsoft 365
If everything has worked successfully, saving your settings will initiate a request to retrieve your clients and populate your clients in the Partner > Microsoft 365 tab in CloudRadial.
Important Note: It may take anywhere from a few minutes to an entire day, depending on Microsoft server load and data volume, to sync everything into CloudRadial the first time.
Step 3: Tying Microsoft Data to Specific Companies in CloudRadial (Delegated Admin); for GDAP, skip this step.
Why are we doing this? Once the connection is successful, we'll need to finish the job by tying the Microsoft 365 Tenant Identifier to the clients to ensure that the right data comes in for the right clients. This is something that should be completed when clients are first loaded into the portal, but it can always be completed at a later date.
- Navigate to Partner > Clients in CloudRadial
- Click on the 3 blue dots on an existing client
- Click Edit
- Note: The following steps apply both when editing an existing client in CloudRadial or when adding a brand new one
- Once in the Company editing panel, look for the Microsoft 365 Tenant Identifier field
- Toggle if you're a Delegated Administrator for that company
- Delegated Administrator access is only available to Microsoft CSPs. You can learn more about joining the free CSP program by clicking here.
- If you're a Microsoft Partner, you'll be able to use the Lookup button to find their company identifier in Microsoft 365. If not, skip to step 10.
- Press enter on the blank field to load entries, or type the first few letters of the company you're trying to find and then press enter
- Click on the corresponding company
- The ID will now be in place. Click Submit at the bottom of the panel.
- Note: Delegated admin permissions have been deprecated by Microsoft since July 2023.
Adding a Company with GDAP: Granting Admin Application Consent (Required for GDAP only MSPs)
GDAP: Connecting Tenants to Microsoft 365 Now Requires Consent – CloudRadial
The new gold standard will become GDAP (Granular Delegated Admin Privileges). This will be a new way that Microsoft Partners will be required to request consent to access their customer accounts, as well as any third-party applications. You'll now need to provide Admin Application Consent in order to connect customer tenants with their Microsoft 365.
Follow these steps to grant CloudRadial consent to access your customers' Microsoft 365 tenants if you are creating a company and have GDAP-only permissions:
- Navigate to Partner > Clients
- Click +Add at the top right
- Fill out all the relevant information but leave Microsoft 365 Tenant Identifier blank
- Click Submit
- Select the Client company > Microsoft 365 tab
- You will see the options to tie your client's tenant to CloudRadial from here using the Global Administrator account from your customer's tenant in Microsoft 365
!!!DO NOT USE YOUR OWN GLOBAL ADMIN ACCOUNT!!!
- First, select Administrative Access Application, which allows that company's Office 365 data to flow into CloudRadial
- Second, select User Login Access Application, which allows users to use their Office 365 credentials to log into CloudRadial
- Under the Details tab Click Sync
It should look like the below image if successful under the Microsoft 365 tab:
Note: It may show Unauthorized until a successful sync has occurred.
Once you have tied in the proper access in CloudRadial, you will want to confirm the appropriate access from within Microsoft 365 to ensure no interruptions occur.
- Log in to the customer's tenant at https://portal.azure.com/
- Go to Azure Active Directory
- Click Enterprise Applications
- Check for these two permissions
- CloudRadial (User Logins)
- CloudRadial (Admins)
The data from Microsoft will now be flowing into the relevant areas of CloudRadial. They will now also have access to log into CloudRadial using their Microsoft 365 credentials. Setup is complete - simply repeat the ID entry steps for any existing clients or for new clients added to the portal.
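To confirm that a consented application holds only the access listed under Permissions in Step 1, the added example below (not CloudRadial's script and not code from this article) compares the Microsoft Graph application permissions granted to an enterprise application with that list. The function names are hypothetical, delegated permissions are not covered, and it assumes the CloudRadial (Admins) enterprise application carries the Step 1 permissions.

```powershell
# Added example (not CloudRadial's script). Compares granted Microsoft Graph
# application permissions with the list documented in Step 1 of this article.
$Expected = @(
    'AuditLog.Read.All', 'Calendars.Read', 'CallRecordPstnCalls.Read.All',
    'CallRecords.Read.All', 'DeviceManagementConfiguration.Read.All',
    'Directory.Read.All', 'Domain.Read.All', 'Reports.Read.All',
    'SecurityEvents.Read.All', 'ServiceMessage.Read.All',
    'SharePointTenantSettings.Read.All', 'User.Read.All')
$Optional = @('User.ReadWrite.All')   # optional per the article; grants write access

function Compare-GrantedPermission {   # hypothetical helper name
    param([string[]]$Granted = @())
    foreach ($p in ($Expected + $Optional + $Granted | Sort-Object -Unique)) {
        $kind = if ($p -in $Expected) { 'Required' } elseif ($p -in $Optional) { 'Optional' } else { 'Undocumented' }
        $isGranted = $p -in $Granted
        # Review when a required permission is absent, or anything else is present.
        [pscustomobject]@{ Permission = $p; Listed = $kind; Granted = $isGranted
                           Review = (($kind -eq 'Required') -ne $isGranted) }
    }
}

function Get-GrantedGraphAppRole {     # hypothetical helper name
    # Assumption: the display name matches the enterprise application to audit.
    param([string]$DisplayName = 'CloudRadial (Admins)')
    $sp    = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'"
    # Well-known appId of the Microsoft Graph resource service principal.
    $graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $roleName = @{}
    $graph.AppRoles | ForEach-Object { $roleName["$($_.Id)"] = $_.Value }
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $graph.Id } |
        ForEach-Object { $roleName["$($_.AppRoleId)"] }
}

# Constructed sample (not real tenant output): one documented permission absent,
# the optional write permission present, and one permission the article does not list.
$sample  = @($Expected | Where-Object { $_ -ne 'Reports.Read.All' })
$sample += 'User.ReadWrite.All', 'Mail.Read'
Compare-GrantedPermission -Granted $sample | Where-Object Review | Format-Table

# Live use (requires the Microsoft.Graph module and a signed-in session):
# Connect-MgGraph -Scopes 'Application.Read.All'
# Compare-GrantedPermission -Granted (Get-GrantedGraphAppRole) | Where-Object Review
```

Rows marked Review are the ones to examine: a documented permission that is absent, the optional write permission where it is present, and any permission the article does not list.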
Comments
Just followed this through. The AppId came out blank, which was disappointing. After trying to troubleshoot the script I just logged into o365 admin and found the AppId for the graph application and pasted that in. It worked :)
Hi Duncan,
I don't see this in my 365 admin. Do you know what page it's on? Thanks