How to Manually Fulfill Pre-requisites for Monitoring Office 365 Environments?
The eG agent runs PowerShell cmdlets to pull a few metrics from Office 365. To enable the eG agent to run these cmdlets, the following need to be installed and run on the eG agent host:
- A 64-bit version of the Microsoft Online Services Sign-in Assistant for IT Professionals RTW: You can download its installable from the URL: https://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_64bit.msi. After downloading, use the installable to install the sign-in assistant, and then start it.
- A 64-bit version of the Microsoft Azure Active Directory Module for Windows PowerShell: To install this module, do the following:
- First, install the PackageManagement and PowerShellGet modules on the eG agent host. You can download the installable from the URL: https://download.microsoft.com/download/C/4/1/C41378D4-7F41-4BBE-9D0D-0E4F98585C61/PackageManagement_x64.msi
- Once the PackageManagement and PowerShellGet modules are successfully installed, open Windows PowerShell ISE in elevated mode on the eG agent host.
Figure 5 : Installing the Microsoft Online Module for Windows PowerShell
- Next, run the following cmdlet to install the Azure Active Directory PowerShell for Graph module:
Figure 6 : Installing the Azure Active Directory PowerShell for Graph module
- Then, proceed to install the Exchange Online Management Module. For this, run the following cmdlet from the PowerShell prompt:
Figure 7 : Installing the Exchange Online Management module
- Now, install the SharePoint Online Management Shell, which is key for monitoring SharePoint Online. For that, run the following cmdlet:
Figure 8 : Installing the SharePoint Online Management Shell
- Next, install the Microsoft Teams module, which is important for Microsoft Teams monitoring. For this, run the following cmdlet:
Figure 9 : Installing the Microsoft Teams module
- Then, install the Network Assessment Tool, which helps with Microsoft Teams / Skype for Business Online monitoring. For this, you need to download and run the executable from the following URL: https://download.microsoft.com/download/D/D/6/DD65CA90-94CF-4B10-88A2-67432D8EB78F/MicrosoftSkypeForBusinessNetworkAssessmentTool.exe
- Finally, install the Skype Online PowerShell module, which is imperative for Skype for Business Online monitoring. For this, you need to download and run the executable in the URL, https://download.microsoft.com/download/2/0/5/2050B39B-4DA5-48E0-B768-583533B42C3B/SkypeOnlinePowerShell.Exe.
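A scripted form of the installation steps above, as an added example that is not part of the eG documentation: it checks the Authenticode signature of each downloaded installer and installs the five modules from the PowerShell Gallery only. The module names and the `C:\eG-prereqs` download folder are assumptions, since the cmdlets shown in Figures 5 to 9 are not reproduced in the text.

```powershell
#Requires -RunAsAdministrator
# Added example; not part of the eG documentation. Run in an elevated session on the eG agent host.

# The page asks for 64-bit components, so refuse to continue from a 32-bit (x86) console.
if (-not [Environment]::Is64BitProcess) { throw 'Start the 64-bit Windows PowerShell, not the (x86) one.' }

# Assumption: folder where the .msi/.exe files from the download URLs above were saved.
$downloadDir = 'C:\eG-prereqs'

# Assumption: PowerShell Gallery names of the modules installed in the cmdlet steps above.
$modules = 'MSOnline', 'AzureAD', 'ExchangeOnlineManagement',
           'Microsoft.Online.SharePoint.PowerShell', 'MicrosoftTeams'

function Test-MicrosoftSignature {
    # True only when the file has a valid Authenticode signature from Microsoft Corporation.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
}

# 1. Check every downloaded installer before running it.
Get-ChildItem -Path $downloadDir -File |
    Where-Object { $_.Extension -in '.msi', '.exe' } |
    ForEach-Object {
        [pscustomobject]@{ Installer = $_.Name; SignedByMicrosoft = Test-MicrosoftSignature $_.FullName }
    } | Format-Table -AutoSize

# 2. Install any missing module from the PowerShell Gallery only, then report what is present.
foreach ($name in $modules) {
    if (-not (Get-Module -ListAvailable -Name $name)) {
        # AllUsers scope: assumed so the modules are visible to the account the agent runs under.
        Install-Module -Name $name -Repository PSGallery -Scope AllUsers
    }
    $m = Get-Module -ListAvailable -Name $name | Sort-Object Version -Descending | Select-Object -First 1
    [pscustomobject]@{
        Module            = $name
        Version           = $m.Version
        SignedByMicrosoft = if ($m) { Test-MicrosoftSignature $m.Path } else { $false }
    }
}
```

Any row reporting `SignedByMicrosoft` as `False` is a file to re-download or investigate before it is installed or loaded on the agent host.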
To run PowerShell cmdlets for metrics collection, the eG agent requires the credentials of a user who has been assigned specific privileges.
These privileges vary with the service being monitored - i.e., the eG monitoring model in use.
The table below describes these privileges:
| Service monitored | Privileges required |
|---|---|
| Microsoft Office 365 | A user who is vested with the View-Only Audit Logs permission. |
| Microsoft Exchange Online | A user who is vested with the View-Only Audit Logs, View-Only Recipients, Mail Recipients, and Mail Import Export permissions. |
| Microsoft SharePoint Online and Microsoft OneDrive for Business | A user who has been assigned the Service support admin and SharePoint admin roles and is vested with the View-Only Audit Logs permission. |
While you can use the credentials of any existing O365 user with the aforesaid privileges, it is recommended that you create a special user for monitoring purposes using the Office 365 portal and pass the credentials of that user to the eG agent.
To know how to create a new user using the Office 365 portal and assign the required privileges to that user, refer to Creating a New User in the Office 365 Portal.
To enable the eG agent to monitor service health, Message Center communications, and user activity, you need to ensure that the Microsoft Graph App is registered on Azure Active Directory (AD), with the following permissions:
- ServiceHealth.Read permission to the Office 365 Management APIs, which will allow the app to read the service health information for your organization;
- MyFiles.Read permission to the SharePoint API, which will allow the app to read from and write to user files;
- Sites.Read.All permission to the SharePoint API, which will allow the app to read items in all site collections;
- User.Read permission to the Azure Active Directory Graph API, which will allow the app to sign in and read the user profile;
- Group.Read.All permission to the Microsoft Graph API, which will allow the app to read all groups;
- User.Read.All permission to the Azure Active Directory Graph API, which will enable the app to read the full profile of all users;
- Reports.Read.All permission to the Microsoft Graph API, which will permit the app to read all usage reports.
The steps for manually registering this app and granting the aforesaid permissions are detailed in Registering the Microsoft Graph App On Microsoft Azure Active Directory.