Pre-requisites for Monitoring Microsoft Office 365 Environments
Before attempting to monitor Microsoft Office 365 or any of its cloud-based service offerings (e.g., Exchange Online, SharePoint Online, etc.), make sure that the following pre-requisites are fulfilled:
- The eG agent should be deployed on a remote host running one of the following Windows versions:
  - Windows Server 2016
  - Windows Server 2019
  - Windows 10
  - Windows 8.1
  - Windows Server 2012 or Windows Server 2012 R2
  - Windows Server 2008 R2 SP1
- The Windows system hosting the remote agent should have an internet connection.
- .NET 4.8 (or above) should pre-exist on the eG agent host.
- Windows Management Framework (WMF) 5.1.14 (or above) should be installed on the eG agent host.
- Basic authentication for WinRM should be enabled on the eG agent host. This is because the eG agent collects a large number of metrics from Microsoft Office 365 by executing the cmdlets of the Exchange Online PowerShell V2 (EXO V2) module. Though this module uses modern authentication, it requires basic authentication for WinRM to be enabled. Note that the eG agent will not be able to collect metrics from the cmdlets of the EXO V2 module if basic authentication for WinRM is disabled using a Group Policy on the eG agent host.
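The host-side pre-requisites above can be checked before the agent is deployed. The following read-only PowerShell check is an added example, not one of the eG Enterprise scripts. It assumes that the WinRM setting in question is the client-side one, uses `outlook.office365.com` only as a sample endpoint for the connectivity test, and uses a function name invented for illustration.

```powershell
# Added example: read-only pre-flight check for the eG agent host.
# It reports state only and changes no configuration. Test-AgentHostPrereqs
# is a hypothetical name; run it from an elevated Windows PowerShell prompt.
function Test-AgentHostPrereqs {
    $r = @{}

    # .NET Framework 4.8 or above: the Release DWORD is 528040 or higher.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $r['DotNet48OrAbove'] = [bool]($ndp -and $ndp.Release -ge 528040)

    # WMF 5.1 ships Windows PowerShell 5.1. The full build is reported so it
    # can be compared by hand against the documented minimum (WMF 5.1.14).
    $r['PowerShellVersion'] = $PSVersionTable.PSVersion.ToString()
    $r['Wmf51OrAbove'] = ($PSVersionTable.PSVersion -ge [version]'5.1')

    # Group Policy override: AllowBasic = 0 under the WinRM client policy key
    # means Basic is disabled by policy, the failure case the page describes.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' -Name AllowBasic -ErrorAction SilentlyContinue
    $r['BasicBlockedByGpo'] = [bool]($pol -and $pol.AllowBasic -eq 0)

    # Effective WinRM client setting (assumption: client side is what matters).
    try {
        $basic = (Get-Item WSMan:\localhost\Client\Auth\Basic -ErrorAction Stop).Value
        $r['WinRmClientBasic'] = ($basic -eq 'true')
    } catch {
        $r['WinRmClientBasic'] = 'unknown (WinRM not reachable or not elevated)'
    }

    # Outbound HTTPS reachability. TcpClient is used instead of
    # Test-NetConnection so the check also runs on the older listed versions.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect('outlook.office365.com', 443)   # sample endpoint, an assumption
        $r['Outbound443'] = $tcp.Connected
        $tcp.Close()
    } catch {
        $r['Outbound443'] = $false
    }

    New-Object PSObject -Property $r
}

Test-AgentHostPrereqs | Format-List
```

A host is ready when `DotNet48OrAbove`, `Wmf51OrAbove`, `WinRmClientBasic` and `Outbound443` are all `True` and `BasicBlockedByGpo` is `False`.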
eG Enterprise provides proprietary PowerShell scripts, which you can run to fulfill many of the monitoring pre-requisites automatically. These scripts and their purposes are discussed below:
O365_Step2_ModulesDwnldnInstall.ps1: This script automatically installs the following modules/packages that are required for monitoring Office 365 environments:
- A 64-bit version of the Microsoft Online Services Sign-in Assistant for IT Professionals RTW;
- A 64-bit version of the Microsoft Azure Active Directory Module for Windows PowerShell;
- Exchange Online Management Module, which is essential for monitoring Exchange Online;
- SharePoint Online Management Shell, which is key for monitoring SharePoint Online;
- Network Assessment Tool, which helps with Microsoft Teams / Skype for Business Online monitoring;
- Microsoft Teams Module, which is important for Microsoft Teams monitoring;
- Skype Online PowerShell module, which is imperative for Skype for Business Online monitoring.
O365SetRolesAndpermissions.ps1: The eG agent runs PowerShell cmdlets to pull many of the metrics related to Office 365 and its services. To run these cmdlets, the eG agent requires certain permissions. These permissions vary according to the Office 365 service being monitored (i.e., the monitoring model in use).
The table below describes these privileges:
- Microsoft Office 365: A user who is vested with the View-Only Audit Logs permission
- Microsoft Exchange Online: A user who is vested with the View-Only Audit Logs, View-Only Recipients, Mail Recipients, and Mail Import Export permissions
- Microsoft SharePoint Online and Microsoft OneDrive for Business: A user who has been assigned the Service support admin and SharePoint admin roles and is vested with the View-Only Audit Logs permission
- A user who has been assigned the Service support admin role and is vested with the View-Only Audit Logs and Team administrator permissions
- A user who has been assigned the Service support admin role and is vested with the user_impersonation permission
Using the O365SetRolesAndpermissions.ps1 script, you can:
- Automatically create a user with the aforesaid permissions, or
- Automatically assign these permissions to any existing user you choose.
Also, to enable the eG agent to monitor service health, Message Center communications, and user activity, a Microsoft Graph app needs to be registered on Azure Active Directory (AD), with the following permissions:
- ServiceHealth.Read permission to the Office 365 Management APIs, which will allow the app to read the service health information for your organization;
- MyFiles.Read permission to the SharePoint API, which will allow the app to read from and write to user files;
- Sites.Read.All permission to the SharePoint API, which will allow the app to read items in all site collections;
- User.Read permission to the Azure Active Directory Graph API, which will allow the app to sign in and read the user profile;
- Group.Read.All permission to the Microsoft Graph API, which will allow the app to read all groups;
- User.Read.All permission to the Azure Active Directory Graph API, which will enable the app to read the full profile of all users;
- Reports.Read.All permission to the Microsoft Graph API, which will permit the app to read all usage reports;
- user_impersonation permission to the Microsoft Yammer API, which will permit the app to read/write to the Yammer platform.
This script automatically registers a Microsoft Graph app on Microsoft Azure Active Directory, auto-configured with all the permissions required for monitoring.
This test pulls metrics using the Microsoft Graph API. Typically, tests that use the Microsoft Graph API may not start reporting metrics right away. Sometimes, they may go without reporting metrics for over 48 hours. This is normal behavior, and it occurs because Microsoft does not collect/refresh the metrics as frequently as the test executes.
To know how to use these scripts, refer to Using Powershell Scripts to Fulfill Requirements for Monitoring Office 365 and/or its Service Offerings.
On the other hand, if you choose not to use the scripts above, then you have to manually fulfill each of the requirements described above. To know how, refer to How to Manually Fulfill Pre-requisites for Monitoring Office 365 Environments?.
The Office 365 monitoring account should not be 2FA/MFA enabled.