Pre-requisites for Monitoring Office 365 Environments where Basic Authentication is Enabled

If Basic Authentication is enabled in your environment, then the following pre-requisites apply:

  1. The following modules/packages are required on the eG agent host:

    • A 64-bit version of the Microsoft Online Services Sign-in Assistant for IT Professionals RTW;
    • A 64-bit version of the Microsoft Azure Active Directory Module for Windows PowerShell;
    • Exchange Online Management Module, which is essential for monitoring Exchange Online;
    • SharePoint Online Management Shell, which is key for monitoring SharePoint Online;
    • Network Assessment Tool, which helps with Microsoft Teams / Skype for Business Online monitoring;
    • Microsoft Teams Module, which is important for Microsoft Teams monitoring;

    You can manually install these modules/packages on the eG agent host. To know how, refer to theManually Installing Packages/Modules Required for Monitoring Office 365 Environmentstopic.

    Alternatively, you can use the proprietary PowerShell script that eG Enterprise provides to automatically install the above-mentioned modules/packages on the eG agent host. To know which script to use and how, refer to theAutomatically Fulfilling Pre-requisites in a Basic Authentication-Enabled Environmenttopic.

  2. The eG agent runs Powershell cmdlets to pull many of the metrics related to Office 365 and its services. The eG agent requires certain permissions to run these cmdlets. These permissions vary according to the Office 365 service being monitored (i.e., the monitoring model in use).

    The table below describes these privileges:

    Monitoring model

    Permissions

    Microsoft Office 365

    A user who is vested with the View-Only Audit Logs permission

    Microsoft Exchange Online

    A user who is vested with the View-Only Audit Logs, View-Only Recipients, Mail Recipients, and Mailbox Import Export permissions

    Microsoft SharePoint Online and Microsoft OneDrive for Business

    A user who has been assigned the Service support admin and SharePoint admin roles and is vested with the View-Only Audit Logs permission

    Microsoft Teams

    A user who has been assigned the Service support admin role and is vested with the View-Only Audit Logs and Team administrator permissions

    To run tests that use Webhooks for collecting call quality analytics, a user who is assigned the User.Read.All Delegated Permission and the CallRecords.Read.All Application Permission, is required.

    Microsoft Yammer

    A user who has been assigned the Service support admin role and is vested with the user_impersonation permission

    You can manually create a new user in Office 365 and assign all the aforesaid permissions to that user, or can simply pick an existing user and grant him/her the permissions mentioned above. The procedure to achieve this manually are detailed in theCreating a New User in the Office 365 Portaltopic.

    Alternatively, you can use the proprietary Powershell script that eG Enterprise provides for this purpose. The script can be used to automatically create a new user and instantly assign the requisite permissions to that user, or grant the permissions to an existing user in a click. To know what script to use and how to use it, refer to theAutomatically Fulfilling Pre-requisites in a Basic Authentication-Enabled Environmenttopic.

  3. To enable the eG agent to monitor service health, Message Center communications, channels, chats, Teams communication, Yammer, and user activity, the Microsoft GraphApp needs to be registered on Azure Active Directory (AD), with the permissions listed in the table below:

    Permission Type

    API 

    Permissions

    Purpose

    Application Permissions

     

     

     

    Microsoft Graph 

     

     

     

    Calendars.ReadWrite

    Allows app to read and write calendars in all mailboxes

    Reports.Read.All

    Allows app to read all usage reports

    ServiceHealth.Read.All

    Allows app to read service health

    ServiceMessage.Read.All

    Allows app to read service messages

    User.Read.All

    Allows app to read the full profile of all users

    Mail.ReadWrite

    Allows app to read and write mail in all mailboxes

    Mail.Send

    Allows app to send mail as any user

    Channel.ReadBasic.All

    Allows app to read all channel names and channel descriptions, without a signed-in user

    Delegated Permissions

     

     

     

     

     

     

     

     

     

     

     

     

     

     

    Microsoft Graph

     

     

     

     

     

     

     

     

     

     

     

     

    Channel.Create

    Allows app to create channels

    ChannelMember.ReadWrite.All

    Allows app to add and remove channel members

    ChannelMessage.Read.All

    Allows app to read user channel messages

    ChannelMessage.Send

    Allows app to send channel messages

    ChannelSettings.ReadWrite.All

    Allows app to read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user.

    Chat.Create

    Allows app to create chats

    Chat.ReadWrite

    Allows app to read and write user chat messages

    ChatMember.ReadWrite

    Allows app to add and remove chat members

    ChatMessage.Send

    Allows app to send user chat messages

    Directory.ReadWrite.All

    Allows app to read and write data in your organization's directory, such as users, and groups

    Team.Create

    Allows app to create teams

    TeamMember.ReadWrite.All

    Allows app to add and remove members from teams, on behalf of the signed-in user.

    TeamSettings.ReadWrite.All

    Allows app to read and change all teams' settings, on behalf of the signed-in user.

    User.Read.All

    Allows app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.

    Microsoft Yammer API

     

    access_as_user

    Allows app to read/write to the Yammer platform

    user_impersonation

     

    eG Enterprise provides a proprietary Powershell script, which will automatically register a Microsoft Graph app on Microsoft Azure Active Directory, and auto-configure the app with all the permissions required for monitoring.

    To know how to use this script, refer to theAutomatically Fulfilling Pre-requisites in a Basic Authentication-Enabled Environment topic.

    On the other hand, if you choose not to use the script, then you have to manually fulfill each of the requirements described above. To know how, refer to theRegistering the Microsoft Graph App On Microsoft Azure Active Directorytopic.

    Note:

    Typically, tests that use Microsoft Graph API may not start reporting metrics right away. Sometimes, they may go without reporting metrics for over 48 hours. This is normal behavior, and it occurs because, Microsoft does not collect/refresh the metrics as frequently as the tests execute.

  4. In addition to the above, the tests that use the Microsoft Graph API will run and report metrics, only if the following files are available on the eG agent host:

    • Microsoft.IdentityModel.Clients.ActiveDirectory.dll

    • Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll

    • Microsoft.IdentityModel.Clients.ActiveDirectory.Platform

    • Microsoft.IdentityModel.Clients.ActiveDirectory

    To make these files available to the eG agent, do the following:

    1. Login to the eG agent host.

    2. Open a browser and then access the following Sharefile site: https://www.eginnovations.com/releases/v7210/

    3. Open the Supporting Files folder therein, and then open the Azure AD for O365 sub-folder within. Figure 1 will then appear listing the files that the eG agent requires for running the tests that use the Microsoft Graph API.

      Figure 1 : Supporting Files for Office 365 monitoring

    4. Download all the files displayed in Figure 1 to any location on the eG agent host.

    5. Then, copy the downloaded files to the C:\Program Files\WindowsPowerShell\Modules\AzureAD\2.0.2.182\ folder on the eG agent host.

    6. Once the files are successfully copied, check if they are blocked. If so, unblock them. To unblock, follow the steps below:

      • Open Windows Explorer and navigate to the C:\Program Files\WindowsPowerShell\Modules\AzureAD\2.0.2.182\ folder.

      • Right-click on any of the files in that folder, and select the Properties option from the shortcut menu that pops up.

      • Figure 2 will then appear.

        Figure 2 : Unblocking a file

      • To unblock the chosen file, select the Unblock check box in the Security section of Figure 2.

      • Finally, click the OK button in Figure 2 to save the changes.

      • Repeat steps 2-5 for each of the files in that folder.

  5. The Office 365 monitoring account should not be 2FA/ MFA enabled. This is because, the eG agent does not support 2FA/MFA presently.