Pre-requisites for Monitoring Office 365 Environments where Modern Authentication is Enabled

If Modern Authentication is enabled in your environment, then the following pre-requisites apply:

  1. The following modules/packages are required on the eG agent host:

    • A 64-bit version of the Microsoft Online Services Sign-in Assistant for IT Professionals RTW;
    • A 64-bit version of the Microsoft Azure Active Directory Module for Windows PowerShell;
    • Exchange Online Management Module, which is essential for monitoring Exchange Online;
    • SharePoint Online Management Shell, which is key for monitoring SharePoint Online;
    • Network Assessment Tool, which helps with Microsoft Teams / Skype for Business Online monitoring;
    • Microsoft Teams Module, which is important for Microsoft Teams monitoring;

    You can manually install these modules/packages on the eG agent host. To know how, refer to the Manually Installing Packages/Modules Required for Monitoring Office 365 Environments topic.

    Alternatively, you can use the proprietary PowerShell script that eG Enterprise provides to automatically install the above-mentioned modules/packages on the eG agent host. To know which script to use and how, refer to the Automatically Fulfilling Pre-requisites in a Modern Authentication-Enabled Environment topic.

  2. Where modern authentication is enabled, you need to enable certificate-based authentication for the monitored Office 365 tenant to ensure secure communication between the eG agent and that tenant. In certificate-based authentication, a digital certificate is used to identify a user, machine, or device before granting access to a resource, network, application, etc. eG Enterprise supports Azure AD certificate-based authentication. Azure AD certificate-based authentication (CBA) requires users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in. By enabling certificate-based authentication for an Office 365 tenant, you can have the eG agent access that tenant and its resources by identifying itself using an X.509 certificate.

    You can either manually enable certificate-based authentication for a tenant via the Office 365 portal, or do it automatically using PowerShell scripts that eG provides. For the manual procedure, refer to the Manually Enabling Certificate-based Authentication For an Office 365 Tenant topic. To know how to achieve the same automatically, refer to the Automatically Fulfilling Pre-requisites in a Modern Authentication-Enabled Environment topic.

  3. Some of the tests executed by the eG agent may use modern authentication to connect to Office 365, but may emulate user operations (using Microsoft Graph API) or mock a user's browser access for metrics collection. Such tests are as follows:

    | Component Name | Tests |
    |---|---|
    | Domain - Microsoft Teams, Microsoft Teams | Audio Streams, Video Streams, VBSS Streams, Feedback Summary, Calls Summary, Network Quality, Teams Operations, Chat Operations, Channel Operations |
    | Microsoft Exchange Online | Calendar Event Operations |
    | Microsoft Yammer | Yammer Logon Status, Yammer Operations |
    | O365 Synthetic Monitor | Teams Operations, Chat Operations, Channel Operations, Calendar Event Operations, Yammer Operations |
    | O365 Mail Sender, O365 Mail Receiver | O365 Mail Sender, O365 Mail Receiver |

    Because they support modern authentication, these tests will not need user credentials for connecting to Office 365. Once certificate-based authentication is enabled, the tests will be able to connect to Office 365 using just the tenant ID. However, after the connection is established, the tests will be able to gather the required metrics only if certain additional pre-requisites are fulfilled. The tests, their additional requirements, and how to fulfill these requirements, are described in the table below:

    Tests

    Additional Pre-requisite

    How to Fulfill Pre-requisite?

    Teams Operations, Chat Operations, Channel Operations, Calendar Event Operations, Yammer Logon Status, Yammer Operations

    The Microsoft Graph App needs to be registered on Azure Active Directory (AD), with the permissions listed in step 3 of the Pre-requisites for Monitoring Office 365 Environments where Basic Authentication is Enabled topic.

    Audio Streams, Video Streams, VBSS Streams, Feedback Summary, Calls Summary, Network Quality

    These tests need the credentials of a user who is assigned a valid Office 365 license with Microsoft Teams subscription and Exchange Online Mailbox subscription.

    O365 Mail Sender, O365 Mail Receiver

    To fulfill the first requirement:

    • Manually create a new sender and receiver mailbox on Exchange Online, for monitoring purposes; (OR)

    • Use existing mailboxes as a sender and a receiver for monitoring purposes;

    To fulfill the second requirement:

  4. In addition to the above, the tests that use the Microsoft Graph API will run and report metrics, only if the following files are available on the eG agent host:

    • Microsoft.IdentityModel.Clients.ActiveDirectory.dll

    • Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll

    • Microsoft.IdentityModel.Clients.ActiveDirectory.Platform

    • Microsoft.IdentityModel.Clients.ActiveDirectory

    To make these files available to the eG agent, follow the steps detailed in point 4 of the Pre-requisites for Monitoring Office 365 Environments where Basic Authentication is Enabled topic.
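
A pre-flight check for items 1 and 2 that can be run on the eG agent host, added here as an example and not part of eG Enterprise's own scripts. It covers only the packages that ship as PowerShell modules (not the Sign-in Assistant or the Network Assessment Tool); the module names are the ones Microsoft publishes for those packages, and the thumbprint placeholder and the assumption that the agent's certificate sits in a Windows "My" certificate store are assumptions, not taken from this page.

```powershell
param(
    # Placeholder: thumbprint of the certificate enabled for the tenant (assumed known).
    [string]$Thumbprint = '<CERTIFICATE-THUMBPRINT>',
    [int]$WarnDays = 30     # flag certificates that expire within this many days
)

# Module name -> package name as listed in item 1.
$requiredModules = [ordered]@{
    'MSOnline'                               = 'Azure Active Directory Module for Windows PowerShell'
    'ExchangeOnlineManagement'               = 'Exchange Online Management Module'
    'Microsoft.Online.SharePoint.PowerShell' = 'SharePoint Online Management Shell'
    'MicrosoftTeams'                         = 'Microsoft Teams Module'
}

function Test-RequiredModule {
    foreach ($name in $requiredModules.Keys) {
        # Newest installed version, if any.
        $found = Get-Module -ListAvailable -Name $name |
            Sort-Object Version -Descending | Select-Object -First 1
        [pscustomobject]@{
            Package   = $requiredModules[$name]
            Module    = $name
            Installed = [bool]$found
            Version   = if ($found) { $found.Version.ToString() } else { $null }
        }
    }
}

function Test-AgentCertificate([string]$Thumbprint, [int]$WarnDays) {
    $wanted = $Thumbprint -replace '\s', ''   # tolerate thumbprints pasted with spaces
    # Assumption: the certificate is in the machine or user "My" store on this host.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $wanted } | Select-Object -First 1
    if (-not $cert) { return [pscustomobject]@{ Found = $false } }
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Found         = $true
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey   # without it the host cannot prove possession
        NotYetValid   = (Get-Date) -lt $cert.NotBefore
        DaysLeft      = $daysLeft
        ExpiringSoon  = $daysLeft -lt $WarnDays
        KeyAlgorithm  = $cert.PublicKey.Oid.FriendlyName
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
    }
}

Test-RequiredModule | Format-Table -AutoSize | Out-Host
Test-AgentCertificate -Thumbprint $Thumbprint -WarnDays $WarnDays | Format-List | Out-Host
```

A missing module, `HasPrivateKey = False`, or a negative `DaysLeft` each explains a test that connects with nothing but the tenant ID on one agent host and fails on another.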