Office 365 Configuration
Integration of Microsoft Office 365 with the Binadox SaaS and IaaS usage monitoring and cost optimization platform allows you to get Office 365 spend and utilization insights and usage analysis of Office 365 features on a per-user basis, as well as to receive cost optimization recommendations. Additionally, if you have a single sign-on (SSO) method enabled, Binadox will discover applications used by employees in your enterprise that are authenticated to via SSO. The system will notify you of discovered applications available for integration with Binadox to receive their usage and spend data.
For Application Discovery with Office 365, you require Azure Active Directory Premium P1 or P2 licenses.
This guide provides step-by-step instructions on how to integrate Microsoft Office 365 with Binadox. To successfully connect Binadox with your Office 365 account, the following parameters are required: a Tenant domain, an Application ID and a Client Secret of an application registered with Azure Active Directory, and login credentials. For safety reasons, create a new user and assign him a restricted role with limited access to your Microsoft tenant. There are two options to generate the required parameters:
Option 1. Use Windows PowerShell. Download and unzip the script file. Run it using the PowerShell commands. PowerShell will automatically generate all the required parameters (see Clause 1 for step-by-step instructions).
Option 2. On the Microsoft Azure portal, register the Binadox application. In the Microsoft 365 admin center, create a new user to represent Binadox and assign him a restricted role with limited access to your Microsoft tenant (see Clause 2 for step-by-step instructions).
Cost optimization and usage monitoring are available only for paid Office 365 subscriptions.
Option 1. PowerShell
1.1 Change a PowerShell Execution Policy
1. Download the file. Extract the .ps1 file from the zipped file.
5. The default execution policy for Windows client computers is Restricted. To see the effective execution policy for the current session, use the
Get-ExecutionPolicy cmdlet. To allow running unsigned script files, change the Restricted execution policy into Unrestricted. Use the
Set-ExecutionPolicy Unrestricted cmdlet. Choose the Yes option by typing Y. Press Enter.
1.2 Run the Script
Make sure to extract the .ps1 file from the zipped file. Type
./Bin_v0.3.ps1 (the name of the downloaded file with the
./ prefix, with or without the .ps1 extension). Press Enter.
1.3 Install the NuGet Provider
In case the NuGet Provider has not been installed on your Windows computer, the prompt message will require you to do so. To allow the PowerShellGet module to install and import the NuGet provider, choose the Yes option by typing Y. Press Enter.
1.4 Copy Generated Parameters
1.5 Return the Default Execution Policy
Option 2. Azure AD and Microsoft 365 Admin Center
2.1 Register Binadox with Azure AD
To register Binadox with Azure Active Directory, you need a subscription to Office 365 and a subscription to Azure associated with the Office 365 subscription.
1. Sign in to the Microsoft Azure portal as a global administrator using credentials of your Microsoft tenant that has the subscription to Office 365 you wish to use for Binadox spend and usage optimization.
2. In the navigation pane on the left, click All services > Identity > Azure Active Directory. Use the search bar, if necessary.
4. Fill in the following fields in the registration form:
• Enter an application name in the Name field (e.g. Binadox).
• Check the Accounts in the organizational directory only checkbox in the Supported account types field.
• In the Redirect URI (optional) section, select Web in the drop-down list. Enter the following URL:
6. In the navigation pane, choose API permissions. Under API/Permissions name, click Microsoft Graph. On the Request API permissions page that opens, choose Delegated permissions, scroll down the permissions list and choose AuditLog. Select the AuditLog.Read.All checkbox. Then scroll down, choose Directory and select the Directory.Read.All checkbox. Choose User and select User.Read. Click Update permissions.
2.2 Add a New Office 365 User with Security Reader Permissions
For safety reasons, you may create a new user in the Microsoft 365 admin center and assign him a restricted role with limited access to your Microsoft tenant.
1. Sign in to the Microsoft 365 admin center as a global administrator.
3. Fill in all the required fields in the Add user form.
– Enter a display name and a username.
– Choose the required Password settings.
– Leave Require this user to change their password when they first sign in unchecked (so you do not have to log in to the Azure portal as a new user and create a new password to activate the account).
9. To specify the permission levels of the new user, click …Show all in the navigation pane on the left to open up the Admin centers section. Go to Security & Compliance.
10. You will be redirected to the Office 365 Security & Compliance dashboard. In the navigation pane on the left, click Permissions. Select the Security Reader check-box in the list of role group names. In the Security Reader view that opens on the right, go to Members and click Edit.
2.3 Disable Multi-Factor Authentication
Multi-Factor Authentication enabled for the user may disrupt the connection with Binadox. To disable it, do the following:
1. Log into the Microsoft Azure portal as a global administrator. In the navigation pane on the left, go to Azure Active Directory > Users.
3. You will be redirected to the Multi-Factor Authentication view. Put the tick mark next to the name of the required user. In the appeared menu to the right, click the Disable option in the Quick Steps section. Click Yes in the appeared window to confirm the action.
2.4 Locate Integration Data on the Azure Portal
1. To find the Tenant domain, Application ID and Client Secret, sign in to the Microsoft Azure portal as a global administrator. Navigate to Azure Active Directory.
2. To locate the Tenant domain, click Custom domain names. Copy your tenant domain from the Name field (e.g. organization.onmicrosoft.com). You may also hover the mouse pointer over the profile information at the top right corner of the menu bar to see the tenant domain.
3. To locate an Application (client) ID, click Azure Active Directory > App registrations in the navigation pane on the left. Click on the name of the Binadox application. To quickly locate it, type in its name in the search bar.
3. Create New Connection for Office 365 in Binadox
1. Log into your Binadox account.
2. In the navigation pane on the left, click Integrations. Proceed to the SaaS tab. Click on the Office 365 icon. To quickly locate Office 365 in the list of available applications, type in its name in the search bar or use an alphabetical filter by clicking on the first letter of an application name, i.e. O.
4. Fill in the required fields with parameters genereated automatically in PowerShell (see Clause 1 for step-by-step instructions) or manually on the Microsoft Azure portal and in the Microsoft 365 Admin Center (see Clause 2 for step-by-step instructions). Click Connect.
5. You will be redirected to the Microsoft login page.
Admin permissions are required to grant Binadox access to read usage and cost data in the account. For this purpose, log in with administrator credentials.