Part 1: Microsoft 365 Data Ingestion
Set up a Microsoft 365 app so ConfigView can pull your Microsoft 365 data into the dashboard.
Step 1: Create an App or Token
This setup explains how to register and configure an application in Microsoft Entra ID (Azure AD).
- Retrieve your Tenant ID.
- Create a new App Registration in Azure AD for ConfigView.
- Create a Client Secret for the application and copy its value.
- Assign the required Read-Only permissions for Microsoft Graph APIs and Microsoft 365 data (Users, Groups).
- Grant admin consent for the selected permissions.
Step 2: Add the Token to ConfigView
- Go to your ConfigView dashboard:
https://{companyname}.configview.com/admin/secret/
- Click Add Secret
- Create the following secrets:
MICROSOFT_CLIENT_ID
MICROSOFT_CLIENT_SECRET
MICROSOFT_TENANT_ID
- Click Save
Step 3: Enable the Microsoft 365 App in ConfigView
- Go to:
https://{companyname}.configview.com/admin/cron/
- You should see Microsoft 365 in the list of available apps
- Select the scripts you want to run.
- Click Save
Step 4: Verify
- Go to:
https://{companyname}.configview.com/admin/status/
- Run the Microsoft 365 health check.
- All checks should pass.
If a check fails, verify that your secrets are saved correctly and the app has the required permissions.
Required Microsoft Graph Permissions
All permissions below are Application (app-only) permissions, used with the client credentials flow. After adding any permission, click Grant admin consent in the Azure portal.
Only add the permissions for the scripts you intend to enable. Some endpoints additionally require an Entra ID P2 license (noted below).
Core identity & inventory
| Script | Microsoft Graph permission |
|---|---|
| microsoft_get_users | User.Read.All |
| microsoft_get_guest_users | User.Read.All |
| microsoft_get_groups | Group.Read.All |
| microsoft_get_groups_info | Group.Read.All |
| microsoft_get_apps | Application.Read.All |
| microsoft_get_apps_info | Application.Read.All |
| microsoft_get_enterprise_apps | Application.Read.All |
| microsoft_get_devices | Device.Read.All |
| microsoft_get_managed_devices | DeviceManagementManagedDevices.Read.All |
| microsoft_get_organization | Organization.Read.All |
| microsoft_get_domains | Domain.Read.All |
Tenant settings & policy
| Script | Microsoft Graph permission |
|---|---|
| microsoft_get_authorization_policy | Policy.Read.All |
| microsoft_get_auth_methods_policy | Policy.Read.All |
| microsoft_get_security_defaults_policy | Policy.Read.All |
| microsoft_get_cross_tenant_access_policy | Policy.Read.All |
| microsoft_get_conditional_access_policies | Policy.Read.All |
| microsoft_get_named_locations | Policy.Read.All |
Roles & PIM
| Script | Microsoft Graph permission |
|---|---|
| microsoft_get_directory_roles | RoleManagement.Read.Directory |
| microsoft_get_role_assignments | RoleManagement.Read.Directory |
| microsoft_get_pim_eligibility | RoleManagement.Read.Directory (requires Entra ID P2) |
Licenses & billing
| Script | Microsoft Graph permission |
|---|---|
| microsoft_get_subscriptions | Directory.Read.All |
| microsoft_get_subscribed_skus | Organization.Read.All (or LicenseAssignment.Read.All) |
| microsoft_get_user_license_details | User.Read.All (or LicenseAssignment.Read.All) |
Microsoft does not expose full invoice/payment billing through Graph. For invoices and usage charges, use the Microsoft 365 admin center or Partner Center APIs.
Mailboxes
| Script | Microsoft Graph permission |
|---|---|
| microsoft_get_mailbox_settings | MailboxSettings.Read |
| microsoft_get_message_rules | MailboxSettings.Read (or Mail.ReadBasic.All) |
OneDrive / SharePoint / external sharing
| Script | Microsoft Graph permission |
|---|---|
| microsoft_get_user_drives | Files.Read.All (or Sites.Read.All) |
| microsoft_get_sites | Sites.Read.All |
| microsoft_get_site_permissions | Sites.FullControl.All (required to read site permissions) |
Audit & sign-ins
| Script | Microsoft Graph permission |
|---|---|
| microsoft_get_directory_audits | AuditLog.Read.All |
| microsoft_get_sign_ins | AuditLog.Read.All |
Security & identity protection
| Script | Microsoft Graph permission |
|---|---|
| microsoft_get_security_alerts | SecurityAlert.Read.All |
| microsoft_get_security_incidents | SecurityIncident.Read.All |
| microsoft_get_secure_scores | SecurityEvents.Read.All |
| microsoft_get_secure_score_control_profiles | SecurityEvents.Read.All |
| microsoft_get_risky_users | IdentityRiskyUser.Read.All (requires Entra ID P2) |
| microsoft_get_risk_detections | IdentityRiskEvent.Read.All (requires Entra ID P2) |
| microsoft_get_user_auth_methods | UserAuthenticationMethod.Read.All |
Teams & communications
| Script | Microsoft Graph permission |
|---|---|
| microsoft_get_teams | Team.ReadBasic.All |
| microsoft_get_team_channels | Channel.ReadBasic.All |
| microsoft_get_chats | Chat.Read.All |
| microsoft_get_call_records | CallRecords.Read.All |
Intune device policies
| Script | Microsoft Graph permission |
|---|---|
| microsoft_get_device_compliance_policies | DeviceManagementConfiguration.Read.All |
| microsoft_get_device_configurations | DeviceManagementConfiguration.Read.All |
After granting any new permissions in Azure AD, restart the satellite (or wait for the next cron run) — tokens are cached per script invocation and will pick up the new scopes on the next run.
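A least-privilege check for the app registration, added here as an example (not ConfigView's own code): it decodes the `roles` claim of an app-only access token obtained through the client credentials flow and compares it with the permissions the enabled scripts need. `REQUIRED` copies a subset of the tables above; the function names and the sample token are constructed for illustration, and the read-only test is a naming heuristic.

```python
import base64
import json

# Subset of this page's script-to-permission tables (extend with the scripts you enable).
# Each script maps to the permissions that satisfy it; any one of them is enough.
REQUIRED = {
    "microsoft_get_users": {"User.Read.All"},
    "microsoft_get_groups": {"Group.Read.All"},
    "microsoft_get_sign_ins": {"AuditLog.Read.All"},
    "microsoft_get_user_drives": {"Files.Read.All", "Sites.Read.All"},
    "microsoft_get_site_permissions": {"Sites.FullControl.All"},
}

def token_roles(jwt):
    """Return the application permissions in the token's `roles` claim.
    Decodes the payload for inspection only; the signature is not verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def is_read_only(permission):
    """Heuristic (assumption): read-only names carry a Read or ReadBasic segment."""
    return bool({"Read", "ReadBasic"} & set(permission.split(".")))

def audit(enabled_scripts, roles):
    """Compare the granted roles with what the enabled scripts need."""
    accepted = set()
    missing = {}
    for script in enabled_scripts:
        accepted |= REQUIRED[script]
        if not REQUIRED[script] & roles:
            missing[script] = sorted(REQUIRED[script])
    return {
        "missing": missing,                  # scripts that will fail their calls
        "excess": sorted(roles - accepted),  # granted but unused: candidates to remove
        "not_read_only": sorted(r for r in roles if not is_read_only(r)),
    }

def sample_token(roles):
    """Build a constructed, unsigned token so the example runs offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg({"roles": roles}), "constructed"])

if __name__ == "__main__":
    token = sample_token(["User.Read.All", "Sites.FullControl.All", "Mail.ReadWrite"])
    report = audit(["microsoft_get_users", "microsoft_get_user_drives"], token_roles(token))
    print(json.dumps(report, indent=2))
```

Among the permissions listed in the tables above, `Sites.FullControl.All` is the only one this heuristic reports as not read-only, so enabling `microsoft_get_site_permissions` is the point at which the app registration stops being read-only.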
Data Tables
Once the scripts run, the corresponding Microsoft 365 tables will be created in your database. All tables include a run_at column for historical tracking.