> ## Documentation Index
> Fetch the complete documentation index at: https://support.configview.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Microsoft 365 setup

## Part 1: Microsoft 365 Data Ingestion

Set up a Microsoft 365 app so ConfigView can pull your Microsoft 365 data into the dashboard.

***

### Step 1: Create an App or Token

This setup explains how to register and configure an application in **Microsoft Entra ID (Azure AD)**.

1. Retrieve your Tenant ID.
2. Create a new App Registration in Azure AD for ConfigView.
3. Create a Client Secret for the application and copy its value.
4. Assign the required Read-Only permissions for Microsoft Graph APIs and Microsoft 365 data (Users, Groups).
5. Grant admin consent for the selected permissions.

***

### Step 2: Add the Token to ConfigView

1. Go to your ConfigView dashboard: `https://{companyname}.configview.com/admin/secret/`
2. Click **Add Secret**
3. Create the following secrets:
   * `MICROSOFT_CLIENT_ID`
   * `MICROSOFT_CLIENT_SECRET`
   * `MICROSOFT_TENANT_ID`
4. Click **Save**

***

### Step 3: Enable the Microsoft 365 App in ConfigView

1. Go to: `https://{companyname}.configview.com/admin/cron/`
2. You should see **Microsoft 365** in the list of available apps
3. Select the scripts you want to run.
4. Click **Save**

***

### Step 4: Verify

1. Go to: `https://{companyname}.configview.com/admin/status/`
2. Run the **Microsoft 365** health check.
3. All checks should pass.

If a check fails, verify that your secrets are saved correctly and the app has the required permissions.

***

### Required Microsoft Graph Permissions

All permissions below are **Application** (app-only) permissions, used with the client credentials flow. After adding any permission, click **Grant admin consent** in the Azure portal.

Only add the permissions for the scripts you intend to enable. Some endpoints additionally require an **Entra ID P2** license (noted below).

#### Core identity & inventory

| Script                          | Microsoft Graph permission                |
| ------------------------------- | ----------------------------------------- |
| `microsoft_get_users`           | `User.Read.All`                           |
| `microsoft_get_guest_users`     | `User.Read.All`                           |
| `microsoft_get_groups`          | `Group.Read.All`                          |
| `microsoft_get_groups_info`     | `Group.Read.All`                          |
| `microsoft_get_apps`            | `Application.Read.All`                    |
| `microsoft_get_apps_info`       | `Application.Read.All`                    |
| `microsoft_get_enterprise_apps` | `Application.Read.All`                    |
| `microsoft_get_devices`         | `Device.Read.All`                         |
| `microsoft_get_managed_devices` | `DeviceManagementManagedDevices.Read.All` |
| `microsoft_get_organization`    | `Organization.Read.All`                   |
| `microsoft_get_domains`         | `Domain.Read.All`                         |

#### Tenant settings & policy

| Script                                      | Microsoft Graph permission |
| ------------------------------------------- | -------------------------- |
| `microsoft_get_authorization_policy`        | `Policy.Read.All`          |
| `microsoft_get_auth_methods_policy`         | `Policy.Read.All`          |
| `microsoft_get_security_defaults_policy`    | `Policy.Read.All`          |
| `microsoft_get_cross_tenant_access_policy`  | `Policy.Read.All`          |
| `microsoft_get_conditional_access_policies` | `Policy.Read.All`          |
| `microsoft_get_named_locations`             | `Policy.Read.All`          |

#### Roles & PIM

| Script                           | Microsoft Graph permission                               |
| -------------------------------- | -------------------------------------------------------- |
| `microsoft_get_directory_roles`  | `RoleManagement.Read.Directory`                          |
| `microsoft_get_role_assignments` | `RoleManagement.Read.Directory`                          |
| `microsoft_get_pim_eligibility`  | `RoleManagement.Read.Directory` *(requires Entra ID P2)* |

#### Licenses & billing

| Script                               | Microsoft Graph permission                                  |
| ------------------------------------ | ----------------------------------------------------------- |
| `microsoft_get_subscriptions`        | `Directory.Read.All`                                        |
| `microsoft_get_subscribed_skus`      | `Organization.Read.All` *(or `LicenseAssignment.Read.All`)* |
| `microsoft_get_user_license_details` | `User.Read.All` *(or `LicenseAssignment.Read.All`)*         |

> Microsoft does not expose full invoice/payment billing through Graph. For invoices and usage charges, use the Microsoft 365 admin center or Partner Center APIs.

#### Mailboxes

| Script                           | Microsoft Graph permission                         |
| -------------------------------- | -------------------------------------------------- |
| `microsoft_get_mailbox_settings` | `MailboxSettings.Read`                             |
| `microsoft_get_message_rules`    | `MailboxSettings.Read` *(or `Mail.ReadBasic.All`)* |

#### OneDrive / SharePoint / external sharing

| Script                           | Microsoft Graph permission                                    |
| -------------------------------- | ------------------------------------------------------------- |
| `microsoft_get_user_drives`      | `Files.Read.All` *(or `Sites.Read.All`)*                      |
| `microsoft_get_sites`            | `Sites.Read.All`                                              |
| `microsoft_get_site_permissions` | `Sites.FullControl.All` *(required to read site permissions)* |

#### Audit & sign-ins

| Script                           | Microsoft Graph permission |
| -------------------------------- | -------------------------- |
| `microsoft_get_directory_audits` | `AuditLog.Read.All`        |
| `microsoft_get_sign_ins`         | `AuditLog.Read.All`        |

#### Security & identity protection

| Script                                        | Microsoft Graph permission                            |
| --------------------------------------------- | ----------------------------------------------------- |
| `microsoft_get_security_alerts`               | `SecurityAlert.Read.All`                              |
| `microsoft_get_security_incidents`            | `SecurityIncident.Read.All`                           |
| `microsoft_get_secure_scores`                 | `SecurityEvents.Read.All`                             |
| `microsoft_get_secure_score_control_profiles` | `SecurityEvents.Read.All`                             |
| `microsoft_get_risky_users`                   | `IdentityRiskyUser.Read.All` *(requires Entra ID P2)* |
| `microsoft_get_risk_detections`               | `IdentityRiskEvent.Read.All` *(requires Entra ID P2)* |
| `microsoft_get_user_auth_methods`             | `UserAuthenticationMethod.Read.All`                   |

#### Teams & communications

| Script                        | Microsoft Graph permission |
| ----------------------------- | -------------------------- |
| `microsoft_get_teams`         | `Team.ReadBasic.All`       |
| `microsoft_get_team_channels` | `Channel.ReadBasic.All`    |
| `microsoft_get_chats`         | `Chat.Read.All`            |
| `microsoft_get_call_records`  | `CallRecords.Read.All`     |

#### Intune device policies

| Script                                     | Microsoft Graph permission               |
| ------------------------------------------ | ---------------------------------------- |
| `microsoft_get_device_compliance_policies` | `DeviceManagementConfiguration.Read.All` |
| `microsoft_get_device_configurations`      | `DeviceManagementConfiguration.Read.All` |

> After granting any new permissions in Azure AD, restart the satellite (or wait for the next cron run) — tokens are cached per script invocation and will pick up the new scopes on the next run.

***

### Data Tables

Once the scripts run, the corresponding Microsoft 365 tables will be created in your database. All tables include a `run_at` column for historical tracking.
