
Microsoft 365 Integration

tip

This guide should only be performed once per Microsoft 365 Tenant.
The App Registration should be created in the same tenant where your Microsoft 365 licenses are managed.

important

To enable Microsoft 365 license optimization, you must grant admin consent for all of the permissions listed in Step 2 below: Directory.Read.All, Agreement.Read.All, AuditLog.Read.All, Reports.Read.All, Sites.Read.All, TermStore.Read.All, DeviceManagementApps.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementServiceConfig.Read.All, eDiscovery.Read.All, InformationProtectionPolicy.Read, and SecurityEvents.Read.All. Until admin consent is granted, the App Registration cannot read any of this data.

This guide will walk you through the process of creating an Azure App Registration for Chronom's M365 integration in your Azure Tenant.

Prerequisites

In order to create a new Azure App Registration, you need the following prerequisites:

  • An Active Azure Tenant.
  • The following Microsoft Entra ID permissions:
    • microsoft.directory/applications/createAsOwner
    • microsoft.directory/oAuth2PermissionGrants/createAsOwner
    • microsoft.directory/servicePrincipals/createAsOwner
    • microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin
    The first three are included in the Application Administrator role. The last one is what the "Grant admin consent" step needs for Microsoft Graph application permissions, and it is held by the Global Administrator and Privileged Role Administrator roles; Application Administrator (and Cloud Application Administrator) can consent to delegated permissions but not to Microsoft Graph application permissions.
  • If you have Conditional Access policies enabled, ensure they do not block the App Registration: policies that target users apply to any user sign-in through the app, and workload identity policies apply to the service principal's own client-credentials sign-in, which is how the application permissions are used.
    (Please contact our support for more information)

Step 1: Create the App Registration

  1. Browse to the Application Registration Creation page in the Azure Portal.
    (Make sure you are logged in to the correct Azure Tenant)

    tip

    If the link does not work, you can navigate to the Entra ID service and click on the App registrations section inside Azure Portal,
    then click on the + New registration button.

  2. Fill in the following details:

    • Name: Chronom Read-Only App Registration
    • Supported account types: Accounts in this organizational directory only (<Your Tenant> only - Single tenant)
    • Redirect URI:
      • Platform: web
      • URI: https://app.chronom.ai
    • Click on the Register button.

    Create App Registration

  3. Once the App Registration is created, take note of the following details:

    • Application (client) ID
    • Directory (tenant) ID

    App Registration Details

    note

    After the initial creation, a matching enterprise application (service principal) is created automatically in your tenant. To configure API permissions and client secrets, you need to navigate to the App Registration. You can find it by going to Entra ID → App registrations → Chronom Read-Only App Registration, or by staying on the current page after registration.


Step 2: Configure API Permissions

  1. Navigate to the API permissions section under Manage in the left-hand menu.

    API Permissions

  2. Click on the + Add a permission button and select Microsoft Graph from the list of APIs.

    Add Microsoft Graph Permission

  3. First, add the Delegated permission. Select Delegated permissions, search for User.Read, select it under the User category, and click Add permissions.

    Select Delegated Permissions

  4. Next, add all Application permissions. For each permission in the list below, repeat these steps:

    • Click + Add a permission → select Microsoft Graph → select Application permissions
    • Search for the permission name, select it, and click Add permissions

    Select Application Permissions

    Add the following Application permissions:

    #   Permission                                Category                        Purpose
    1   Directory.Read.All                        Directory                       Read directory data for license mapping
    2   Agreement.Read.All                        Policy                          Read organizational agreements
    3   AuditLog.Read.All                         AuditLogs                       Read audit log data
    4   Reports.Read.All                          Reports                         Read usage reports for license optimization
    5   Sites.Read.All                            Sites                           Read SharePoint site metadata
    6   TermStore.Read.All                        TermStore                       Read term store data
    7   DeviceManagementApps.Read.All             DeviceManagementApps            Read Intune app deployments
    8   DeviceManagementConfiguration.Read.All    DeviceManagementConfiguration   Read Intune configuration profiles
    9   DeviceManagementManagedDevices.Read.All   DeviceManagementManagedDevices  Read Intune managed device inventory
    10  DeviceManagementServiceConfig.Read.All    DeviceManagementServiceConfig   Read Intune service configuration
    11  eDiscovery.Read.All                       eDiscovery                      Read eDiscovery cases and holds
    12  InformationProtectionPolicy.Read          InformationProtectionPolicy     Read sensitivity labels and policies
    13  SecurityEvents.Read.All                   SecurityEvents                  Read security alerts from Defender

    tip

    You can add multiple permissions in a single pass: after clicking + Add a permission → Microsoft Graph → Application permissions, search for and check several permissions before clicking Add permissions. This is faster than adding them one at a time.

  5. After adding all permissions, your API permissions list should show 1 Delegated permission and 13 Application permissions - all under Microsoft Graph.

Do Not Skip - Grant Admin Consent

After adding all permissions, you must click the Grant admin consent for <Your Tenant> button at the top of the permissions list, then confirm by clicking Yes. If the button is disabled, the signed-in account does not have the permission to grant consent for Microsoft Graph application permissions (see Prerequisites).

Grant Admin Consent

Without this step, none of the permissions will take effect. The Status column for each permission must show a green checkmark with "Granted for <Your Tenant>" - not a yellow warning icon. If you see warning icons, admin consent has not been granted.

This is the most commonly missed step during onboarding. Please verify the status of every permission before proceeding.


Step 3: Generate Client Secret

  1. Navigate to the Certificates & secrets section under Manage in the left-hand menu.

    Certificates & Secrets

  2. Click on the + New client secret button under the Client secrets tab and fill in the following details:

    • Description: Chronom Read-Only Secret
    • Expires: 730 days (24 months). Record the expiry date: before it is reached, a new secret must be created and entered in Chronom, otherwise the integration stops authenticating.
    • Click on the Add button.

    Create Client Secret

  3. Once the secret is created, take note of the Value as it will be used to authenticate the App Registration in Chronom.

    danger

    Handle with Extreme Care!
    The Client Secret is a highly sensitive credential: together with the Application ID and Tenant ID, it gives read access to your directory, audit logs, usage reports, Intune, eDiscovery and Defender data.
    Store it in a secure location and only enter it via Chronom's Integrations Page.
    Chronom will never ask you for your Client Secret via email or any other communication channel.
    Do not share your Client Secret with anyone else.

    note

    The Client Secret is only displayed once after creation.

    Client Secret Value


Step 4: Connect to Chronom

  1. In a new tab, navigate to Chronom's Integrations Page and click on the + Add a new Tenant button.

    Add New Tenant

  2. Fill in the details and click on the Save button:

    • Tenant Name: The name of the Azure Tenant where the App Registration was created.
    • Tenant ID: The Directory (tenant) ID of the App Registration.
    • Application ID: The Application (client) ID of the App Registration.
    • Client Secret: The Value of the Client Secret created in the previous step.

    Add Tenant Details


Complete Scripts

For convenience, here are the complete scripts that combine all steps above.

The Azure Portal method does not have a combined script. Please follow the step-by-step instructions above.
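As an added example that is not Chronom's own script, the block below performs Steps 1 to 3 with the Microsoft Graph PowerShell SDK and then checks programmatically that the admin consent required in Step 2 is in place. The application name, redirect URI, permission list and 24-month secret lifetime are the values from the steps above; the module name (Microsoft.Graph), the requirement that the signed-in user holds Global Administrator or Privileged Role Administrator, and the names of the output properties are assumptions made for this example, not Chronom requirements.

```powershell
# Added example (not Chronom's own script). Performs Steps 1-3 with the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and verifies the admin consent from Step 2.
# Assumption: run as a user who can grant admin consent for Microsoft Graph application
# permissions (Global Administrator or Privileged Role Administrator) in the correct tenant.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

$ErrorActionPreference = 'Stop'

$AppName     = 'Chronom Read-Only App Registration'
$RedirectUri = 'https://app.chronom.ai'
$GraphAppId  = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app ID

$DelegatedScopes  = @('User.Read')
$ApplicationRoles = @(
    'Directory.Read.All', 'Agreement.Read.All', 'AuditLog.Read.All', 'Reports.Read.All',
    'Sites.Read.All', 'TermStore.Read.All', 'DeviceManagementApps.Read.All',
    'DeviceManagementConfiguration.Read.All', 'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementServiceConfig.Read.All', 'eDiscovery.Read.All',
    'InformationProtectionPolicy.Read', 'SecurityEvents.Read.All'
)

# Delegated scopes this script needs for itself (not the permissions granted to Chronom).
$AdminScopes = @('Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All',
                 'DelegatedPermissionGrant.ReadWrite.All')
Connect-MgGraph -Scopes $AdminScopes -NoWelcome

# Resolve permission names to IDs on the Microsoft Graph service principal of this tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$roleIds = @{}
foreach ($name in $ApplicationRoles) {
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Application permission '$name' not found on Microsoft Graph" }
    $roleIds[$name] = $role.Id
}
$scopeIds = @{}
foreach ($name in $DelegatedScopes) {
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
    if (-not $scope) { throw "Delegated permission '$name' not found on Microsoft Graph" }
    $scopeIds[$name] = $scope.Id
}
$resourceAccess = @($roleIds.Values  | ForEach-Object { @{ Id = $_; Type = 'Role' } }) +
                  @($scopeIds.Values | ForEach-Object { @{ Id = $_; Type = 'Scope' } })

# Step 1: single-tenant registration with the web redirect URI, plus its service principal.
$app = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @($RedirectUri) } `
    -RequiredResourceAccess @(@{ ResourceAppId = $GraphAppId; ResourceAccess = $resourceAccess })
$sp = New-MgServicePrincipal -AppId $app.AppId

# Step 2: tenant-wide admin consent. Application permissions are app role assignments on the
# service principal; the delegated permission is an oauth2PermissionGrant for all users.
foreach ($id in $roleIds.Values) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $id | Out-Null
}
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope ($DelegatedScopes -join ' ') | Out-Null

# Verify: every application permission must have a granted assignment, which is what the
# portal shows as the green "Granted for <Your Tenant>" check mark.
$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object AppRoleId)
$missing = @($ApplicationRoles | Where-Object { $granted -notcontains $roleIds[$_] })
if ($missing.Count -gt 0) { throw "Admin consent missing for: $($missing -join ', ')" }

# Step 3: client secret with a 24-month lifetime. SecretText is returned only once.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Chronom Read-Only Secret'
    EndDateTime = (Get-Date).AddMonths(24)
}

# Values for Step 4. Enter the secret only in Chronom's Integrations Page; do not log or mail it.
[pscustomobject][ordered]@{
    TenantId      = (Get-MgContext).TenantId
    ApplicationId = $app.AppId
    SecretExpires = $secret.EndDateTime
    ClientSecret  = $secret.SecretText
}
```

Run the script in a PowerShell 7 session; the final object carries the Tenant ID, Application ID and Client Secret that Step 4 asks for, and the expiry date to put in your rotation calendar. If the verification throws, the listed permissions are the ones that still show the warning icon in the App Registration's API permissions blade, so re-run the Grant admin consent step as an account with the role named in Prerequisites.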


Next Steps

After adding your Azure Tenant and saving the details, Chronom will begin scanning your Microsoft 365 environment for license optimization opportunities.