How do I allow OpsCompass to do advanced Microsoft 365 analysis?

After connecting your account for basic Microsoft 365 monitoring and compliance analysis, you have the option to provide a read-only user that OpsCompass can use to monitor additional resources and policies. Follow these steps to grant access.

Overview of steps required: 

1.) Create a user with the “Global Reader” role in your tenant
2.) Log in as that user to reset the password on first login
3.) Provide OpsCompass the username and password
4.) Add our scanning host as a “Trusted IP” in your MFA settings (if needed)


1.) Create a user with the "Global Reader" Role in your tenant: 

1a.) Click on "Users" from your Azure Active Directory (Azure AD)

1b.) Click "New User"

1c.) Enter a "User Name" (copy this user name for later use)

1d.) Click "Let me create the password" and enter a password (you will change it at first login in a minute, but make sure you remember it!)

1e.) Assign the Role: "Global Reader" to the user

1f.) Click "Create"


2.) Log in to portal.azure.com with the new user and password

2a.) Using the user name that was just created, log in to Azure (portal.azure.com)

2b.) Enter the password from step 1 and, if prompted, create a new password. (Copy this new password for later use. If you are not prompted for a new password, continue to use the password created in step 1 above and ignore this step.)


3.) Navigate back to OpsCompass and provide the user name and password to initialize the advanced scan

3a.) Paste in the user name created in step 1

3b.) Paste in the new password created in step 2

3c.) Click "Connect"


4.) Add our scanning host as a “Trusted IP” if your company requires MFA. This allows OpsCompass to sign in as the new user.

4a.) Click on "Users" from your Azure Active Directory (Azure AD)

4b.) Click on "Multi-Factor Authentication" 

4c.) Click on "service settings" (yes, that is actually a link!)  

4d.) Check the box to "Skip multi-factor authentication for requests from federated users on the internet"

4e.) Paste in the IP range used by OpsCompass: 168.61.182.210/32

4f.) Click "save"


OpsCompass will now begin scanning.

Please note that it can sometimes take Azure up to 30 minutes to apply the MFA settings change from step 4, and OpsCompass will not be able to finalize the scan until that has taken place.
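
Because step 3 shares this account's password with OpsCompass and step 4 exempts 168.61.182.210/32 from MFA, sign-ins by the account from any other address are worth reviewing. The example below is added here and is not OpsCompass code: it checks exported Azure AD sign-in records for such sign-ins. The account name and the sample records are constructed, and a JSON export using the Microsoft Graph signIn field names is assumed.

```python
import ipaddress
import json

# Step 4e of this page: the address OpsCompass scans from.
TRUSTED_RANGE = ipaddress.ip_network("168.61.182.210/32")
# Hypothetical UPN for the Global Reader user created in step 1.
SCAN_ACCOUNT = "opscompass-reader@contoso.example"

# Constructed sample records (not real logs). Field names follow the
# Microsoft Graph signIn resource; errorCode 0 means the sign-in succeeded.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2020-03-05T10:00:00Z", "ipAddress": "168.61.182.210",
  "userPrincipalName": "opscompass-reader@contoso.example", "status": {"errorCode": 0}},
 {"createdDateTime": "2020-03-05T11:30:00Z", "ipAddress": "203.0.113.45",
  "userPrincipalName": "OpsCompass-Reader@contoso.example", "status": {"errorCode": 0}},
 {"createdDateTime": "2020-03-05T11:31:00Z", "ipAddress": "198.51.100.7",
  "userPrincipalName": "opscompass-reader@contoso.example", "status": {"errorCode": 50126}},
 {"createdDateTime": "2020-03-05T12:00:00Z", "ipAddress": "203.0.113.45",
  "userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0}},
 {"createdDateTime": "2020-03-05T12:05:00Z", "ipAddress": "",
  "userPrincipalName": "opscompass-reader@contoso.example", "status": {"errorCode": 0}}
]""")


def unexpected_signins(records, account=SCAN_ACCOUNT, trusted=TRUSTED_RANGE):
    """Return sign-ins by the scan account that came from outside the trusted range."""
    findings = []
    for rec in records:
        if (rec.get("userPrincipalName") or "").lower() != account.lower():
            continue  # only the shared read-only account is in scope
        raw_ip = rec.get("ipAddress") or ""
        try:
            inside = ipaddress.ip_address(raw_ip) in trusted
        except ValueError:
            inside = False  # missing or malformed address: report it
        if not inside:
            findings.append({
                "time": rec.get("createdDateTime"),
                "ip": raw_ip,
                "succeeded": (rec.get("status") or {}).get("errorCode") == 0,
            })
    return findings


if __name__ == "__main__":
    for finding in unexpected_signins(SAMPLE_SIGNINS):
        print(finding)
```

A finding with `succeeded` set to true is the case to look at first, since it means the password was accepted from an address other than the scanning host.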