How do I allow OpsCompass to do advanced Microsoft 365 analysis?

After connecting your account for basic Microsoft 365 monitoring and compliance analysis you have the option to provide a read only user that OpsCompass can use to monitor additional resources and policies. Follow these steps to grant access.

Overview of steps required: 

1.) Create a user with the “Global Reader” role in your tenant
2.) Log in as that user--to reset password on first login
3.) Provide OpsCompass the username and password
4.) Add our scanning host as a “Trusted IP” in your MFA settings (if needed)

1.) Create a user with the "Global Reader" Role in your tenant: 

1a.) Click on "Users" from your Azure Active Directory (Azure AD)

1 mfa-1

1b.) Click "New User"

Screen Shot 2020-03-04 at 4.34.43 PM

1c.) Enter a "User Name" (copy this user name for later use)

1d.) Click "Let me create the password" and enter a password (this will be changed on first log in - in a minute, but make sure you remember it!)

1e.) Assign the Role: "Global Reader" to the user

1f.) Click "Create"

1 create user

2.) Log in to with the new user and password

2a.) Using the user name that was just created log into Azure (

2b.) Enter the password from step 1 and if prompted, create a new password. (copy this new password for later use... if you are not promoted for a new password then continue to use the password created in step 1 above and ignore this step)

2 create user

3.) Navigate back to OpsCompass to provide the user name and password in order to initialize the advanced scan 

3a.) Paste in the user name created in step 1

3b.) Paste in the new password created in step 2

3c.) Click "Connect"

3 create user

4.) Add our scanning host as a “Trusted IP” if your company requires MFA -  this will allow OpsCompass the ability to access the new user. 

4a.) Click on "Users" from your Azure Active Directory (Azure AD)

1 mfa-1

4b.) Click on "Multi-Factor Authentication" 

2 mfa

4c.) Click on "service settings" (yes, that is actually a link!)  

3 mfa

4d.) Check the box to "Skip multi-factor authentication for requests from federated users on the internet"

4e.) Paste in the IP range used by OpsCompass:

4f.) Click "save"

4 mfa


OpsCompass will now begin scanning.

Please note that it can sometimes take Azure up to 30 minutes to implement the change in MFA setting from step 4 and OpsCompass will not be able to finalize the scan until that has taken place.