If you want to use the M365Permissions module in unattended (or headless) mode, e.g. from a runbook or on a server as scheduled task, you’ll need to create an app registration in Entra with sufficient permissions to scan your tenant.
Setup instructions (automated)
- Install the module using
Install-Module-NameM365Permissions-Force - Load the module using
Import-Module-NameM365Permissions - Create a service principal using
Set-ScanPermissions -switchToSPNAuth -appName "M365Permissions (AppOnly)" - Run
Connect-M365 -ServicePrincipal - Start a scan (e.g. using
get-allM365Permissions) - Scroll down if you also want to scan PowerBI
Setup instructions (manual)
- Go to https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false
- Decide on a name and click Register
- Go to API permissions and enter as follows:
- Don’t forget to click ‘Grant admin consent’
- Note down the ‘Application (client) id’ and ‘Directory (tenant) id’ from the ‘Overview’ page
- run the new-SpnAuthCert command from the M365Permissions module, it will output a .cer file. Make sure to use the tenant ID from step 5.
- The PFX file has to be imported on any machine you wish to run the module on, except for the machine where you ran the new-SpnAuthCert command.
- Go to ‘Certificates & secrets’ and upload the .cer file
- Go to the Roles and Administrators in Entra and select the Global Administrator role.
- Add the new app registration to the global administrator role:
- Run set-M365PermissionsConfig -LCTenantId <tenant ID> -LCClientId <client id> with the values from step 5 to configure the module to use your new SPN to log in.
- Alternatively, you can configure the LCTENANTID and LCCLIENTID environment variables with above information.
- If you also configure the LCAUTHMODE environment variable with a value of “ServicePrincipal”, the module will log in to your tenant fully automatically the moment it is imported.
- If you’re running interactively, you can now use connect-M365 -ServicePrincipal before running a scan to use the SPN instead of delegated authentication
Scanning PowerBI
If you also want to include PowerBI in your scans, you’ll have to authorize the service principal.
PFX certificate location
If you want to run from an automation account, Azure function etc, for now you’ll have to retrieve the .pfx file dynamically and install it before the module loads because the module looks in the local certificate store for a certificate with your tenant ID as subject.
I will consider adding support for Managed Identities in the future to make this simpler, and possibly also add keyvault integration or direct path configuration an option.
Restrictions
When scanning as service principal, you cannot scan:
- Graph Subscriptions
- PowerBI Gateways
You’ll see a warning in the logs about this as they’ll automatically be excluded.
Setup instructions (automated)
to be added in a future version
