How do I obtain credentials and set permissions for the Microsoft 365 Mailbox sensor?

Votes:

0

I want to set up the Microsoft 365 Mailbox sensor to monitor my Microsoft 365 mailbox. For this sensor to work, I have to define credentials for Microsoft 365 in my PRTG installation and set permissions for Microsoft Graph.

Where do I get these credentials? How do I set the required permission?

api azure credentials microsoft-365 office-365 permissions prtg

Created on Jul 6, 2022 1:47:32 PM



6 Replies

Accepted Answer

Votes:

0

This article applies as of PRTG 22


Important: If you want to use the Microsoft 365 Service Status sensor or the Microsoft 365 Service Status Advanced sensor, see How do I obtain credentials and set permissions for the Microsoft 365 Service Status sensors?


Credentials for Microsoft 365 and permissions for Microsoft Graph

Before you can set up the Microsoft 365 Mailbox sensor, you need to define credentials for Microsoft 365 in the settings of a parent object.

The credentials you need are the Tenant ID, the Client ID, and the Client Secret. You obtain the credentials in the Microsoft Azure Portal or through the Microsoft Entra admin center. There you can also set the permission that the Microsoft 365 Mailbox sensor requires to read data from Microsoft Graph.


The following step-by-step guide shows you how to obtain the necessary credentials and how to set the required API permission.

Log in to the Microsoft Azure Portal and follow the steps below:

  • Step 1: Get the client ID and the tenant ID
  • Step 2: Get the client secret
  • Step 3: Set the permission for Microsoft Graph

Step 1: Get the client ID and the tenant ID

Take the following steps to register your application with Microsoft Entra ID to be assigned a client ID. You can use either the Azure Portal or the Microsoft Entra admin portal. The only difference is how you navigate to App registrations:

Using the Azure Portal: Open Microsoft Entra ID in the Microsoft Azure Portal and go to the App registrations tab.

Using the Microsoft Entra admin center: Go to the App registrations tab under Applications.

  1. Click New registration to open the Register an application dialog.
  2. Under Redirect URI (optional), select Web and enter the DNS name or IP address of your PRTG web server according to the following pattern: https://yourprtgserver/ms365.htm
    For more information, see the PRTG Manual: Microsoft 365 Mailbox sensor.

    Note: There are specific rules for the redirect URI.

  3. Click Register to register the new application.
  4. The Overview tab of the newly registered application opens.
  5. Copy the Application (client) ID and the Directory (tenant) ID and enter them in the credentials for Microsoft 365 section in the settings of the device, group, or probe in or on which you plan to add the sensors.

Step 2: Get the client secret

Take the following steps to create an application password, also known as client secret.

  1. Go to the Certificates & secrets tab.
  2. Click New client secret to open the Add a client secret dialog.
    1. Enter a Description, for example, Microsoft 365 Client Secret.
    2. Select a period after which the client secret expires.
    3. Click Add to create and display the new client secret for your application.
  3. Copy the client secret to enter it in the credentials for Microsoft 365 section of the object for which you already added the tenant ID and client ID.

    Important: Make sure that you directly copy the client secret after you created it. If you leave the page, the client secret is not shown anymore. You have to create a new client secret.

Step 3: Set the permission for Microsoft Graph

Take the following steps to set the required permission for the Microsoft 365 Mailbox sensor to be able to query data from Microsoft Graph.

  1. Go to the API permissions tab.
  2. Click Add a permission to open the Request API permissions dialog.
    1. Select the Microsoft Graph tile.
    2. Click Delegated permissions.
    3. Enable the check box next to the following permissions:
      • Mail.Read
      • Mail.Read.Shared
      • offline_access
      • User.Read
    4. Click Add permissions to add the required permission.

You can now create the Microsoft 365 Mailbox sensor.



Created on Jul 11, 2022 9:44:11 AM

Last change on Nov 15, 2023 10:47:07 AM by  Jacqueline Conforti [Paessler Support]



Votes:

0

Hi,

I have made the settings exactly as specified. Unfortunately, I cannot get any further.

When I want to add the sensor in PRTG, I get a popup which asks me for the Microsoft OAuth consent. And no matter what I type in, User, Exchange-Admin, GlobalAdmin, I always get the error message:

M365 Authorization failed.

What could be the problem here?

Created on Nov 8, 2022 12:52:48 PM



Votes:

0

Hello Rene,

Have you tried using the account with which you set up the app registration in Azure?


Kind regards,
Sasa Ignjatovic, Tech Support Team

Created on Nov 11, 2022 12:15:41 PM by  Sasa Ignjatovic [Paessler Support]



Votes:

0

Yes, I did.

Created on Nov 14, 2022 2:57:31 PM



Votes:

0

Hello Rene,

In that case I would suggest that you open a support ticket so that we can have a closer look at the issue.


Kind regards,
Sasa Ignjatovic, Tech Support Team

Created on Nov 15, 2022 9:17:09 AM by  Sasa Ignjatovic [Paessler Support]



Votes:

0

Heads up: I had the following error when trying to log in while creating a new sensor: "Microsoft 365 Authorization Failed".

This had to do with the webserver running on port 8443 internally while being hosted on 443 externally. When visiting the site via https://monitor.ourcompany.com:8443 we were able to add the sensor. (Note: this should also be added as an allowed Redirect URL on Azure: https://monitor.company.com:8443/ms365.htm)

Created on Nov 30, 2022 11:05:06 AM
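
The port mismatch described in the reply above, checked against the redirect URI pattern from Step 1, as an added example that is not part of the original thread and not Paessler code. The host prtg.example.com and all function names are constructed, and the script assumes that the callback is built from the address in the browser when the sensor is added.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/ms365.htm"   # from the pattern https://yourprtgserver/ms365.htm
DEFAULT_PORTS = {"https": 443, "http": 80}

def parts(uri):
    """Split a URI into (scheme, host, effective port, path).
    Assumption: an omitted port means the scheme's default port."""
    u = urlsplit(uri)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    return scheme, host, u.port or DEFAULT_PORTS.get(scheme), u.path

def expected_callback(browser_url):
    """Assumption: the callback is built from the scheme, host and port in the
    address bar when the sensor is added, plus the fixed path."""
    u = urlsplit(browser_url)
    return f"{u.scheme}://{u.netloc}{CALLBACK_PATH}"

def check_redirect(browser_url, registered_uris):
    """Return a list of findings; an empty list means a registered URI matches."""
    wanted = expected_callback(browser_url)
    scheme, host, port, path = parts(wanted)
    findings = []
    if scheme != "https" and host != "localhost":
        findings.append(f"{wanted}: redirect URIs must use https")
    registered = [parts(r) for r in registered_uris]
    if (scheme, host, port, path) in registered:
        return findings
    for r_scheme, r_host, r_port, r_path in registered:
        if (r_scheme, r_host) != (scheme, host):
            continue
        if r_path == path and r_port != port:
            findings.append(f"port mismatch: registered {r_port}, browser uses {port}")
        elif r_port == port and r_path.lower() == path.lower():
            findings.append(f"path case differs: registered {r_path}, expected {path}")
    return findings or [f"no registered redirect URI matches {wanted}"]

if __name__ == "__main__":
    # Constructed sample: published on 443, web server listening on 8443.
    registered = ["https://prtg.example.com/ms365.htm"]
    for url in ("https://prtg.example.com/", "https://prtg.example.com:8443/"):
        print(url, "->", check_redirect(url, registered) or "OK")
```

Register only the exact callback URIs that are actually used to reach the PRTG web server, and remove entries that are no longer needed.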




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.