Manual Setup - Microsoft 365 Continuous Scanning

Manually register an Azure app and configure the Mondoo Microsoft 365 integration. Most users should use the automated setup instead; choose the manual path when you need full control or your environment requires it.

Prerequisites

If you don't have the Azure CLI yet
  1. Install the Azure CLI.
  2. Log in from PowerShell or a Linux/macOS shell:
    az login --allow-no-subscriptions
    Azure opens your browser for sign-in.

Register an Azure app for Mondoo

Continuous M365 scanning requires a Microsoft Entra ID app registration. The registration creates a service principal that represents Mondoo in your tenant.

The setup is four steps: register the app, grant Microsoft Graph permissions, assign the Global Reader role, and upload an authentication certificate.

Step A: Register the app

  1. Log into the Azure portal with one of the required roles above.

  2. Open Microsoft Entra ID > App registrations.

  3. Select + New registration.

  4. Name the app mondoo-m365, select Accounts in this organizational directory only, and select Register. No redirect URI is needed.

Azure creates the application ID and shows it on the overview page. Keep this page open for the next steps.

Step B: Grant Microsoft Graph API permissions

  1. In the navigation sidebar, select API permissions.

    By default, Microsoft grants your new application User.Read permission for Microsoft Graph. It's not required for Mondoo, so you can remove it.

  2. Select + Add a permission.

  3. From the list of Commonly used Microsoft APIs, select Microsoft Graph.

  4. Because Mondoo acts as a service, select Application permissions.

  5. Select expand all to see all permissions. Then select the required API permissions:

    Microsoft Graph                          Type         Description
    IdentityProvider.Read.All                Application  Read identity providers
    Policy.Read.All                          Application  Read your organization's policies
    Policy.Read.ConditionalAccess            Application  Read your organization's conditional access policies
    Policy.Read.PermissionGrant              Application  Read consent and permission grant policies
    SecurityActions.Read.All                 Application  Read your organization's security actions
    SecurityEvents.Read.All                  Application  Read your organization's security events
    DeviceManagementConfiguration.Read.All   Application  Read Microsoft Intune device configuration and policies
    AuditLog.Read.All                        Application  Read all audit log data
    Directory.Read.All                       Application  Read directory data

  6. Select the Add permissions button.

  7. Grant Mondoo read permissions for SharePoint.

    SharePoint APIs          Type         Description
    Sites.FullControl.All    Application  Have full control of all site collections

  8. Select the Add permissions button.

  9. Grant Mondoo read permissions for Office 365 Exchange Online. You need to search in APIs my organization uses.

    Office 365 Exchange Online   Type         Description
    Exchange.ManageAsApp         Application  Run Exchange Online commands as if Mondoo was an administrator account

  10. To complete the process, select Grant admin consent for (your tenant name) and select the Yes button to confirm.

Step C: Assign the Global Reader role

  1. In the Entra ID portal, go to Identity (Roles & admins).

  2. Search for Global Reader and select the role name (not the checkbox). The Assignments page opens.

  3. Select + Add assignments, find the mondoo-m365 app, and assign it the Global Reader role.

  4. Return to the Assignments page, select Refresh, and confirm the role is assigned.

Step D: Create and upload the authentication certificate

Mondoo authenticates with a PEM certificate. You upload the certificate only to Azure, and the certificate plus private key to Mondoo. The PEM file you upload to Mondoo must use this format and order, with no password protection:

-----BEGIN PRIVATE KEY-----
key goes here
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
certificate goes here
-----END CERTIFICATE-----

Generate a self-signed certificate for testing

For testing only, generate a certificate with OpenSSL. Run in a Linux shell, macOS shell, or Azure Cloud Shell:

openssl req -newkey rsa:4096 -x509 -sha512 -days 365 -nodes -out certificate.pem -keyout privatekey.key

Combine the key and certificate:

cat privatekey.key certificate.pem > certificate.combo.pem

For Windows, see this simple OpenSSL installer.
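As an added example (not from the Mondoo docs), the script below generates the test certificate with the same OpenSSL settings as above, assembles certificate.combo.pem with the key first, and checks the file against the requirements stated on this page (unencrypted PRIVATE KEY block first, CERTIFICATE block second, key matching the certificate, certificate not close to expiry) before you upload it. The subject name /CN=mondoo-m365 and the 30-day expiry warning are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the Mondoo docs: build the combined PEM the
# Mondoo integration expects and verify it before uploading.
set -eu

# Generate a self-signed test certificate as the page does (rsa:4096, sha512,
# 365 days, no passphrase) and concatenate key first, certificate second.
# $1 is a working directory; the subject /CN=mondoo-m365 is an assumption.
make_combo_pem() {
  local dir=$1
  openssl req -newkey rsa:4096 -x509 -sha512 -days 365 -nodes \
    -subj "/CN=mondoo-m365" \
    -out "$dir/certificate.pem" -keyout "$dir/privatekey.key" 2>/dev/null
  cat "$dir/privatekey.key" "$dir/certificate.pem" > "$dir/certificate.combo.pem"
  printf '%s\n' "$dir/certificate.combo.pem"
}

# Return 0 only if $1 meets the page's requirements for the Mondoo upload:
# the first block is an unencrypted "PRIVATE KEY", a CERTIFICATE block follows,
# the key matches the certificate, and the certificate stays valid for more
# than $2 days (default 30, an assumption that leaves time to renew).
check_combo_pem() {
  local pem=$1 warn_days=${2:-30} first key_line cert_line key_pub cert_pub
  first=$(grep -- '-----BEGIN' "$pem" | head -n1)
  [ "$first" = "-----BEGIN PRIVATE KEY-----" ] \
    || { echo "first block must be an unencrypted PRIVATE KEY"; return 1; }
  key_line=$(grep -n -- '-----BEGIN PRIVATE KEY-----' "$pem" | cut -d: -f1)
  cert_line=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$pem" | cut -d: -f1)
  [ -n "$cert_line" ] && [ "$key_line" -lt "$cert_line" ] \
    || { echo "a CERTIFICATE block must follow the key"; return 1; }
  # openssl reads the first block of the requested type, so the combined file
  # can be passed to both commands; the public keys they yield must be equal.
  key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] \
    || { echo "private key does not match the certificate"; return 1; }
  # The integration stops working at expiry: fail while there is time to renew.
  openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) >/dev/null \
    || { echo "certificate expires within $warn_days days; renew it"; return 1; }
}

# Demo on a constructed test certificate in a temporary directory.
workdir=$(mktemp -d)
combo=$(make_combo_pem "$workdir")
check_combo_pem "$combo" && echo "OK: $combo is ready to upload to Mondoo"
```

Run check_combo_pem against any PEM you are about to upload to Mondoo; a file containing only the certificate (the one meant for Azure) fails the first check, as does a file with the blocks in reverse order.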

Upload the certificate (only) to Azure:

  1. From the Azure portal home, go to Microsoft Entra ID > App registrations > your app.

  2. In the sidebar, select Certificates & secrets.

  3. Select Certificates > Upload certificate.

  4. Select the PEM file containing only the certificate (not the private key), enter a description such as Mondoo certificate, and select Add.

    Be sure to upload the file with only the certificate. The combined key-and-certificate file is for Mondoo, not Azure.

Add the Microsoft 365 integration in Mondoo

You need these values from the Azure app registration you created:

  • Application (client) ID
  • Directory (tenant) ID
  • The combined PEM file (private key + certificate)

In the Mondoo App, navigate to the space where you want to add the integration. In the side navigation bar, select Integrations. In the top right, select + INSTALL. On the integrations page, find the integration you want by browsing or searching by name:

  1. Under SaaS, select Microsoft 365.

  2. In Choose an integration name, enter a name that identifies the tenant.

  3. Paste the Application (client) ID and Directory (tenant) ID in their respective boxes.

  4. Choose which subscriptions to scan:

    • All in the tenant. Leave Scan all subscriptions connected to the directory (tenant) ID enabled.
    • Allow list. Disable the toggle, select Allow list, and enter subscription IDs (one per line).
    • Deny list. Disable the toggle, select Deny list, and enter the subscriptions to skip.
  5. Upload the combined PEM file (private key plus certificate) in the Drag and drop your .pem file here box.

  6. Select START SCANNING.

On the Recommended Policies page, enable the policies you want Mondoo to score this integration against. To learn how policies work, read Manage Policies.

Didn't get the expected results? Read Test and Troubleshoot Microsoft 365 Configuration.

Renew the application certificate

The certificate has a 1-year default lifetime. When it expires, the integration stops working.

  1. In the Azure portal, navigate to the app registration you created and copy the application ID.

  2. In Azure Cloud Shell, run:

    az ad app credential reset --id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX --create-cert

  3. Download the new certificate from Cloud Shell's Manage files button.

  4. In the Mondoo App, edit the M365 integration and upload the new certificate.

  5. Save the updated configuration.
