Office 365 refers to the subscription plans offered by Microsoft that include access to Office applications and other productivity services that are enabled over the Internet (cloud services).
You can extract a list of Office 365 users and the subscriptions assigned to them using Movere. From the ‘Getting Started’ menu, select ‘First Scan’, then check the ‘Office365 Subscriptions’ option. Once you have selected this option, click the ‘Next’ button.
Two prerequisites must be installed on the device from which the Movere Console is run in order to extract Office 365 data. These can be accessed from the following links:
- Microsoft Online Services Sign-In Assistant: https://go.microsoft.com/fwlink/?linkid=2132622
- Azure Active Directory Module for Windows PowerShell: https://go.microsoft.com/fwlink/?linkid=2132439
Movere requires two connections to extract Office 365 data. The first connects to Azure Active Directory, while the second connects to Microsoft Online to gather subscription-level data. You will need to enter the user name and password of the Global Admin for the Office 365 subscription. If you are scanning multiple O365 subscriptions, you will need to enter the Global Admin credentials specific to each subscription.
Please ensure that multi-factor/two-factor authentication is disabled for any Global Admin account entered into the Console. Movere does not support multi-factor authentication at this time, and any O365 scan with this authentication enabled will fail.
It is also important to check any Windows Remote Management (WinRM) and/or group policies present on the machine running the console. It can be difficult to pinpoint the exact policies that could impact scanning, but it is common for remote connections to be blocked and/or user accounts prevented from accessing the O365 database due to WinRM policies and features. To troubleshoot this, install the Console on a workstation and re-run the scan from there. Workstations usually do not have the same WinRM policies as servers, and thus O365 scans can run more successfully from a workstation.
Troubleshooting Office 365 Scanning with Movere:
There are several aspects of an O365 scan that could cause failure. To start, confirm that the Office 365 credentials being leveraged are linked to a Global Admin user account and that multi-factor authentication (MFA) is disabled for the Global Admin user account. Movere does not support MFA for Office 365 scans at this time.
If you are using a Global Admin account with MFA disabled and the scans are still failing, the next things to check are the Windows Remote Management (WinRM) and group policies present on the machine running the console. It can be difficult to pinpoint the exact policy that would impact the scanning, but we have seen remote connections blocked and/or user accounts prevented from accessing the Office 365 database due to WinRM policies and features. To troubleshoot this, move the console folder to a workstation and re-run the scan from there. Workstations typically do not have the same WinRM policies that can inhibit Movere scanning Office 365.
Additionally, confirm that the Global Admin account has the PowerShell query permission enabled. The following articles provide further guidance on troubleshooting errors commonly seen when scanning Office 365:
- "Access is denied" error when you connect to Exchange Online by using remote Windows PowerShell
- Exchange Online Remote Powershell: "Access Denied"
- "Connect-MsolService: Exception of type was thrown" when you use the connect-MSOLService to connect to Office 365, Azure, or Intune
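
A pre-flight check covering the prerequisite and troubleshooting points above, written as an added example that is not part of Movere or its documentation. It assumes the MSOnline module from the prerequisites list is the one installed; the account name `admin@example.onmicrosoft.com` and all variable names are placeholders.

```powershell
# Added example: pre-flight checks for a Movere Office 365 scan.
# $AdminUpn is a placeholder; pass the Global Admin account entered in the Console.
param([string]$AdminUpn = 'admin@example.onmicrosoft.com')

# 1. Prerequisite: Azure Active Directory Module for Windows PowerShell (MSOnline).
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Write-Warning 'MSOnline module not found. Install both prerequisites first.'
    return
}
Import-Module MSOnline

# 2. WinRM client settings enforced by group policy on this machine.
#    The key is absent when no WinRM client policy is applied.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
$winrmPolicy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue |
    Select-Object * -ExcludeProperty PS*

# 3. Connect with the same credentials the Console will use.
#    A credential-only sign-in fails here if MFA is enforced on the account.
$cred = Get-Credential -UserName $AdminUpn -Message 'Global Admin for the subscription'
Connect-MsolService -Credential $cred -ErrorAction Stop

# 4. Confirm Global Admin membership.
#    'Company Administrator' is the name MSOnline uses for the Global Admin role.
$role = Get-MsolRole -RoleName 'Company Administrator'
$isGlobalAdmin = [bool](Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
    Where-Object { $_.EmailAddress -eq $AdminUpn })

# 5. Per-user MFA state. This does not reflect Conditional Access
#    policies or security defaults, which can also require MFA.
$user = Get-MsolUser -UserPrincipalName $AdminUpn
$mfaState = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
    $user.StrongAuthenticationRequirements[0].State
} else { 'Disabled' }

# Summary to attach to a support request or change record.
[pscustomobject]@{
    Account       = $AdminUpn
    IsGlobalAdmin = $isGlobalAdmin
    PerUserMfa    = $mfaState
    WinRMPolicy   = if ($winrmPolicy) { $winrmPolicy } else { 'No client policy key' }
}
```

Run it on the machine that hosts the Console, once per subscription, so the WinRM policy shown is the one the scan will actually run under.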