Intro

Lansweeper is a great IT assets management tool! This new feature was introduced in version 7.1. Scanning is done using Powershell cmdlets and provides you with data of organizations, domains, users, admins, password enforcement settings, groups, licenses, mailbox lists, ActiveSync devices and more. So it is nice to have it all in one console. Summary

Prerequisites

There are a few things you should do and check before implementing this feature. Requirements:

Beside those there are requirements which should apply to on-prem scanning server:

If you meet those requirements you will can proceed with configuration!

Scanning credentials

First things first, create account in your AD or Azure AD if you are not using hybrid environment. Funny thing, in official Lansweeper knowledge base they are recommending that the account you will be using to scan Office 365 should have tenant Global Administrator role assigned!😂
I think it is giant over-exaggeration!
Lets be smarter than that… As I mentioned before, if you applied any restrictions to Azure AD you need to add this account to built-in Azure AD role Directory readers or your custom role if you have.
This will be enough to fill tabs: Summary, Groups, Licenses, Users with data. The rest of the tabs (Mailboxes, Contacts, Active Sync Devices) is processed by Exchange Online cmdlets and to handle that you will need to create Management Role.

To do that you need to connect to Exchange Online with privileged credentials and then run this code:

New-ManagementRole "LanSweeperRole" -Parent "Mail Recipients"
Get-ManagementRoleEntry "LanSweeperRole\*" |`
    Where-Object { $PSItem.Name -notlike 'Get-mailbox' -or $PSItem.Name -notlike 'Get-mailContact' -or $PSItem.Name -notlike 'Get-MobileDevice' } |`
    ForEach-Object { Remove-ManagementRoleEntry -Identity "$($PSItem.id)\$($PSItem.name)" -Confirm:$false }
New-RoleGroup 'LanSweeperScan' -Role 'LanSweeperRole' -Member 'sa_Lansweeper_O365'

Thanks to that I’ve created new role which allows users assigned to group ‘LanSweeperScan’ to run only those three cmdlets: Get-Mailbox, Get-MailContact, Get-ActiveSyncDevice. And that will be enough to get things done! Contacts

Configurations in Lansweeper

Now that we’ve met all requirements we can proceed with configurations in Lansweeper Web Console. Those last steps are the easiest in whole process!

And you are ready to go

Pro tip

If you would like to check scanning credentials before configuring feature in production you can use great test tool which is located in Lansweeper installation on your server. […]\Lansweeper\Service\Lansweeper.TestTools.App TestTool

See you in next! 😉 🧠