Integrating Lansweeper and Office 365

2 minute read

Intro

Lansweeper is a great IT assets management tool! This new feature was introduced in version 7.1. Scanning is done using Powershell cmdlets and provides you with data of organizations, domains, users, admins, password enforcement settings, groups, licenses, mailbox lists, ActiveSync devices and more. So it is nice to have it all in one console. Summary

Prerequisites

There are a few things you should do and check before implementing this feature. Requirements:

  • Lansweeper 7.1 or above - I recommend installing the newest update which is 7.2 it was released on 7th of September
  • Azure AD account - which credentials will be used for scanning. Also this account cannot be included in MFA policy in your organization
  • If you restrictions to view Azure AD by users you may need to exclude this scanning account from policy.
  • Account should have assigned permissions to use Exchange Online cmdlets. But we will get back to that later.

Beside those there are requirements which should apply to on-prem scanning server:

  • Your Lansweeper scanning server must be able to access the Internet to connect to your Office 365 environment. A connection is made to outlook.office365.com.
  • Your Lansweeper scanning server must be running Windows 7 or a more recent operating system.
  • Your Lansweeper scanning server must have a 64-bit architecture.
  • Your Lansweeper scanning server must have PowerShell version 5. If you only just installed this PowerShell version, make sure to reboot your machine.
  • Your Lansweeper scanning server’s WinRM client configuration must have Basic authentication enabled.
  • Your Lansweeper scanning server must be configured to allow scripts that are signed by a trusted publisher.

If you meet those requirements you will can proceed with configuration!

Scanning credentials

First things first, create account in your AD or Azure AD if you are not using hybrid environment. Funny thing, in official Lansweeper knowledge base they are recommending that the account you will be using to scan Office 365 should have tenant Global Administrator role assigned!😂
I think it is giant over-exaggeration!
Lets be smarter than that… As I mentioned before, if you applied any restrictions to Azure AD you need to add this account to built-in Azure AD role Directory readers or your custom role if you have.
This will be enough to fill tabs: Summary, Groups, Licenses, Users with data. The rest of the tabs (Mailboxes, Contacts, Active Sync Devices) is processed by Exchange Online cmdlets and to handle that you will need to create Management Role.

To do that you need to connect to Exchange Online with privileged credentials and then run this code:

New-ManagementRole "LanSweeperRole" -Parent "Mail Recipients"
Get-ManagementRoleEntry "LanSweeperRole\*" |`
    Where-Object { $PSItem.Name -notlike 'Get-mailbox' -or $PSItem.Name -notlike 'Get-mailContact' -or $PSItem.Name -notlike 'Get-MobileDevice' } |`
    ForEach-Object { Remove-ManagementRoleEntry -Identity "$($PSItem.id)\$($PSItem.name)" -Confirm:$false }
New-RoleGroup 'LanSweeperScan' -Role 'LanSweeperRole' -Member 'sa_Lansweeper_O365'

Thanks to that I’ve created new role which allows users assigned to group ‘LanSweeperScan’ to run only those three cmdlets: Get-Mailbox, Get-MailContact, Get-ActiveSyncDevice. And that will be enough to get things done! Contacts

Configurations in Lansweeper

Now that we’ve met all requirements we can proceed with configurations in Lansweeper Web Console. Those last steps are the easiest in whole process!

  • Go to scanning targets Config-1
  • Click on ‘Add Scanning Target’. You will see new window where you will be able to provide created scanning credentials Config-2

And you are ready to go!

Pro tip

If you would like to check scanning credentials before configuring feature in production you can use great test tool which is located in Lansweeper installation on your server. […]\Lansweeper\Service\Lansweeper.TestTools.App TestTool

See you in next! 😉 🧠

Leave a comment