---
title: Granting CloudMonitor access to Microsoft 365 data
canonical: "https://cloudmonitor.ai/docs/cloudmonitor-fabric-beta/granting-cloudmonitor-access-to-microsoft-365-data/"
description: "Authorize the optional CloudMonitor Beta Extended service principal to unlock Microsoft 365 usage, licensing, and security reporting."
---

CloudMonitor can also report on your **Microsoft 365** tenant — license usage,
Secure Score, and Teams activity — alongside your Azure costs. This is a
separate, **optional** grant from the core Azure access covered in
[Granting CloudMonitor access to your Azure environment](/docs/cloudmonitor-fabric-beta/granting-cloudmonitor-access-to-your-azure-environment/):
it uses its own service principal (SP), and skipping it has no effect on your
Azure cost reporting.

## What it is

Core CloudMonitor access runs through one multi-tenant service principal
(`cloudmonitor-beta`), covering Azure cost and reservation data. Microsoft 365
access runs through a **second, dedicated** multi-tenant service principal —
**`cloudmonitor-beta-extended`** — that only ever requests the additional
Microsoft Graph permissions listed below.

:::note[Why a second service principal]
Microsoft Graph application permissions are consented **all-or-nothing per app
registration** — there's no way for one app to let you grant some permissions
while declining others. Keeping the optional Microsoft 365 permissions on a
separate app means declining them never affects your core Azure access, and
accepting them never requires re-consenting the core app.
:::

## Is this required?

No. Microsoft 365 reporting is entirely optional. If you don't grant this
access, your Azure cost and reservation reporting works exactly as described
in the rest of this guide — you simply won't see Microsoft 365 usage,
licensing, or security data in your reports.

## How to grant access

:::note[Who needs to do this]
A **Cloud Application Administrator** (or **Global Administrator**) in your
Microsoft 365 tenant.
:::

Unlike the core Azure access, this grant is started from **inside the
CloudMonitor app**, not from this website or a link we email you.

1. In the CloudMonitor app, open the button for connecting Microsoft 365 data.
   It pre-fills your tenant ID and CloudMonitor's application (client) ID for
   the extended app, then opens Microsoft's admin consent screen.
2. Sign in with an administrator account and review the permissions listed
   (see [What CloudMonitor can see](#what-cloudmonitor-can-see) below).
3. Click **Accept**.

Because the app fills in both IDs for you, you don't need to look anything up
ahead of time. Afterward, you can find the resulting service principal under
**Microsoft Entra ID → Enterprise applications**, searching for its display
name, **`cloudmonitor-beta-extended`**.

## What CloudMonitor can see

Every permission below is a **read-only** Microsoft Graph **application**
permission — there is no write or management access anywhere in this grant.
CloudMonitor cannot post messages, create or modify teams, or read the
contents of mailboxes, files, or chats.

| Permission | Used for |
| --- | --- |
| **Reports.Read.All** | Microsoft 365 usage reports — active users, mailbox usage, OneDrive usage, SharePoint site activity, and Groups/Teams activity |
| **Directory.Read.All** | Subscribed license (SKU) counts |
| **SecurityEvents.Read.All** | Microsoft Secure Score and its breakdown scores |
| **SecurityAlert.Read.All** | Security alerts |
| **Team.ReadBasic.All** | Basic team properties (public/private team counts) |
| **Channel.ReadBasic.All** | Channel properties (standard/private/shared channel counts) |
| **CallRecords.Read.All** | Teams call counts (PSTN and direct routing) |
| **TeamMember.Read.All** | Team owner, member, and guest counts |

Each permission maps to one part of your Microsoft 365 reporting — declining
the whole grant simply means none of it populates; there's no partial or
broken state.

## What this unlocks

Once granted, CloudMonitor reads your Microsoft 365 usage, licensing, and
security-posture data into your isolated Fabric workspace, the same
per-customer, read-only model described in
[Architecture and data flow](/docs/cloudmonitor-fabric-beta/architecture-and-data-flow/).
This data doesn't carry a dollar amount — it's utilization, licensing, and
security posture, reported alongside your Azure cost data rather than folded
into it.

## Related

- [Granting CloudMonitor access to your Azure environment](/docs/cloudmonitor-fabric-beta/granting-cloudmonitor-access-to-your-azure-environment/) — the required core Azure access this optional grant sits alongside.
- [Architecture and data flow](/docs/cloudmonitor-fabric-beta/architecture-and-data-flow/) — how CloudMonitor reads your data read-only, per customer.
- [What data CloudMonitor can see](/docs/cloudmonitor-fabric-beta/what-data-cloudmonitor-can-see/) — the Azure cost datasets this Microsoft 365 grant sits alongside.
