Skip to content

Granting CloudMonitor access to Microsoft 365 data betafabric

CloudMonitor can also report on your Microsoft 365 tenant — license usage, Secure Score, and Teams activity — alongside your Azure costs. This is a separate, optional grant from the core Azure access covered in Granting CloudMonitor access to your Azure environment: it uses its own service principal (SP), and skipping it has no effect on your Azure cost reporting.

Core CloudMonitor access runs through one multi-tenant service principal (cloudmonitor-beta), covering Azure cost and reservation data. Microsoft 365 access runs through a second, dedicated multi-tenant service principal — cloudmonitor-beta-extended — that only ever requests the additional Microsoft Graph permissions listed below.

No. Microsoft 365 reporting is entirely optional. If you don’t grant this access, your Azure cost and reservation reporting works exactly as described in the rest of this guide — you simply won’t see Microsoft 365 usage, licensing, or security data in your reports.

Unlike the core Azure access, this grant is started from inside the CloudMonitor app, not from this website or a link we email you.

  1. In the CloudMonitor app, open the button for connecting Microsoft 365 data. It pre-fills your tenant ID and CloudMonitor’s application (client) ID for the extended app, then opens Microsoft’s admin consent screen.
  2. Sign in with an administrator account and review the permissions listed (see What CloudMonitor can see below).
  3. Click Accept.

Because the app fills in both IDs for you, you don’t need to look anything up ahead of time. Afterward, you can find the resulting service principal under Microsoft Entra ID → Enterprise applications, searching for its display name, cloudmonitor-beta-extended.

Every permission below is a read-only Microsoft Graph application permission — there is no write or management access anywhere in this grant. CloudMonitor cannot post messages, create or modify teams, or read the contents of mailboxes, files, or chats.

PermissionUsed for
Reports.Read.AllMicrosoft 365 usage reports — active users, mailbox usage, OneDrive usage, SharePoint site activity, and Groups/Teams activity
Directory.Read.AllSubscribed license (SKU) counts
SecurityEvents.Read.AllMicrosoft Secure Score and its breakdown scores
SecurityAlert.Read.AllSecurity alerts
Team.ReadBasic.AllBasic team properties (public/private team counts)
Channel.ReadBasic.AllChannel properties (standard/private/shared channel counts)
CallRecords.Read.AllTeams call counts (PSTN and direct routing)
TeamMember.Read.AllTeam owner, member, and guest counts

Each permission maps to one part of your Microsoft 365 reporting — declining the whole grant simply means none of it populates; there’s no partial or broken state.

Once granted, CloudMonitor reads your Microsoft 365 usage, licensing, and security-posture data into your isolated Fabric workspace, the same per-customer, read-only model described in Architecture and data flow. This data doesn’t carry a dollar amount — it’s utilization, licensing, and security posture, reported alongside your Azure cost data rather than folded into it.