Granting CloudMonitor access to Microsoft 365 data betafabric
CloudMonitor can also report on your Microsoft 365 tenant — license usage, Secure Score, and Teams activity — alongside your Azure costs. This is a separate, optional grant from the core Azure access covered in Granting CloudMonitor access to your Azure environment: it uses its own service principal (SP), and skipping it has no effect on your Azure cost reporting.
What it is
Section titled “What it is”Core CloudMonitor access runs through one multi-tenant service principal
(cloudmonitor-beta), covering Azure cost and reservation data. Microsoft 365
access runs through a second, dedicated multi-tenant service principal —
cloudmonitor-beta-extended — that only ever requests the additional
Microsoft Graph permissions listed below.
Is this required?
Section titled “Is this required?”No. Microsoft 365 reporting is entirely optional. If you don’t grant this access, your Azure cost and reservation reporting works exactly as described in the rest of this guide — you simply won’t see Microsoft 365 usage, licensing, or security data in your reports.
How to grant access
Section titled “How to grant access”Unlike the core Azure access, this grant is started from inside the CloudMonitor app, not from this website or a link we email you.
- In the CloudMonitor app, open the button for connecting Microsoft 365 data. It pre-fills your tenant ID and CloudMonitor’s application (client) ID for the extended app, then opens Microsoft’s admin consent screen.
- Sign in with an administrator account and review the permissions listed (see What CloudMonitor can see below).
- Click Accept.
Because the app fills in both IDs for you, you don’t need to look anything up
ahead of time. Afterward, you can find the resulting service principal under
Microsoft Entra ID → Enterprise applications, searching for its display
name, cloudmonitor-beta-extended.
What CloudMonitor can see
Section titled “What CloudMonitor can see”Every permission below is a read-only Microsoft Graph application permission — there is no write or management access anywhere in this grant. CloudMonitor cannot post messages, create or modify teams, or read the contents of mailboxes, files, or chats.
| Permission | Used for |
|---|---|
| Reports.Read.All | Microsoft 365 usage reports — active users, mailbox usage, OneDrive usage, SharePoint site activity, and Groups/Teams activity |
| Directory.Read.All | Subscribed license (SKU) counts |
| SecurityEvents.Read.All | Microsoft Secure Score and its breakdown scores |
| SecurityAlert.Read.All | Security alerts |
| Team.ReadBasic.All | Basic team properties (public/private team counts) |
| Channel.ReadBasic.All | Channel properties (standard/private/shared channel counts) |
| CallRecords.Read.All | Teams call counts (PSTN and direct routing) |
| TeamMember.Read.All | Team owner, member, and guest counts |
Each permission maps to one part of your Microsoft 365 reporting — declining the whole grant simply means none of it populates; there’s no partial or broken state.
What this unlocks
Section titled “What this unlocks”Once granted, CloudMonitor reads your Microsoft 365 usage, licensing, and security-posture data into your isolated Fabric workspace, the same per-customer, read-only model described in Architecture and data flow. This data doesn’t carry a dollar amount — it’s utilization, licensing, and security posture, reported alongside your Azure cost data rather than folded into it.
Related
Section titled “Related”- Granting CloudMonitor access to your Azure environment — the required core Azure access this optional grant sits alongside.
- Architecture and data flow — how CloudMonitor reads your data read-only, per customer.
- What data CloudMonitor can see — the Azure cost datasets this Microsoft 365 grant sits alongside.