Adding the Microsoft 365 Integration and Its Associated Insights

Overview

The Microsoft 365 connection in Block 64 enables secure, read-only access to Microsoft 365 tenant data.

This integration collects licensing, security, and usage metrics to provide detailed insights into license allocation, adoption trends, and security posture.

Once connected, the data collected from this integration appears in the following Block 64 Insights reports:

  • Reports → SaaS → Licensing – Displays license allocation, usage, and related costs.

  • Reports → Cloud → Microsoft Secure Scores – Shows security score metrics for evaluating organizational security.

  • Reports → SaaS → Usage – Tracks user activity trends, adoption metrics, and inactive accounts.

The credentials needed for this Integration

To set up this integration, you’ll need:

  • A Microsoft 365 account with Global Administrator or another role authorized to grant tenant-wide permissions.

  • The ability to approve delegated permissions for the M365 Connection (Read-Only) app.

For ease of use, we recommend using a credential that has the Global Administrator role. If you would prefer to use a credential without the Global Administrator role, the Administrative Roles and Graph API Permissions section at the end of this page lists the minimum roles and permissions required to conduct a comprehensive inventory of your M365 data.

How to add this Integration

  1. In the Block 64 portal, navigate to Integrations → Microsoft 365.

  2. Enter your Global Admin account and click on Connect.

  3. Sign in with a Microsoft 365 account that has the required admin role.

  4. On the Permissions requested screen for M365 Connection (Read-Only), review and approve the following access:

  5. Select Consent on behalf of your organization to prevent other admins from needing to approve the app separately.
  6. Click Accept to authorize the integration.
  7. Upon acceptance, you will be redirected to insights.block64.com where you will be notified of the connection.

  8. The connection will be activated shortly, and Microsoft 365 data will begin appearing in your SaaS reports within a few hours.

Security & Privacy

  • All access is read-only. Block 64 cannot make changes to your Microsoft 365 environment.

  • No email or document contents are accessed; only metadata required for licensing, usage, and security reporting is collected.

  • Data is handled in compliance with Block 64’s Privacy Policy and Microsoft’s Terms of Service.

  • Permissions can be reviewed or revoked at any time in Microsoft 365 Enterprise Applications settings.


Why is this Integration failing?

If the integration isn’t working, it’s usually because the correct permissions haven’t been granted, the consent has expired, or Microsoft Entra ID (Azure AD) security policies are blocking the connection.

To fix this:

  • Reconnect using an account with the appropriate admin role and grant all requested permissions.

  • Select Consent on behalf of your organization during setup.

  • In Microsoft 365 Enterprise Applications, confirm that M365 Connection (Read-Only) is still authorized.

How to remove this Integration

From Block 64:

You can disable this integration temporarily by clicking on the Enable switch in the integration.

Alternatively, you can disconnect the integration entirely by clicking on the Disconnect button.

From Microsoft 365:

  1. Sign in to the Microsoft Entra admin center.

  2. Navigate to Enterprise Applications.

  3. Search for and select M365 Connection (Read-Only).

  4. Choose Delete to remove the app and revoke all permissions.

Administrative Roles and Graph API Permissions

Firstly, ensure the credential has the following administrative roles assigned:

  • Reports Reader
  • Application Administrator
  • Global Reader
  • Teams Administrator

Secondly, ensure the credential has the following Graph API permissions:

Get User

/me Directory.Read.All

Get Users

/users Directory.Read.All (AuditLog.Read.All for signInActivity)

Get Groups

/groups Directory.Read.All

Get Licenses

/subscribedSkus Directory.Read.All

Get Mailboxes

/reports/getMailboxUsageDetail Reports.Read.All

Get Secure Scores

/security/secureScores SecurityEvents.Read.All

Get Secure Score Control Profiles

/security/secureScoreControlProfiles SecurityEvents.Read.All

Get Organization

/organization Directory.Read.All

Get User Activation Usage

/reports/getOffice365ActivationsUserDetail Reports.Read.All

Get Teams Usage

/reports/getTeamsUserActivityUserDetail Reports.Read.All

Get SharePoint Usage

/reports/getSharePointActivityUserDetail Reports.Read.All

Get OneDrive Usage

/reports/getEmailActivityUserDetail Reports.Read.All

Get Outlook Usage

/reports/getEmailActivityUserDetail Reports.Read.All

Get M365 App User Details

/reports/getM365AppUserDetail Reports.Read.All

Get SharePoint Sites

/sites?search=* Sites.Read.All

Get SharePoint Drives

/sites/{site_id}/drive Files.Read.All

Get SharePoint Drive Items

/sites/{site_id}/drive/list/items Files.Read.All

Get SharePoint Drive Item Permissions

/sites/{site_id}/drive/items/{item_id}/permissions Files.Read.All

Get User's OneDrive

/users/{user_id}/drives Files.Read.All

Get OneDrive Drive Items

/drives/{drive_id}/list/items Files.Read.All

Get OneDrive Drive Item Permissions

/drives/{drive_id}/items/{item_id}/permissions Files.Read.All

Get PSTN Calls

/communications/callRecords/getPstnCalls CallRecords.Read.All

Get Sensitivity Labels

/security/informationProtection/sensitivityLabels InformationProtectionPolicy.Read.All
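
The following is an added example, not Block 64's own code: it compares the delegated grants recorded for the M365 Connection (Read-Only) enterprise application with the permissions listed above, reporting scopes that are missing (a common cause of a failing connection), scopes outside the documented list, and any write-capable scope. The sample grant, the allowance for standard sign-in scopes, and the write-marker heuristic are assumptions constructed for illustration; permissions granted as application roles are not covered.

```python
import json

# Permissions named in the list above (taken from this page).
DOCUMENTED = {
    "Directory.Read.All", "AuditLog.Read.All", "Reports.Read.All",
    "SecurityEvents.Read.All", "Sites.Read.All", "Files.Read.All",
    "CallRecords.Read.All", "InformationProtectionPolicy.Read.All",
}
# Assumption: standard sign-in scopes that may accompany a delegated consent.
SIGN_IN = {"openid", "profile", "email", "offline_access", "User.Read"}
# Heuristic (assumption): substrings of scope names that permit changes.
WRITE_MARKERS = ("ReadWrite", ".Write", ".Send", ".Manage", "FullControl")


def audit_grants(grants):
    """Compare oauth2PermissionGrant objects for one app with the documented list."""
    granted, tenant_wide = set(), False
    for g in grants:
        # "scope" is a space-separated string; split() tolerates extra spaces.
        granted.update(g.get("scope", "").split())
        # "AllPrincipals" means consent was given on behalf of the organization.
        tenant_wide |= g.get("consentType") == "AllPrincipals"
    return {
        "tenant_wide_consent": tenant_wide,
        "missing": sorted(DOCUMENTED - granted),
        "unexpected": sorted(granted - DOCUMENTED - SIGN_IN),
        "write_capable": sorted(s for s in granted
                                if any(m in s for m in WRITE_MARKERS)),
    }


# Constructed sample in the shape Microsoft Graph returns for
# GET /oauth2PermissionGrants?$filter=clientId eq '<service principal id>'
SAMPLE = json.loads("""
{"value": [
  {"clientId": "00000000-0000-0000-0000-000000000001",
   "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "00000000-0000-0000-0000-000000000002",
   "scope": "openid profile offline_access Directory.Read.All AuditLog.Read.All Reports.Read.All SecurityEvents.Read.All Sites.Read.All Files.ReadWrite.All Mail.Read"}
]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE["value"]), indent=2))
```

An empty `unexpected` and `write_capable` result is what the read-only description on this page implies; anything listed there warrants a review of the application's consent in Enterprise Applications.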