365 Analytics Reporting uses a service account to collect data from O365 tenants. Service accounts are used to collect data via PowerShell in cases where data can’t be collected via GraphAPI.
This article explains how to create a Read-Only Administrator account in Office 365 for use with 365 Analytics.
It is important that you complete all the steps. Service account can be created via:
- PowerShell
- Microsoft 365 Admin Center
It is recommended that you use the PowerShell method, as this contains less steps, however at the bottom of this article you can also find some steps on how to do this via the Admin Portal.
Your organization will not be charged by Microsoft for this account as it does not require an Office 365 license.
Creating the Service Account using PowerShell
Connecting to Office 365
Before we begin, you need to install the “Microsoft Online Service Module” onto your machine.
Now open up Windows PowerShell and Copy & Paste in the following commands to connect to Office 365.
Please enter the username and password of an Office 365 Administrator account when prompted.
$Office365credentials = Get-Credential Import-Module MSOnline Connect-MsolService -Credential $Office365credentials
Creating the Service Account
Now that you are connected to Office 365 in PowerShell, we can create the Service account.
Modify the line below and set the company.onmicrosoft.com part to match your own Office 365 .onmicrosoft.com domain and replace the password with a secure password of your own. We recommend a password of 10 characters or more that includes a mixture of capital and lower case letters, numbers and special characters.
New-MSolUser -DisplayName "Service Account for 365 Analytics" -UserPrincipalName "365Analytics@company.onmicrosoft.com" -Password "Password123" -PasswordNeverExpires $true -ForceChangePassword $false
Next we need to add our new account to the ‘Global reader’. You can do this by copying and pasting the following line into the PowerShell window.
Remember to set the company.onmicrosoft.com part to match your Office 365 domain name
Add-MSOLRoleMember –RoleName "Global reader" –RoleMemberEmailAddress 365Analytics@company.onmicrosoft.com
NOTE: You will not receive any confirmation if the commands are successful.
You can check if the service account was set correctly by running PowerShell commands below:
$role = Get-MsolRole -RoleName "Global reader" Get-MsolRoleMember -RoleObjectId $role.ObjectId
Creating the Service Account via the Microsoft 365 Admin Center
You can also create the service account via the Microsoft 365 Admin Center, however you would still need to run a final PowerShell cmdlet to ensure that the password does not expire.
- On the Admin home page, go to Users -> Active users and click on the “Add a user” button
- Enter a Display Name (“Service Account for 365 Analytics”)
- Enter a User Name (“365Analytics”)
- Ensure that the domain is the company.onmicrosoft.com one
- Select “Let me create a password” and enter a strong one
- Ensure “Require this user to change their password when they first sign in” is NOT ticked
- In the Product licenses page choose “Create user without product license”
- In the Optional settings page choose “Admin center access” and select “Global reader”
- Review all your data and click “Finish adding” in the last page
NOTE: If the password of the service account needs to be changed or is expired, it must be changed in Office and in Tenant Management System Client.
If your company policy allows passwords to never expire you can do it via PowerShell:
Set-MsolUser -UserPrincipalName 365Analyitcs@company.onmicrosoft.com -PasswordNeverExpires $true
Connecting your Tenant
365 Analytics requires a Microsoft Application consent. 365 Analytics Reporting uses application consent to collect data from your Office 365 tenant. Application consent is used to collect data via Graph API.
Read this article which explains how to authorize the 365 Analytics Application for Read-Only access to your Office 365 Tenant for use with 365 Analytics.
It is important that you complete all the steps.