PyraCloud imports information from the customer’s Microsoft 365 tenant on a daily basis. The data imported is used in the following PyraCloud features:
- Tag & Resource Manager: Used to allocate resource costs to business units (custom groups), Tag & Resource Manager (TRM) imports information about Azure AD user accounts including (but not limited to) usernames, display names, departments, managers, addresses, and extensionAttributes. This information is used to help the user allocate license costs to the correct business unit. TRM also imports information about specific Microsoft 365 licenses assigned to users.
- Consumption: Used to report on resource usage and cost, Consumption imports information about overall Microsoft 365 license quantities and assignments. This includes total purchased licenses, total assigned licenses, and total unassigned licenses for each subscription.
PyraCloud also uses access to the customer’s tenant on an ad-hoc basis to retrieve a list of user accounts when creating a new Microsoft Azure subscription under CSP. This allows PyraCloud to assign the owner role to a user in the customer’s tenant when creating the new subscription.
PyraCloud does not access the customer’s tenant on an ad-hoc basis for any reason related to Microsoft 365.
PyraCloud uses an account (usually named “mfa.setup”) to access the Partner Center API for CSP customers. In some instances, it will also “double hop” into the customer’s Microsoft tenant to get information about users and license assignments.
This account is used to access the Microsoft Graph API, and more specifically, the users and SubscribedSkus endpoints which provide PyraCloud with information about Azure AD users and how many licenses from each Microsoft 365 subscription are assigned and how many are free. You can read more about these APIs in Microsoft’s documentation here:
- users: https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http
- subscribedskus: https://learn.microsoft.com/en-us/graph/api/subscribedsku-list?view=graph-rest-1.0&tabs=http
To authenticate and consume these APIs, PyraCloud uses app+user authentication. This means that when PyraCloud authenticates, it uses a combination of both an Enterprise Application and a User Account (which is a service account, the aforementioned mfa.setup user).
For CSP, both these principals exist in SoftwareOne’s Azure AD rather than in the customer’s Microsoft tenant.
Read more about app+user authentication here: https://learn.microsoft.com/en-us/partner-center/developer/partner-center-authentication#app–user-authentication
Note that even under the new “secure application model”, app+user authentication is still used.
Conditional Access Policies
Generally speaking, Conditional Access Policies (CAP) do not block authentication attempts by Enterprise Applications unless configured to do so. On the other hand, User account access can be actively blocked by CAP unless an exception is configured.
Historically, it has been challenging to configure exceptions for the user accounts in partner (read: SoftwareOne’s) Microsoft tenants because they do not exist in the customer’s Microsoft tenant.
Recently, Microsoft has added functionality to Conditional Access Policies to allow narrow (least privilege) exceptions to be configured for partner Microsoft tenants.
PyraCloud has a KB article on how to do this here: https://help.pyracloud.com/knowledge-base/how-can-i-configure-conditional-access-to-allow-pyracloud/
You can also read more about this in Microsoft’s documentation here: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/authentication-conditional-access#conditional-access-for-external-users
Imported data fields
Azure AD users
The following fields are downloaded for each user in the customer’s Azure AD:
Microsoft 365 subscriptions
- SkuPrepaidUnits (Total purchased licenses)
- SkuConsumedUnits (Total assigned licenses)
- SkuServicePlans (Products associated with the subscription, e.g. Office 365 includes Teams and Yammer, etc.)
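As an added example (not PyraCloud's own code), the script below shows how the Graph subscribedSkus and users responses described above map onto the purchased/assigned/unassigned counts listed for each subscription, and cross-checks the two endpoints against each other. The sample responses are constructed, and treating prepaidUnits.enabled as "total purchased" is an assumption.

```python
from collections import Counter
# Constructed sample of GET /v1.0/subscribedSkus (Graph field names; values are made up)
SUBSCRIBED_SKUS = {"value": [
    {"skuId": "sku-e3", "skuPartNumber": "ENTERPRISEPACK", "consumedUnits": 2,
     "prepaidUnits": {"enabled": 3, "suspended": 0, "warning": 0},
     "servicePlans": [{"servicePlanName": "TEAMS1"}, {"servicePlanName": "YAMMER_ENTERPRISE"}]},
    {"skuId": "sku-f3", "skuPartNumber": "DESKLESSPACK", "consumedUnits": 1,
     "prepaidUnits": {"enabled": 0, "suspended": 1, "warning": 0},
     "servicePlans": [{"servicePlanName": "TEAMS1"}]},
]}

# Constructed sample of GET /v1.0/users?$select=userPrincipalName,assignedLicenses
USERS = {"value": [
    {"userPrincipalName": "alice@contoso.example", "assignedLicenses": [{"skuId": "sku-e3"}]},
    {"userPrincipalName": "bob@contoso.example", "assignedLicenses": [{"skuId": "sku-e3"}]},
    {"userPrincipalName": "carol@contoso.example", "assignedLicenses": [{"skuId": "sku-f3"}]},
    {"userPrincipalName": "dave@contoso.example", "assignedLicenses": [{"skuId": "sku-e3"}]},
]}

def summarize_skus(skus):
    """Per subscription: purchased, assigned and unassigned licenses plus service plans.
    Assumption: 'purchased' = prepaidUnits.enabled, since suspended units cannot be assigned."""
    out = {}
    for sku in skus["value"]:
        purchased = sku["prepaidUnits"]["enabled"]
        assigned = sku["consumedUnits"]
        out[sku["skuPartNumber"]] = {
            "purchased": purchased,
            "assigned": assigned,
            # Negative when more seats are consumed than enabled (e.g. a lapsed subscription)
            "unassigned": purchased - assigned,
            "plans": [p["servicePlanName"] for p in sku["servicePlans"]],
        }
    return out

def assignments_by_sku(users):
    """Count how many users hold each skuId according to the users endpoint."""
    counts = Counter()
    for user in users["value"]:
        for lic in user.get("assignedLicenses", []):
            counts[lic["skuId"]] += 1
    return counts

def find_mismatches(skus, users):
    """SKUs whose consumedUnits disagree with the per-user count (a completeness check on an import)."""
    counts = assignments_by_sku(users)
    return {s["skuPartNumber"]: (s["consumedUnits"], counts[s["skuId"]])
            for s in skus["value"] if s["consumedUnits"] != counts[s["skuId"]]}
```

A mismatch between the two endpoints usually means one of the daily pulls was paged incompletely or is stale, which is worth flagging before the numbers are used for cost allocation.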