Documentation Index

Fetch the complete documentation index at: https://docs.lansweeper.com/llms.txt

Use this file to discover all available pages before exploring further.

Prepare Microsoft Cloud for Cloud Discovery

Prev Next

Note on third‑party tools

We aim to provide accurate and helpful details about third‑party tools, but we can’t guarantee that this information is always complete or up to date. For the most reliable information, please always refer to the third‑party tool’s official documentation.

Before connecting Microsoft Azure, Microsoft Intune, or Microsoft 365 / Entra ID to Lansweeper, you need to set up your infrastructure to allow Cloud Discovery to access your Microsoft Cloud products.

Register a new application

  1. Follow Microsoft’s documentation to Register an application in Microsoft Entra ID

  2. After registration, save the following:

    • Application (client) ID
    • Directory (tenant) ID

You’ll need these values later in Lansweeper when creating the connection to your site.

Add Microsoft Graph API permissions

  1. Follow Microsoft’s documentation to Add permissions to access Microsoft Graph.

  2. Based on your discovery requirements, add the following permissions and grant Admin consent for each:

    Data Permission type Permission name
    Microsoft 365 / Entra ID (Organization and Users) Application Organization.Read.All, Directory.Read.All
    Microsoft Intune Application DeviceManagementManagedDevices.Read.All
Azure subscription access

For Microsoft Azure, ensure the app has Reader access to each subscription you want to scan.

Configure federated credentials

Federated credentials enable token exchange between Lansweeper and Azure, allowing Lansweeper Discovery to authenticate without stored secrets. For more information about federated credentials, see Configure an app to trust an external identity provider

  1. In the Azure portal, go to your app registration and open Certificates & secrets > Federated credentials.

  2. Select Add credential.

  3. Under Federated credential scenario, choose Other issuer.

  4. Configure the fields as follows:

    • Issuer: https://login.auth.lansweeper.com/6d02a192-efc6-a58a-e413-8abc60f3b067 (no trailing space or /)
    • Type: Explicit subject identifier
    • Value: 866d6f4d-c8fa-4342-9f6a-377932892ee0
    • Name: A descriptive name (e.g., LansweeperDiscoveryFederation)
    • Description: Optional
    • Audience: 866d6f4d-c8fa-4342-9f6a-377932892ee0
  5. Save the configuration when complete.

Assign permissions for Azure resources

To allow the app to read Azure resources under a specific subscription:

  1. Follow Microsoft’s documentation to Assign Azure roles using the Azure portal.
  2. Assign the Reader role to the app registration.

Repeat for all target subscriptions.

Custom role creation to fully scan some resource types

Some Azure resources require more permissions than the Reader role to be fully scanned by Lansweeper. You can add these permissions to your app registration by creating a Custom Role in Azure.

To create and assign a custom role:

  1. Create an Azure custom role. See Azure custom roles for detailed steps.

  2. Add the required permissions to the role. The permissions you add depend on the type of Azure resource you want to scan. For example:

    • For App and Web Services: Microsoft.Web/sites/config/list/action
    • For AKS clusters: Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
Check the Scan issues tab

If a cloud asset is missing permissions, the issue appears in the asset’s Scan issues tab.

  1. Assign the role to the app registration you created for scanning. Choose the appropriate scope based on what you want to cover:

    • Management Group
    • Subscription
    • Resource Group

When properly configured, the additional scanned properties appear in the asset’s Cloud Properties section.

Create and configure an Azure key vault

You’ll use Azure Key Vault to store your Lansweeper Site ID securely and provide API-access tokens to Lansweeper.

Using access policies instead of RBAC?

If your key vault uses access policies instead of RBAC, see Prepare for Key Vault API.

  1. Follow Microsoft’s documentation to Create an Azure Key Vault guide to create a Key Vault.

  2. Under Access control (IAM), add the Key Vaults Secrets Officer role to a user.

  3. As this user, add a new secret to the key vault:

    1. Name: LansweeperSiteID
    2. Value: Your Lansweeper Site ID (found in Site settings > General)
Multiple sites, one key vault

If you have multiple sites and want to use a single key vault for all your Azure, M365/Entra ID, and Intune cloud actions, you can store the site IDs in a single secret as comma-separated values.

  1. Under Access control (IAM), add the Key Vaults Secrets User role to your app registration.
  2. After configuring the key vault, copy the Vault URI and save it for later.
Restrict Key Vault access

For security, restrict access to the Key Vault by limiting inbound connections to Lansweeper IPs:

  • EU: 54.247.163.109, 54.247.185.164, 34.243.192.131
  • US: 3.143.85.134, 3.142.89.208, 3.133.69.44

Next steps

Now that you have prepared your Microsoft Cloud environment, you can create a Cloud Discovery action to connect with Lansweeper Sites.