Office 365 MP – some notes on security configuration

Okay, I’ve got a very short break between project A and project B. I hope you’ll enjoy the result of 3 months of development effort (unfortunately I cannot disclose any details, but those who watch for new MPs will probably understand what “project A” was :). Hint: it is not related to SQL Server).

Meanwhile, let’s shed some light on O365 MP matters. I have seen several complaints about the security configuration of this SCOM management pack and, indeed, this part is not well documented.

So, Office 365 MP defines two Run As profiles:

Office 365 Subscription Password secure reference.

This one stores the O365 management credentials used to authenticate to the management portal via the O365 API. I’ve seen some complaints about updating these credentials via the O365 MP subscription administration UI, but this can be worked around by editing the Run As account directly in the “Run As Account Properties” dialog.

Office 365 Subscription Proxy secure reference.

This one is completely undocumented but very important: it is used by all data sources involved in both data collection and automatic alert closure:

Office 365 management pack Run As profiles

So, to make everything work, the account mapped to this profile must meet the following criteria:

  1. It should be a domain user;
  2. It should be able to log on at the management server (otherwise SCOM will fail to run the O365 monitoring workflows);
  3. It should be able to reach the Office 365 API endpoint (via https), so configure your firewalls, proxies, etc. accordingly. There are no specific requirements for ports.
  4. It should be able to access SCOM data via the SDK API to enumerate and close alerts. Usually membership in the “Operations Manager Operators” role is enough, but for an unknown reason this does not work in this case, so make sure the account has been granted the “Operations Manager Administrators” role.
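
The following script is an added example and is not part of the original post or of the Office 365 MP itself. It checks the four criteria above for the account mapped to the “Office 365 Subscription Proxy secure reference” profile, using the OperationsManager PowerShell module on a management server. The Run As account display name (`$RunAsAccountName`), the `DOMAIN\user` of that account (`$ProxyAccountName`) and the example values in the comments are assumptions you replace with your own; the default `$EndpointUri` is the service URL named in the comments below this post. Exporting the local security policy with `secedit` requires an elevated session, and the endpoint check gives a faithful answer only when run in the proxy account’s own session, because WinINET proxy settings are per-user.

```powershell
<#
 Added example (not from the original post or the Office 365 MP).
 Verifies the four criteria for the account mapped to the
 "Office 365 Subscription Proxy secure reference" Run As profile.
 Assumed inputs: your Run As account display name and its DOMAIN\user.
#>
param(
    [Parameter(Mandatory)] [string] $RunAsAccountName,   # e.g. 'O365 Proxy Account' (your value)
    [Parameter(Mandatory)] [string] $ProxyAccountName,   # e.g. 'CONTOSO\svc-o365mp'  (your value)
    [string] $EndpointUri = 'https://office365servicehealthcommunications.cloudapp.net/shdtenantcommunications.svc'
)

Import-Module OperationsManager -ErrorAction Stop
$results = [ordered]@{}

# --- 1. Domain user: DOMAIN\user where DOMAIN is neither this machine nor a built-in authority.
$domain, $user = $ProxyAccountName -split '\\', 2
$results['1. Domain user'] = ($null -ne $user) -and
    ($domain -notin @($env:COMPUTERNAME, 'NT AUTHORITY', 'BUILTIN', 'NT SERVICE'))

# --- 2a. The Run As account exists and is distributed to this management server;
#         without distribution the Health Service here never receives the credential.
$account = Get-SCOMRunAsAccount -Name $RunAsAccountName -ErrorAction Stop | Select-Object -First 1
$dist    = Get-SCOMRunAsDistribution -RunAsAccount $account
$results['2a. Distributed to this server'] = ($dist.Security -eq 'LessSecure') -or
    [bool]($dist.SecureDistribution | Where-Object { $_.DisplayName -like "$env:COMPUTERNAME*" })

# --- 2b. Local log-on right (criterion 2). secedit lists principals as '*<SID>'; only direct
#         grants are detected here, so a grant via group membership shows up as $false.
$cfg = Join-Path $env:TEMP "secpol-$PID.inf"
secedit /export /cfg $cfg /quiet | Out-Null            # needs an elevated session
$policy = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue
$sid = ([System.Security.Principal.NTAccount]$ProxyAccountName).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$allowLine = ($policy | Select-String '^SeInteractiveLogonRight').Line
$denyLine  = ($policy | Select-String '^SeDenyInteractiveLogonRight').Line
$results['2b. Direct SeInteractiveLogonRight'] = [bool]($allowLine -and $allowLine -match [regex]::Escape("*$sid"))
$results['2b. Not denied interactive logon']   = -not ($denyLine -and $denyLine -match [regex]::Escape("*$sid"))

# --- 3. HTTPS path to the API endpoint. Proxy settings are per-user, so run this in the
#        proxy account's own session (e.g. runas /user:DOMAIN\user powershell.exe).
try {
    Invoke-WebRequest -Uri $EndpointUri -UseBasicParsing -UseDefaultCredentials -TimeoutSec 30 | Out-Null
    $results['3. Endpoint reachable'] = $true
} catch {
    # An HTTP 4xx/5xx still proves TCP, TLS and proxy traversal work; a missing Response means no path.
    $results['3. Endpoint reachable'] = ($null -ne $_.Exception.Response)
}

# --- 4. SDK access: membership in "Operations Manager Administrators". Role members are
#        normally groups, so nesting is expanded where the ActiveDirectory module is present.
function Test-RoleMembership {
    param([string[]] $RoleMembers, [string] $Account)
    if ($RoleMembers -contains $Account) { return $true }
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return $null }  # cannot expand groups here
    $sam = ($Account -split '\\', 2)[-1]
    foreach ($member in $RoleMembers) {
        try {
            $nested = Get-ADGroupMember -Identity (($member -split '\\', 2)[-1]) -Recursive -ErrorAction Stop
            if (@($nested).SamAccountName -contains $sam) { return $true }
        } catch { }  # member is a user, not a group, or not resolvable from this host
    }
    return $false
}
$adminRole = Get-SCOMUserRole -DisplayName 'Operations Manager Administrators'
$results['4. In OM Administrators (direct or via group)'] =
    Test-RoleMembership -RoleMembers @($adminRole.Users) -Account $ProxyAccountName

# Report: $true / $false per criterion, UNKNOWN where the check could not be completed.
$results.GetEnumerator() | ForEach-Object {
    '{0,-48} {1}' -f $_.Key, $(if ($null -eq $_.Value) { 'UNKNOWN' } else { $_.Value })
}
```

Run it once in your own elevated session (checks 1, 2a, 2b and 4) and once more under the proxy account itself for check 3, since a proxy configured in the interactive user's browser settings is not seen by a process running as a different user.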

That’s it. And yes, I agree that the synchronization and automatic closure logic could be somewhat more flexible and convenient.

5 thoughts on “Office 365 MP – some notes on security configuration”

  1. Question, I’m behind a proxy – I don’t get Monitoringhost.exe to start at all. What could be the cause, you think? Rgs, Stefan

    • Stefan,

      I assume that this is absolutely not related to o365 MP – it should be something wrong with the agent itself. Check Operations Manager event log as well as Application and System event logs, most probably you will find some details there. Systemcentercentral.com or Microsoft forums are good places where you can find help if you see something cryptic in your logs.

      Best regards,
      Oleg Kapustin

  2. I don’t think it’s related to either the o365 MP or the proxy; if the Run As account / profile doesn’t run appropriately inside taskmgr then it won’t go through the proxy properly either, I guess. But I think the proxy profile account is set up wrongly. What objects or classes should the proxy account target inside Office 365 Subscription Proxy secure reference? In my environment it targets “Association: Class, Used for: All targeted objects”. /S

  3. I recently installed the Office 365 Management Pack. Our Management Server is on a private network, so it needs to go through a proxy to get out to the Internet. I have configured a new Run As Account and added it to the Office 365 Subscription Proxy secure reference Run As profile. I logged onto the Management Server as the proxy account and configured the proxy within Internet Explorer, then was able to successfully access https://office365servicehealthcommunications.cloudapp.net/shdtenantcommunications.svc. I then rebooted the Management Server and logged in with my own account. Looking at the Office 365 Dashboard, the status for our two subscriptions is a red X for both. I started logging on the proxy and nothing was coming from the Management Server trying to get out to the office365servicehealthcommunications URL. The only way I have been able to get it to work, and get green check marks on the dashboard for the subscription status, is to log onto the Management Server as the proxy account; within 15-20 minutes the status turns to OK.

    I have verified (when not logged into Windows as the proxy account) that there is a MonitoringHost.exe process running as the proxy user.

    Any ideas on why things only work when the proxy account is logged into Windows? I have gone as far as temporarily making the proxy account a local admin on the Management Server and that has not helped.

    • Ben, sorry for not replying. Unfortunately I was really far from SCOMing (and blogging) during the last year. Please ping me if your issue has not been resolved yet.
