O365 Collector Prerequisites
Before using the Tornado O365 Collector, you need to configure the appropriate access permissions in your Microsoft 365 tenant. There are two access methods available, each with different requirements and capabilities.
Organization-Wide Access (Recommended)
This is the best method for full automation. It allows Tornado to collect organization-wide data, including user directories, sign-ins, and audit logs—without requiring individual user login.
Requirements
You must be a Global Administrator in your Microsoft 365 tenant.
User-Based Consent (Limited Access)
Allows Tornado to access only the signed-in user's data.
Requirements
A valid Microsoft 365 work account.
Your organization must allow users to consent to applications.
If user consent is disabled in your organization, follow the steps below to enable it, or use the Admin Consent Workflow.
How to Enable User Consent
If user consent is disabled in your organization, a Privileged Role Administrator can enable it:
Sign in to the Microsoft Entra Admin Center.
Navigate to: Identity → Applications → Enterprise applications → Consent and permissions → User consent settings
Under User consent for applications, select one of the following:
"Allow user consent for apps from verified publishers..." (recommended)
"Allow user consent for selected permissions" (for more granular control)
Click Save.
Enable Admin Consent Workflow
This feature allows non-admin users to request access to Tornado when the app requires permissions they cannot approve themselves.
Requirements
You must be a Global Administrator to configure this workflow.
Steps to Enable Admin Consent Workflow
Go to the Microsoft Entra Admin Center.
Navigate to: Identity → Applications → Enterprise applications → Consent and permissions → Admin consent settings
Configure the following options:
Users can request admin consent to apps they are unable to consent to
Yes
Who can review admin consent requests
Select admins, users, groups, or roles
Email notifications
On
Request expiration reminders
On
Consent request expires after (days)
e.g., 3 days
Click Save.
After this setup, if a non-admin user tries to use Tornado, they will be prompted to send a request to the designated reviewers. Reviewers will receive an email and can approve or reject the request.
Workflow: User Consent Request Process
Once Admin Consent Workflow is enabled, non-admin users can request access to Tornado:
1. Sign in to Tornado
The user initiates sign-in to Tornado using their Microsoft 365 credentials.
2. Request Access
If the user cannot consent to the required permissions, they are prompted to request access from an administrator.
3. Submit Consent Request
The user submits their consent request, which is sent to the designated reviewers for approval.
4. Review and Approve Request
Designated reviewers receive an email notification and can approve or reject the consent request from the Microsoft Entra Admin Center.
Security & Management
You can monitor or revoke Tornado's permissions at any time via:
Microsoft Entra Admin Center → Enterprise applications → Binalyze Tornado
Resources
Last updated
Was this helpful?