O365 Collector Prerequisites

Before using the Tornado O365 Collector, you need to configure the appropriate access permissions in your Microsoft 365 tenant. There are two access methods available, each with different requirements and capabilities.

Organization-Wide Access (Recommended)

This is the best method for full automation. It allows Tornado to collect organization-wide data, including user directories, sign-ins, and audit logs—without requiring individual user login.

Requirements

1. You must be a Global Administrator in your Microsoft 365 tenant.

User-Based Consent (Limited Access)

Allows Tornado to access only the signed-in user's data.

Requirements

1. A valid Microsoft 365 work account.

2. Your organization must allow users to consent to applications.

How to Enable User Consent

If user consent is disabled in your organization, a Privileged Role Administrator can enable it:

1. Sign in to the Microsoft Entra Admin Center.

2. Navigate to: Identity → Applications → Enterprise applications → Consent and permissions → User consent settings

3. Under User consent for applications, select one of the following:

   • "Allow user consent for apps from verified publishers..." (recommended)

   • "Allow user consent for selected permissions" (for more granular control)

4. Click Save.

Enable Admin Consent Workflow

This feature allows non-admin users to request access to Tornado when the app requires permissions they cannot approve themselves.

Requirements

You must be a Global Administrator to configure this workflow.

Steps to Enable Admin Consent Workflow

1. Go to the Microsoft Entra Admin Center.

2. Navigate to: Identity → Applications → Enterprise applications → Consent and permissions → Admin consent settings

3. Configure the following options:

1. Click Save.

Workflow: User Consent Request Process

Once Admin Consent Workflow is enabled, non-admin users can request access to Tornado:

1. Sign in to Tornado

The user initiates sign-in to Tornado using their Microsoft 365 credentials.

2. Request Access

If the user cannot consent to the required permissions, they are prompted to request access from an administrator.

3. Submit Consent Request

The user submits their consent request, which is sent to the designated reviewers for approval.

4. Review and Approve Request

Designated reviewers receive an email notification and can approve or reject the consent request from the Microsoft Entra Admin Center.

Security & Management

You can monitor or revoke Tornado's permissions at any time via:

Microsoft Entra Admin Center → Enterprise applications → Binalyze Tornado

Resources

• Configure Admin Consent Workflow (Microsoft Docs)

• Configure User Consent Settings (Microsoft Docs)

• Microsoft Entra Admin Center

• Overview of permissions and consent (Microsoft Docs)

• Grant tenant-wide admin consent (Microsoft Docs)