# O365 Collector Prerequisites

Before using the Tornado O365 Collector, you need to configure the appropriate access permissions in your Microsoft 365 tenant. There are two access methods available, each with different requirements and capabilities.

## Organization-Wide Access (Recommended)

This is the best method for full automation. It allows Tornado to collect organization-wide data, including user directories, sign-ins, and audit logs, without requiring individual user login.

### Requirements

1. You must be a **Global Administrator** in your Microsoft 365 tenant.

{% hint style="info" %}
Because this access level relies on Microsoft Graph, it is restricted by Microsoft and cannot be granted with lesser privileges.
{% endhint %}

## User-Based Consent (Limited Access)

This method allows Tornado to access only the signed-in user's data.

### Requirements

1. A valid Microsoft 365 work account.
2. Your organization must allow users to consent to applications.

{% hint style="warning" %}
If user consent is disabled in your organization, follow the steps below to enable it, or use the Admin Consent Workflow.
{% endhint %}

## How to Enable User Consent

If user consent is disabled in your organization, a Privileged Role Administrator can enable it:

1. Sign in to the [Microsoft Entra Admin Center](https://entra.microsoft.com).
2. Navigate to: **Identity** → **Applications** → **Enterprise applications** → **Consent and permissions** → **User consent settings**
3. Under **User consent for applications**, select one of the following:
   * "Allow user consent for apps from verified publishers..." *(recommended)*
   * "Allow user consent for selected permissions" *(for more granular control)*
4. Click **Save**.

<div align="center"><figure><img src="https://1662683669-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA8kGzryHKp7UhDaLtzW%2Fuploads%2Fgit-blob-1574ff8957b2bb69a0c9ee7644d18abe744cbf8a%2Fo365_collector_prerequisites_user_consent_settings.png?alt=media" alt="" width="800"><figcaption><p>O365 Collector Prerequisites: User consent settings</p></figcaption></figure></div>

{% hint style="info" %}
For more details, see [Configure user consent (Microsoft Docs)](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent).
{% endhint %}

## Enable Admin Consent Workflow

This feature allows **non-admin users** to request access to Tornado when the app requires permissions they cannot approve themselves.

### Requirements

You must be a **Global Administrator** to configure this workflow.

### Steps to Enable Admin Consent Workflow

1. Go to the [Microsoft Entra Admin Center](https://entra.microsoft.com).
2. Navigate to: **Identity** → **Applications** → **Enterprise applications** → **Consent and permissions** → **Admin consent settings**
3. Configure the following options:

| Setting                                                               | Recommended Value                      |
| --------------------------------------------------------------------- | -------------------------------------- |
| Users can request admin consent to apps they are unable to consent to | **Yes**                                |
| Who can review admin consent requests                                 | Select admins, users, groups, or roles |
| Email notifications                                                   | **On**                                 |
| Request expiration reminders                                          | **On**                                 |
| Consent request expires after (days)                                  | e.g., **3 days**                       |

4. Click **Save**.

<div align="center"><figure><img src="https://1662683669-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA8kGzryHKp7UhDaLtzW%2Fuploads%2Fgit-blob-a5163eaf5fd52f51fb583726757dd87d271834e6%2Fo365_collector_prerequisites_admin_consent_settings.png?alt=media" alt="" width="800"><figcaption><p>O365 Collector Prerequisites: Admin consent settings</p></figcaption></figure></div>

{% hint style="success" %}
After this setup, if a non-admin user tries to use Tornado, they will be prompted to send a request to the designated reviewers. Reviewers will receive an email and can approve or reject the request.
{% endhint %}

## Workflow: User Consent Request Process

Once the Admin Consent Workflow is enabled, non-admin users can request access to Tornado as follows:

### 1. Sign in to Tornado

The user initiates sign-in to Tornado using their Microsoft 365 credentials.

<div align="center"><figure><img src="https://1662683669-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA8kGzryHKp7UhDaLtzW%2Fuploads%2Fgit-blob-960a0b25acbcd2ab164dd3429a8bced6dac239a6%2Fo365_collector_prerequisites_sign_in_to_tornado.png?alt=media" alt="" width="800"><figcaption><p>O365 Collector Prerequisites: Sign in to Tornado</p></figcaption></figure></div>

### 2. Request Access

If the user cannot consent to the required permissions, they are prompted to request access from an administrator.

<div align="center"><figure><img src="https://1662683669-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA8kGzryHKp7UhDaLtzW%2Fuploads%2Fgit-blob-8ded37317c662ae0b3c8be1866df94eb4b89ef76%2Fo365_collector_prerequisites_request_access_prompt.png?alt=media" alt="" width="800"><figcaption><p>O365 Collector Prerequisites: Request access prompt</p></figcaption></figure></div>

### 3. Submit Consent Request

The user submits their consent request, which is sent to the designated reviewers for approval.

<div align="center"><figure><img src="https://1662683669-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA8kGzryHKp7UhDaLtzW%2Fuploads%2Fgit-blob-b75c3e41759e605327ed0f8b9603cecae32168ab%2Fo365_collector_prerequisites_consent_request_submission.png?alt=media" alt="" width="800"><figcaption><p>O365 Collector Prerequisites: Consent request submission</p></figcaption></figure></div>

### 4. Review and Approve Request

Designated reviewers receive an email notification and can approve or reject the consent request from the Microsoft Entra Admin Center.

<div align="center"><figure><img src="https://1662683669-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA8kGzryHKp7UhDaLtzW%2Fuploads%2Fgit-blob-def5e343abedea57c82cd048deb85b0c67969570%2Fo365_collector_prerequisites_review_consent_request.png?alt=media" alt="" width="800"><figcaption><p>O365 Collector Prerequisites: Review consent request</p></figcaption></figure></div>

## Security & Management

You can monitor or revoke Tornado's permissions at any time via:

**Microsoft Entra Admin Center** → **Enterprise applications** → **Binalyze Tornado**

{% hint style="info" %}
All data access is controlled via OAuth2 and Microsoft Graph scopes.
{% endhint %}
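
The following is an added example, not part of the Tornado product or Binalyze's own code. It shows one way to review the delegated OAuth2 grants held by the Tornado enterprise application, separating tenant-wide consent from per-user consent and listing any scope outside a baseline you approve. The sample response, the object IDs, the scope names and the approved baseline are constructed assumptions, not Tornado's actual permission list.

```python
import json

# Constructed sample shaped like the Microsoft Graph response for
#   GET /v1.0/oauth2PermissionGrants?$filter=clientId eq '<service principal object id>'
TORNADO_SP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder object id
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"id": "grant-A", "clientId": "11111111-1111-1111-1111-111111111111",
   "consentType": "AllPrincipals", "principalId": null,
   "scope": " User.Read AuditLog.Read.All Directory.Read.All"},
  {"id": "grant-B", "clientId": "11111111-1111-1111-1111-111111111111",
   "consentType": "Principal", "principalId": "user-0001",
   "scope": "User.Read Mail.ReadWrite"},
  {"id": "grant-C", "clientId": "99999999-9999-9999-9999-999999999999",
   "consentType": "AllPrincipals", "principalId": null,
   "scope": "Files.ReadWrite.All"}
]}
""")


def summarize_grants(response, client_id):
    """Split one app's delegated grants into tenant-wide and per-user scope sets."""
    summary = {"tenant_wide": {}, "per_user": {}}
    for grant in response.get("value", []):
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different enterprise application
        scopes = set((grant.get("scope") or "").split())  # tolerates stray spaces
        if grant.get("consentType") == "AllPrincipals":
            summary["tenant_wide"][grant["id"]] = scopes
        else:  # "Principal": consent that applies to a single user
            summary["per_user"][(grant["id"], grant.get("principalId"))] = scopes
    return summary


def scope_drift(summary, approved_scopes):
    """Return (grant id, principal, scope) for every scope outside the approved set."""
    findings = []
    for grant_id, scopes in summary["tenant_wide"].items():
        findings += [(grant_id, "*", s) for s in sorted(scopes - approved_scopes)]
    for (grant_id, principal), scopes in summary["per_user"].items():
        findings += [(grant_id, principal, s) for s in sorted(scopes - approved_scopes)]
    return findings


if __name__ == "__main__":
    approved = {"User.Read", "AuditLog.Read.All", "Directory.Read.All"}  # assumed baseline
    for finding in scope_drift(summarize_grants(SAMPLE_RESPONSE, TORNADO_SP_ID), approved):
        print("review or revoke:", finding)
```

Application permissions granted by an administrator are recorded separately as app role assignments on the service principal, so review those alongside the delegated grants covered here.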

## Resources

* [Configure Admin Consent Workflow (Microsoft Docs)](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow)
* [Configure User Consent Settings (Microsoft Docs)](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent)
* [Microsoft Entra Admin Center](https://entra.microsoft.com)
* [Overview of permissions and consent (Microsoft Docs)](https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview)
* [Grant tenant-wide admin consent (Microsoft Docs)](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent)
