How to set up Microsoft Graph Data Collection when using a Windows 2012 R2 Data Collection Machine for Office 365 Assessments

This article is for customers who have already set up their data collection machine to use Windows Server 2012 R2.


  • Data Collection Machine running Windows Server 2012 R2 (not required on machines running Windows 10 or Windows Server 2016)
  • Data collection machine requires internet access

Log in to the data collection machine running Windows Server 2012 R2.

Install PowerShell 5.0

Download the file and run it. Agree to install Windows Update Standalone Installer.

Restart once installation is complete.

Once the machine has restarted, log in and open PowerShell as Administrator.

Run the command $host.

With PowerShell 5.0+ installed you can now download the prerequisites from PowerShell.

In the same session, run the following commands, and be sure to select Y to agree to install:

Install-Module AzureADPreview -Force -AllowClobber -Verbose
Install-Module MSOnline -Force -Verbose
Install-Module SharePointPnPPowerShellOnline -Verbose -AllowClobber -Force 

Close and reopen PowerShell.

The data collection prerequisites should now be set up. Now we can run setup.

Setting up the SharePoint Online Assessment

On the designated data collection machine, complete the following:

  1. Open the Windows PowerShell command prompt as an Administrator.

  2. Define the credentials for the assessment to use:
  • Ex. $AADTenantCred = Get-Credential
  • Ex. $Office365SPOCred = Get-Credential
  3. Run the following command: Add-SharePointOnlineAssessmentTask -AzureEnvironment AzureCloud -WorkingDirectory <Directory> -O365SharePointUsername $Office365SPOCred.username -O365SharePointPassword $Office365SPOCred.password -AADUsername $AADTenantCred.username -AADPassword $AADTenantCred.password

Where <Directory> is the path to an existing directory used to store the files created while collecting and analyzing the data from the environment.

Example:

$AADTenantCred = Get-Credential
$Office365SPOCred = Get-Credential
Add-SharePointOnlineAssessmentTask -AzureEnvironment AzureCloud -WorkingDirectory "D:\OMS" -O365SharePointUsername $Office365SPOCred.username -O365SharePointPassword $Office365SPOCred.password -AADUsername $AADTenantCred.username -AADPassword $AADTenantCred.password

  4. You will be prompted to enter an account that will be able to run a scheduled task on the tools machine. Provide the required user account credentials to run the scheduled task. These credentials are used to run the SharePoint Online Assessment.

  5. The script will continue with the necessary configuration. It will create a scheduled task that will trigger the data collection.

  6. Data collection is triggered by the scheduled task named SharePointOnlineAssessment within an hour of running the previous script and then every 7 days. The task can be modified to run on a different date/time or even forced to run immediately.

7. During collection and analysis, data is temporarily stored under the WorkingDirectory folder that was configured during setup. Here is an example image of the folder structure:

8. After data collection and analysis is completed on the tools machine, it will be submitted to your Azure Log Analytics workspace.

9. Data collection takes approximately 30 minutes to 60 minutes.

10. Your assessment results will be available to view on your OMS Dashboard. Click the **SharePoint Online Assessment** tile to review:

11. You will then be presented with findings grouped by the focus area.

## New Release - Updating Assessment to use Microsoft Graph API

This step will need to be run on a Windows 10 or Windows Server 2016 Server.

Before starting to set up the AAD Application, check the tools machine to see whether the ability to import the config is available. To check, navigate to C:\Program Files\Microsoft Monitoring Agent\Agent\PowerShell. If this location contains the folder Microsoft.Assessments.AADApplicationManager, the cmdlets that allow import of the registry and certificates are available on the tools machine.

On the Windows Server 2016 or Windows 10 machine, you need to install the Microsoft Monitoring Agent and connect it to a workspace. Please refer to the following video on how to install the Microsoft Monitoring Agent.

Once the assessment is set up, we can check whether the necessary files exist. To check, navigate to C:\Program Files\Microsoft Monitoring Agent\Agent\PowerShell. If this location contains the folder Microsoft.Assessments.AADApplicationManager, the cmdlets that create the Azure AAD Application for Microsoft Assessments are available.

Open PowerShell as an Administrator and then run the following on the Windows 2016/Windows 10 machine.


This script will run and then prompt for Global Administrator Credentials:

Once credentials have been set up, a browser will open that will ask for consent.

Now that the app has been set up, we need to export the registry and license keys so that we can import them on our Windows 2012 R2 server.

From PowerShell as an Administrator run:


This will prompt for a password to export the certificate. (This password must be remembered, as it will be used later to import.)

This will generate AADApplicationData.txt, which will need to be copied to the Windows Server 2012 R2 tools machine. This file will be created in the location where the command was run from, so in the example screenshots the file was created in C:\Windows\System32.

Once the file is copied, we can import the settings. In PowerShell, navigate to the directory where the file was copied and run:


Enter the password used when the settings were exported.

You can test the settings by running:


With these settings imported, if the SharePoint Online Assessment was already set up, the next collection should work and will automatically utilize the Graph API to collect data.

If the assessment did not get set up, you can follow the instructions on setting up the SharePoint Online Assessment.
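A read-only preflight for the Windows Server 2012 R2 tools machine, checking each prerequisite named in the steps above; it is an added example, not part of the original article or the Microsoft Monitoring Agent. Test-AssessmentPrerequisite, New-Result and their parameter names are hypothetical, and the clean-up check on AADApplicationData.txt assumes the file is only needed for the import.

```powershell
# Added example: read-only checks, nothing is installed or changed.
# Test-AssessmentPrerequisite and New-Result are hypothetical helper names.
function Test-AssessmentPrerequisite {
    param(
        [Parameter(Mandatory = $true)][string]$WorkingDirectory,  # value given to -WorkingDirectory
        [string]$AgentPowerShellPath = 'C:\Program Files\Microsoft Monitoring Agent\Agent\PowerShell',
        [string]$ExportFile  # optional: where AADApplicationData.txt was copied to
    )
    function New-Result($Check, $Passed, $Detail) {
        [pscustomobject]@{ Check = $Check; Passed = [bool]$Passed; Detail = [string]$Detail }
    }

    # The article requires PowerShell 5.0 or later on Windows Server 2012 R2.
    $ver = $PSVersionTable.PSVersion
    New-Result 'PowerShell 5.0+' ($ver.Major -ge 5) "Found $ver"

    # The three modules installed with Install-Module.
    foreach ($name in 'AzureADPreview', 'MSOnline', 'SharePointPnPPowerShellOnline') {
        $m = Get-Module -ListAvailable -Name $name | Sort-Object Version -Descending | Select-Object -First 1
        $detail = if ($m) { "Version $($m.Version)" } else { 'Not installed' }
        New-Result "Module $name" ($null -ne $m) $detail
    }

    # Folder that indicates the AAD application cmdlets are present.
    $mgr = Join-Path $AgentPowerShellPath 'Microsoft.Assessments.AADApplicationManager'
    New-Result 'AADApplicationManager folder' (Test-Path -LiteralPath $mgr -PathType Container) $mgr

    New-Result 'Working directory' (Test-Path -LiteralPath $WorkingDirectory -PathType Container) $WorkingDirectory

    # Scheduled task created by Add-SharePointOnlineAssessmentTask, and the account it runs as.
    $task = Get-ScheduledTask -TaskName 'SharePointOnlineAssessment' -ErrorAction SilentlyContinue
    $detail = if ($task) { "State $($task.State), runs as $($task.Principal.UserId)" } else { 'Not found' }
    New-Result 'Scheduled task' ($null -ne $task) $detail

    # Assumption (not from the article): the export file is only needed for the import,
    # so a copy still on disk afterwards is reported for clean-up, with who can read it.
    if ($ExportFile) {
        $present = Test-Path -LiteralPath $ExportFile -PathType Leaf
        $detail = 'Not on disk'
        if ($present) {
            $readers = (Get-Acl -LiteralPath $ExportFile).Access.IdentityReference -join ', '
            $detail = "Still present; ACL entries: $readers"
        }
        New-Result 'Export file removed' (-not $present) $detail
    }
}

# D:\OMS is the working directory used in the article's example.
Test-AssessmentPrerequisite -WorkingDirectory 'D:\OMS' | Format-Table -AutoSize
```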
