Optimize365 Scanning Feature
This guide walks you through assigning the Global Reader role to Optimize365's service principal so that its security audit scanning has full read visibility of the tenant. Global Reader can read everything a Global Administrator can read but cannot change anything; because it is tenant-wide, grant it only to the Optimize365 application and verify the assignment afterwards.
Prerequisites
- An account with the Privileged Role Administrator or Global Administrator role in the tenant (required to assign a directory role; Global Reader alone cannot grant roles)
- The Optimize365 enterprise application already consented into the tenant, so that its service principal exists
- For Option 2, the Microsoft Graph PowerShell SDK installed
Enabling the scanning role
Step 1: Verify the Global Reader role (repeat this in every tenant you want scanned)
Option 1:
- Sign in to the Microsoft Entra admin center (opens in a new tab)
- Browse to Entra ID > Roles & admins (press Show more if you can't see it)
- Select Global Reader (double-click on it)
- Select Add assignments, search for "Optimize365 Official" (AppId: daf90830-f34f-4ba6-986d-3774a1577225) and press Add
- It will appear in the list once it has been added
Option 2:
Alternatively, run this PowerShell script. It needs the Microsoft Graph PowerShell SDK and a session that can assign directory roles; it connects with only the Graph scopes it uses:
# PowerShell script to verify and, if needed, add the Global Reader role for Optimize365.
# Run it as an account that can assign directory roles (Privileged Role Administrator
# or Global Administrator). Connect with the least scopes the script needs:
#   Application.Read.All               - look up the Optimize365 service principal
#   RoleManagement.ReadWrite.Directory - read and change directory role membership
#   Policy.Read.All                    - read the security defaults policy in the final check
Connect-MgGraph -Scopes "Application.Read.All","RoleManagement.ReadWrite.Directory","Policy.Read.All"

# Optimize365 AppId
$appId = "daf90830-f34f-4ba6-986d-3774a1577225"

# Get the service principal for Optimize365 (it exists only once the app has been consented into this tenant)
$servicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if ($null -eq $servicePrincipal) {
    Write-Host "❌ Optimize365 service principal not found in this tenant. Verify the AppId is correct and that the app has been consented." -ForegroundColor Red
    Disconnect-MgGraph | Out-Null
    return
}
Write-Host "✅ Found Optimize365 service principal: $($servicePrincipal.DisplayName)" -ForegroundColor Green

# Look up Global Reader by its fixed built-in role template ID rather than by display name:
# the ID is stable across tenants and locales, and directoryRoles supports filtering on roleTemplateId
$globalReaderTemplateId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
$globalReaderRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalReaderTemplateId'"
if ($null -eq $globalReaderRole) {
    # A built-in role only appears under directoryRoles once it has been activated in the tenant
    Write-Host "Global Reader role not activated yet, activating..." -ForegroundColor Yellow
    $globalReaderRole = New-MgDirectoryRole -RoleTemplateId $globalReaderTemplateId
    Write-Host "✅ Global Reader role has been activated" -ForegroundColor Green
}

# Check if Optimize365 already has the Global Reader role (-All pages through large member lists)
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $globalReaderRole.Id -All
$hasRole = $members | Where-Object { $_.Id -eq $servicePrincipal.Id }
if ($null -ne $hasRole) {
    Write-Host "✅ Optimize365 already has the Global Reader role" -ForegroundColor Green
} else {
    # Add the Optimize365 service principal to the Global Reader role by object reference
    Write-Host "Adding Optimize365 to Global Reader role..." -ForegroundColor Yellow
    try {
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $globalReaderRole.Id -BodyParameter @{
            "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($servicePrincipal.Id)"
        }
        Write-Host "✅ Successfully added Optimize365 to Global Reader role" -ForegroundColor Green
    } catch {
        Write-Host "❌ Failed to add Optimize365 to Global Reader role: $_" -ForegroundColor Red
        Write-Host "   Please add the role manually in the Microsoft Entra admin center" -ForegroundColor Yellow
    }
}

# Verify the assignment by re-reading role membership: this is what proves the app holds the role
Write-Host "`nVerifying Global Reader assignment..." -ForegroundColor Cyan
$confirmed = Get-MgDirectoryRoleMember -DirectoryRoleId $globalReaderRole.Id -All |
    Where-Object { $_.Id -eq $servicePrincipal.Id }
if ($null -ne $confirmed) {
    Write-Host "✅ Optimize365 is listed as a member of Global Reader" -ForegroundColor Green
} else {
    Write-Host "❌ Optimize365 is not listed as a Global Reader member yet; re-run this check in a few minutes or assign the role manually" -ForegroundColor Red
}

# Sanity check that this session can read security policies through Graph.
# Note: this tests the signed-in account's access, not the app's; the membership check above is the real test.
try {
    $policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy -ErrorAction Stop
    Write-Host "✅ Successfully accessed the security defaults policy (security defaults enabled: $($policy.IsEnabled))" -ForegroundColor Green
} catch {
    Write-Host "❌ Cannot access security policies: $_" -ForegroundColor Red
}

# Disconnect session
Disconnect-MgGraph | Out-Null
Write-Host "`n✅ Role verification complete" -ForegroundColor Green
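The following is an added, read-only example (not part of the Optimize365 documentation or the script above) for checking the assignment in each tenant without the permission to change roles. It uses the unified role assignment API (Get-MgRoleManagementDirectoryRoleAssignment) instead of legacy directoryRoles, so it also shows the assignment scope and any other directory roles the Optimize365 service principal holds, which is the caveat an administrator granting a tenant-wide read role wants confirmed. It assumes the Microsoft Graph PowerShell SDK is installed; the AppId is the one given on this page, and the Global Reader role template ID is the Microsoft built-in value.

```powershell
# Added example, not Optimize365's own code: read-only audit of the directory roles
# assigned to the Optimize365 service principal. Only read scopes are requested.
Connect-MgGraph -Scopes "Application.Read.All","RoleManagement.Read.Directory"

$appId = "daf90830-f34f-4ba6-986d-3774a1577225"                   # Optimize365 Official (from this page)
$globalReaderTemplateId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451" # built-in Global Reader role template

$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if ($null -eq $sp) {
    Write-Host "Optimize365 is not present in this tenant (no service principal for AppId $appId)"
    Disconnect-MgGraph | Out-Null
    return
}

# Active assignments only: eligible (PIM) assignments are not returned by this endpoint,
# so a role that is merely eligible will show here as NOT assigned.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All

Write-Host "Directory roles held by '$($sp.DisplayName)':"
foreach ($a in $assignments) {
    # For built-in roles the roleDefinitionId is the role template ID
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    Write-Host ("  {0,-35} scope={1}" -f $def.DisplayName, $a.DirectoryScopeId)
}

$globalReader = $assignments | Where-Object { $_.RoleDefinitionId -eq $globalReaderTemplateId }
if ($globalReader) {
    # A directoryScopeId of "/" means the assignment is tenant-wide, which is what scanning needs
    $tenantWide = @($globalReader | Where-Object { $_.DirectoryScopeId -eq "/" }).Count -gt 0
    Write-Host "Global Reader: assigned (tenant-wide: $tenantWide)"
} else {
    Write-Host "Global Reader: NOT assigned in this tenant"
}

# Anything beyond Global Reader is more than the scanner needs; review and remove it
$extra = @($assignments | Where-Object { $_.RoleDefinitionId -ne $globalReaderTemplateId })
if ($extra.Count -gt 0) {
    Write-Host "Warning: the app also holds $($extra.Count) other active role assignment(s); confirm each is intended"
}

Disconnect-MgGraph | Out-Null
```

Run this per tenant after completing Step 1. Because it requests only read scopes, it can be handed to a reviewer who should not be able to change role membership.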
Why Global Reader is required
Without the Global Reader role, Optimize365 can only audit a limited set of security controls. Some controls are not exposed through Microsoft Graph and can only be checked with a PowerShell cmdlet, which requires this role.
That said, we also support a Basic Baseline with controls that do not need the Global Reader role. It is intended for basic prospecting needs, with minimal friction.
Need Help?
Contact [email protected] if you encounter any issues.