Installation Instructions

How to install the Bsure Insights Marketplace app

Make sure you have all the prerequisites in place before you begin.

If you encounter any problems during the installation please review the Frequently asked questions.

Step 1 - Run the requirements check script

To install the Bsure Insights Data Collector you need to be a Global Administrator with the Owner RBAC role on at least 1 subscription in an Entra ID P1 enabled tenant. The script will validate that you meet those requirements.

Click the Azure Cloud Shell to start a PowerShell session. (If you have not used the Cloud Shell before, you will be prompted to select/create a storage account)

Copy this script to your clipboard:

#Builds Auth Headers for Graph API
$graphAPIReqHeader = @{
    Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token)"
    Host = "graph.microsoft.com"
    ConsistencyLevel = 'eventual'
}

# Get the signed in user's ID
$userId = $(az ad signed-in-user show --query id -o tsv)

# Gets the available licenses for the tenant
$licensesUrl = "https://graph.microsoft.com/v1.0/subscribedSkus"
$licenses = Invoke-RestMethod -Uri $licensesUrl -Headers $graphAPIReqHeader

# Check if the Azure AD Premium P1 license is available
$isP1Enabled = $licenses.value.servicePlans | Where-Object {$_.servicePlanName -eq "AAD_PREMIUM"} | Select-Object -First 1

$rolesUrl = "https://graph.microsoft.com/beta/rolemanagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId eq '$userId'"
$roles = Invoke-RestMethod -Uri $rolesUrl -Headers $graphAPIReqHeader

# Check if the user is a member of the Global Administrator role
$isGlobalAdmin = $roles.value | Where-Object {$_.roleDefinitionId -eq "62e90394-69f5-4237-9190-012177145e10"} | Select-Object -First 1

# Get the list of subscriptions
$subIds = $(az account list --query "[].id" -o tsv)

# Get the list of subscriptions where the user is a Resource Owner
$resSubCunt = $subIds | ForEach-Object{
    $(az role assignment list --assignee $userId --all --query "[?roleDefinitionName == 'Owner'].scope" --subscription "$_" -o tsv)
}

if($resSubCunt.Count -gt 1){
    $subscriptionReplacement = "subscriptions"
}else{
    $subscriptionReplacement = "subscription"
}

# Clear the screen
# Display the results
$allRequired = $isP1Enabled -and $isGlobalAdmin -and ($resSubCunt.Count -gt 0)
$allRequiredMessage = if ($allRequired) {"You have all the required permissions & licenses."} else {"You do not have all the required permissions & licenses."}
$aadP1Result = if ($isP1Enabled) {"Entra ID P1 is enabled in your tenant."} else {"Entra ID P1 is not enabled in your tenant."}
$globalAdminMessage = if ($isGlobalAdmin) {"You are a Global Administrator in your tenant."} else {"You are not a Global Administrator in your tenant."}
$ownerMessage = if ($resSubCunt.Count -gt 0) {"You have the Owner RBAC Role for $($resSubCunt.Count) $subscriptionReplacement."} else {"You are do not have the Owner RBAC Role on any subscription."}
$sb = {
Clear-Host
Write-Host "--------------------------" -ForegroundColor Yellow
Write-Host $aadP1Result -ForegroundColor $(if ($isP1Enabled) {"Green"} else {"Red"})
Write-Host $globalAdminMessage -ForegroundColor $(if ($isGlobalAdmin) {"Green"} else {"Red"})
Write-Host $ownerMessage -ForegroundColor $(if ($resSubCunt.Count -gt 0) {"Green"} else {"Red"})
Write-Host $allRequiredMessage -ForegroundColor $(if ($allRequired) {"Green"} else {"Red"})
Write-Host "--------------------------" -ForegroundColor Yellow
}
Invoke-Command -ScriptBlock $sb

#Press enter or exit the console

Paste the script to the PowerShell session, and hit Enter.

A failed run will contain red text on the failed checks:

Please correct any missing requirements and rerun the requirements check.

A successful run will contain all green text:

If all the checks are green it means you have the required access to proceed to Step 2:

Step 2 - Start the permissions script

To collect license and user information, the Bsure Insights Data Collector application need read permissions to your Azure Active Directory.

Click the Azure Cloud Shell to start a PowerShell session. (If you have not used the Cloud Shell before, you will be prompted to select/create a storage account)

Copy this script to your clipboard:

$BSureSpnName = 'Bsure-Umi-'

$BsurePermissions = @(
  "Directory.Read.All"
  "AuditLog.Read.All"
  "Domain.Read.All"
  "Reports.Read.All"
  "Policy.Read.All"
)

$RunStartTime = (Get-Date).AddMinutes(-30)
$RunAbortTime = (Get-Date).AddMinutes(30)

$GraphAppId = "00000003-0000-0000-c000-000000000000"

$msGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"

$RolesToAdd = $msGraphSpn.AppRole | Where-Object {($_.Value -in $BsurePermissions) -and ($_.AllowedMemberType -contains "Application")}

do{
    $spnBsure = (Get-AzADServicePrincipal -DisplayNameBeginsWith $BSureSpnName).Where({[datetime]($_.AdditionalProperties.createdDateTime) -ge $RunStartTime})
    Clear-Host
    Write-Host ""
    Write-Host "Waiting for the Bsure Azure Managed Application Installation..."
    Write-Host "Do not close this window"
    Write-Host ""

    Start-Sleep -Seconds 30
    if((Get-Date) -gt $RunAbortTime){
        Write-Host "Service principal not created within 30 minutes. Exiting..."
        exit
    }
}while($spnBsure.count -eq 0)

$spnBsure | ForEach-Object{

    $script:graphAPIReqHeader = @{
        Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token)"
        Host = "graph.microsoft.com"
    }

    $currentSPN = $_
    $currentSPN
    $assignedPermissionsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentSPN.Id)/appRoleAssignments"

    $currentAssignments = Invoke-RestMethod -Method Get -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader | Select-Object -ExpandProperty value
    
    $RolesToAddClean = $RolesToAdd | Where-Object {($_.id -notin $($currentAssignments.appRoleId))}
    
    foreach($AppRole in $RolesToAddClean)
    {
        $body = @{
            principalId = $currentSPN.Id
            resourceId = $msGraphSpn.id
            appRoleId = $AppRole.id
        } | ConvertTo-Json -Depth 99 -Compress -EscapeHandling EscapeNonAscii
    
        Invoke-RestMethod -Method Post -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader -Body $body -ContentType "application/json"
    }
    
    $RolesToRemoveClean = $currentAssignments.appRoleId | Where-Object {($_ -notin $($RolesToAdd.id))}
    
    foreach($AppRole in $RolesToRemoveClean)
    {
        $toRemoveId = $currentAssignments | Where-Object -Property appRoleId -eq $AppRole | Select-Object -ExpandProperty id
        Invoke-RestMethod -Method Delete -Uri "$assignedPermissionsUri/$toRemoveId" -Headers $script:graphAPIReqHeader
    }
}

Write-Host "Done setting permissions for $($spnBsure.DisplayName) ($($spnBsure.Id))"

Paste the script to the PowerShell session, and hit Enter.

The script will poll for Stage 3, do not wait for the script to complete, please start Stage 3 immediately after pasting the script and pressing enter.

The application will get read permissions to your Azure AD, and is able to collect license and user information once Step 2 completes.

You can see the permissions granted to the Collector app if you go to Azure Active Directory, Enterprise Applications and find the Bsure-Fn-DataCollector app.

IMPORTANT! Make sure you have the permissions script running before you proceed to Step 3. The installation will FAIL if you skip Step 2.

Step 3 - Install Bsure Insights Data Collector

Login to Azure portal using your Global Administrator credentials.
Select Create a resource.
In the Search services and marketplace box, enter Bsure Insights.
From the results, select Bsure Insights for Microsoft 365 and Entra ID - Data Collector (direct link).
Select the default Plan Bsure PayGo, and click Create.
On the Create Bsure Insights page, the first section is Basics.
- Subscription - Select the subscription you have decided to use for your installation.
- Resource group - Select your resource group, or create a new one if needed.
- Region - Select your region (recommended to use the same region as your Storage Account).
- Application Name - Select a name for the application.
- Managed Resource Group - Use the provided name.
The next section is Storage Configuration
- Data Retention Days - Number of days to retain data in the storage account.
- Storage Account 1 Connection String - Enter a valid Storage Account connection string. (You will find the connection string by going to your storage account and choose the menu Access Keys).
- Confirm Connection String - Paste the same connection string again.
- Advanced Configuration (Optional)
  Select only if you want to write data to a second Storage Account. A second storage account can be used for multi-tenant support, or as a separate archive (Data Retention Days does not apply to the second storage account).
Select Next : Review + create After validation is passed, agree to the terms and conditions, and select Create.
Wait for deployment to finish (less than 5 minutes).

After the installation is complete, the Data Collector will start collecting data within 15 minutes.

Step 4 - Install Bsure Insights Power Bi app

Go to Microsoft Appsource with a Power Bi Pro licensed user.
Search for Bsure Insights, and select our app. You can also use this direct link: Bsure Insights for Microsoft 365 and Entra ID
Select Get it now. (Sign in if prompted) If prompted - confirm your details, agree to the terms of use and select Get it now again.
Select Install.
Wait for installation to complete (less than 5 minutes)
Go to Apps and start Bsure Insights
You are now viewing the app with sample data. Select Connect your data in the yellow ribbon.
Enter the Name of your storage account (from prerequisites) and select Next.
Enter the Access Key to your storage account in the Account key field, and select Sign in and connect.

You should now be able to see your own data in the Power Bi app!

Typically, it is sufficient for a single user in your organization to install the Power BI app.

You can find instructions on how to share the app with others in our sharing guide.

Step 5 - Configure Power BI app data refresh

Go to Workspaces and select Bsure Insights

Move mouse over Bsure Insights and select icon to configure refresh

Expand Refresh, Add another time and set it to 6 AM local time of Your Azure region.

Press apply

PreviousPrerequisites NextDesign Principles

Last updated 1 month ago

#Builds Auth Headers for Graph API $graphAPIReqHeader = @{ Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token)" Host = "graph.microsoft.com" ConsistencyLevel = 'eventual' } # Get the signed in user's ID $userId = $(az ad signed-in-user show --query id -o tsv) # Gets the available licenses for the tenant $licensesUrl = "https://graph.microsoft.com/v1.0/subscribedSkus" $licenses = Invoke-RestMethod -Uri $licensesUrl -Headers $graphAPIReqHeader # Check if the Azure AD Premium P1 license is available $isP1Enabled = $licenses.value.servicePlans | Where-Object {$_.servicePlanName -eq "AAD_PREMIUM"} | Select-Object -First 1 $rolesUrl = "https://graph.microsoft.com/beta/rolemanagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId eq '$userId'" $roles = Invoke-RestMethod -Uri $rolesUrl -Headers $graphAPIReqHeader # Check if the user is a member of the Global Administrator role $isGlobalAdmin = $roles.value | Where-Object {$_.roleDefinitionId -eq "62e90394-69f5-4237-9190-012177145e10"} | Select-Object -First 1 # Get the list of subscriptions $subIds = $(az account list --query "[].id" -o tsv) # Get the list of subscriptions where the user is a Resource Owner $resSubCunt = $subIds | ForEach-Object{ $(az role assignment list --assignee $userId --all --query "[?roleDefinitionName == 'Owner'].scope" --subscription "$_" -o tsv) } if($resSubCunt.Count -gt 1){ $subscriptionReplacement = "subscriptions" }else{ $subscriptionReplacement = "subscription" } # Clear the screen # Display the results $allRequired = $isP1Enabled -and $isGlobalAdmin -and ($resSubCunt.Count -gt 0) $allRequiredMessage = if ($allRequired) {"You have all the required permissions & licenses."} else {"You do not have all the required permissions & licenses."} $aadP1Result = if ($isP1Enabled) {"Entra ID P1 is enabled in your tenant."} else {"Entra ID P1 is not enabled in your tenant."} $globalAdminMessage = if ($isGlobalAdmin) {"You are a Global Administrator in your tenant."} else {"You are not a Global Administrator in your tenant."} $ownerMessage = if ($resSubCunt.Count -gt 0) {"You have the Owner RBAC Role for $($resSubCunt.Count) $subscriptionReplacement."} else {"You are do not have the Owner RBAC Role on any subscription."} $sb = { Clear-Host Write-Host "--------------------------" -ForegroundColor Yellow Write-Host $aadP1Result -ForegroundColor $(if ($isP1Enabled) {"Green"} else {"Red"}) Write-Host $globalAdminMessage -ForegroundColor $(if ($isGlobalAdmin) {"Green"} else {"Red"}) Write-Host $ownerMessage -ForegroundColor $(if ($resSubCunt.Count -gt 0) {"Green"} else {"Red"}) Write-Host $allRequiredMessage -ForegroundColor $(if ($allRequired) {"Green"} else {"Red"}) Write-Host "--------------------------" -ForegroundColor Yellow } Invoke-Command -ScriptBlock $sb #Press enter or exit the console

$BSureSpnName = 'Bsure-Umi-' $BsurePermissions = @( "Directory.Read.All" "AuditLog.Read.All" "Domain.Read.All" "Reports.Read.All" "Policy.Read.All" ) $RunStartTime = (Get-Date).AddMinutes(-30) $RunAbortTime = (Get-Date).AddMinutes(30) $GraphAppId = "00000003-0000-0000-c000-000000000000" $msGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'" $RolesToAdd = $msGraphSpn.AppRole | Where-Object {($_.Value -in $BsurePermissions) -and ($_.AllowedMemberType -contains "Application")} do{ $spnBsure = (Get-AzADServicePrincipal -DisplayNameBeginsWith $BSureSpnName).Where({[datetime]($_.AdditionalProperties.createdDateTime) -ge $RunStartTime}) Clear-Host Write-Host "" Write-Host "Waiting for the Bsure Azure Managed Application Installation..." Write-Host "Do not close this window" Write-Host "" Start-Sleep -Seconds 30 if((Get-Date) -gt $RunAbortTime){ Write-Host "Service principal not created within 30 minutes. Exiting..." exit } }while($spnBsure.count -eq 0) $spnBsure | ForEach-Object{ $script:graphAPIReqHeader = @{ Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token)" Host = "graph.microsoft.com" } $currentSPN = $_ $currentSPN $assignedPermissionsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentSPN.Id)/appRoleAssignments" $currentAssignments = Invoke-RestMethod -Method Get -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader | Select-Object -ExpandProperty value $RolesToAddClean = $RolesToAdd | Where-Object {($_.id -notin $($currentAssignments.appRoleId))} foreach($AppRole in $RolesToAddClean) { $body = @{ principalId = $currentSPN.Id resourceId = $msGraphSpn.id appRoleId = $AppRole.id } | ConvertTo-Json -Depth 99 -Compress -EscapeHandling EscapeNonAscii Invoke-RestMethod -Method Post -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader -Body $body -ContentType "application/json" } $RolesToRemoveClean = $currentAssignments.appRoleId | Where-Object {($_ -notin $($RolesToAdd.id))} foreach($AppRole in $RolesToRemoveClean) { $toRemoveId = $currentAssignments | Where-Object -Property appRoleId -eq $AppRole | Select-Object -ExpandProperty id Invoke-RestMethod -Method Delete -Uri "$assignedPermissionsUri/$toRemoveId" -Headers $script:graphAPIReqHeader } } Write-Host "Done setting permissions for $($spnBsure.DisplayName) ($($spnBsure.Id))"