Bsure Documentation

Installation Instructions

How to install the Bsure Insights Marketplace app

Last updated 3 months ago

Make sure you have all the prerequisites in place before you begin.

If you encounter any problems during the installation, please review the Frequently asked questions.

Step 1 - Run the requirements check script

To install the Bsure Insights Data Collector you need to be a Global Administrator with the Owner RBAC role on at least 1 subscription in an Entra ID P1 enabled tenant. The script will validate that you meet those requirements.

Click the Azure Cloud Shell to start a PowerShell session. (If you have not used the Cloud Shell before, you will be prompted to select/create a storage account)

Copy this script to your clipboard:

#Builds Auth Headers for Graph API
$graphAPIReqHeader = @{
    Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token)"
    Host = "graph.microsoft.com"
    ConsistencyLevel = 'eventual'
}

# Get the signed in user's ID
$userId = $(az ad signed-in-user show --query id -o tsv)

# Gets the available licenses for the tenant
$licensesUrl = "https://graph.microsoft.com/v1.0/subscribedSkus"
$licenses = Invoke-RestMethod -Uri $licensesUrl -Headers $graphAPIReqHeader

# Check if the Azure AD Premium P1 license is available
$isP1Enabled = $licenses.value.servicePlans | Where-Object {$_.servicePlanName -eq "AAD_PREMIUM"} | Select-Object -First 1

$rolesUrl = "https://graph.microsoft.com/beta/rolemanagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId eq '$userId'"
$roles = Invoke-RestMethod -Uri $rolesUrl -Headers $graphAPIReqHeader

# Check if the user is a member of the Global Administrator role
$isGlobalAdmin = $roles.value | Where-Object {$_.roleDefinitionId -eq "62e90394-69f5-4237-9190-012177145e10"} | Select-Object -First 1

# Get the list of subscriptions
$subIds = $(az account list --query "[].id" -o tsv)

# Get the list of subscriptions where the user is a Resource Owner
$resSubCount = $subIds | ForEach-Object{
    $(az role assignment list --assignee $userId --all --query "[?roleDefinitionName == 'Owner'].scope" --subscription "$_" -o tsv)
}

if($resSubCount.Count -gt 1){
    $subscriptionReplacement = "subscriptions"
}else{
    $subscriptionReplacement = "subscription"
}

# Clear the screen
# Display the results
$allRequired = $isP1Enabled -and $isGlobalAdmin -and ($resSubCount.Count -gt 0)
$allRequiredMessage = if ($allRequired) {"You have all the required permissions & licenses."} else {"You do not have all the required permissions & licenses."}
$aadP1Result = if ($isP1Enabled) {"Entra ID P1 is enabled in your tenant."} else {"Entra ID P1 is not enabled in your tenant."}
$globalAdminMessage = if ($isGlobalAdmin) {"You are a Global Administrator in your tenant."} else {"You are not a Global Administrator in your tenant."}
$ownerMessage = if ($resSubCount.Count -gt 0) {"You have the Owner RBAC Role for $($resSubCount.Count) $subscriptionReplacement."} else {"You do not have the Owner RBAC Role on any subscription."}
$sb = {
Clear-Host
Write-Host "--------------------------" -ForegroundColor Yellow
Write-Host $aadP1Result -ForegroundColor $(if ($isP1Enabled) {"Green"} else {"Red"})
Write-Host $globalAdminMessage -ForegroundColor $(if ($isGlobalAdmin) {"Green"} else {"Red"})
Write-Host $ownerMessage -ForegroundColor $(if ($resSubCount.Count -gt 0) {"Green"} else {"Red"})
Write-Host $allRequiredMessage -ForegroundColor $(if ($allRequired) {"Green"} else {"Red"})
Write-Host "--------------------------" -ForegroundColor Yellow
}
Invoke-Command -ScriptBlock $sb

#Press enter or exit the console

Paste the script into the PowerShell session, and hit Enter.

A failed run will contain red text on the failed checks:

Please correct any missing requirements and rerun the requirements check.

A successful run will contain all green text:

If all the checks are green it means you have the required access to proceed to Step 2:

Step 2 - Start the permissions script

To collect license and user information, the Bsure Insights Data Collector application needs read permissions to your Azure Active Directory.

Click the Azure Cloud Shell to start a PowerShell session. (If you have not used the Cloud Shell before, you will be prompted to select/create a storage account)

Copy this script to your clipboard:

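# Display-name prefix of the service principal this script waits for
$BSureSpnName = 'Bsure-Umi-'

# Microsoft Graph application permissions to assign to that service principal
$BsurePermissions = @(
  "Directory.Read.All"
  "AuditLog.Read.All"
  "Domain.Read.All"
  "Reports.Read.All"
  "Policy.Read.All"
  "MailboxSettings.Read"
)

# Only consider service principals created in the last 30 minutes or later;
# stop polling 30 minutes from now
$RunStartTime = (Get-Date).AddMinutes(-30)
$RunAbortTime = (Get-Date).AddMinutes(30)

# Application ID of Microsoft Graph
$GraphAppId = "00000003-0000-0000-c000-000000000000"

$msGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Resolve the permission names to Graph app roles that may be assigned to applications
$RolesToAdd = $msGraphSpn.AppRole | Where-Object {($_.Value -in $BsurePermissions) -and ($_.AllowedMemberType -contains "Application")}

# Poll every 30 seconds until a matching service principal exists
do{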
    $spnBsure = (Get-AzADServicePrincipal -DisplayNameBeginsWith $BSureSpnName).Where({[datetime]($_.AdditionalProperties.createdDateTime) -ge $RunStartTime})
    Clear-Host
    Write-Host ""
    Write-Host "Waiting for the Bsure Azure Managed Application Installation..."
    Write-Host "Do not close this window"
    Write-Host ""

    Start-Sleep -Seconds 30
    if((Get-Date) -gt $RunAbortTime){
        Write-Host "Service principal not created within 30 minutes. Exiting..."
        exit
    }
}while($spnBsure.count -eq 0)

$spnBsure | ForEach-Object{

    $script:graphAPIReqHeader = @{
        Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token)"
        Host = "graph.microsoft.com"
    }

    $currentSPN = $_
    $currentSPN
    $assignedPermissionsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentSPN.Id)/appRoleAssignments"

    $currentAssignments = Invoke-RestMethod -Method Get -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader | Select-Object -ExpandProperty value
    
    # Only add roles that are not already assigned
    $RolesToAddClean = $RolesToAdd | Where-Object {($_.id -notin $($currentAssignments.appRoleId))}
    
    foreach($AppRole in $RolesToAddClean)
    {
        $body = @{
            principalId = $currentSPN.Id
            resourceId = $msGraphSpn.id
            appRoleId = $AppRole.id
        } | ConvertTo-Json -Depth 99 -Compress -EscapeHandling EscapeNonAscii
    
        Invoke-RestMethod -Method Post -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader -Body $body -ContentType "application/json"
    }
    
    # Remove any existing app role assignment on this service principal that is not in the list above
    $RolesToRemoveClean = $currentAssignments.appRoleId | Where-Object {($_ -notin $($RolesToAdd.id))}
    
    foreach($AppRole in $RolesToRemoveClean)
    {
        $toRemoveId = $currentAssignments | Where-Object -Property appRoleId -eq $AppRole | Select-Object -ExpandProperty id
        Invoke-RestMethod -Method Delete -Uri "$assignedPermissionsUri/$toRemoveId" -Headers $script:graphAPIReqHeader
    }
}

Write-Host "Done setting permissions for $($spnBsure.DisplayName) ($($spnBsure.Id))"

Paste the script into the PowerShell session, and hit Enter.

The script polls until the Step 3 installation has created the Bsure service principal. Do not wait for the script to complete; start Step 3 immediately after pasting the script and pressing Enter.

The application will get read permissions to your Azure AD, and is able to collect license and user information once Step 2 completes.

You can see the permissions granted to the Collector app if you go to Azure Active Directory, Enterprise Applications and find the Bsure-Fn-DataCollector app.
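The same check can be scripted. The following is an added example, not part of the Bsure scripts: it compares the Graph app roles held by a service principal with the six permissions listed in the Step 2 script and reports anything missing or unexpected. The function name `Compare-GraphAppRoleGrant` and the sample GUIDs are hypothetical; the commented live calls assume a single service principal matches the `Bsure-Umi-` prefix.

```powershell
# Added example (not Bsure's code). Function name and sample GUIDs are hypothetical.
$ExpectedPermissions = @(
    'Directory.Read.All', 'AuditLog.Read.All', 'Domain.Read.All',
    'Reports.Read.All', 'Policy.Read.All', 'MailboxSettings.Read'
)

function Compare-GraphAppRoleGrant {
    param(
        [string[]]$Expected,       # permission names that should be granted
        [object[]]$GraphAppRoles,  # AppRole list of the Microsoft Graph service principal
        [object[]]$Assignments     # "value" array from .../appRoleAssignments
    )
    # Map appRoleId -> permission name so assignments can be read by name
    $nameById = @{}
    foreach ($role in $GraphAppRoles) { $nameById[[string]$role.Id] = $role.Value }

    # IDs that are not Graph app roles (other resources) are reported as unknown
    $granted = @(foreach ($a in $Assignments) {
        $id = [string]$a.appRoleId
        if ($nameById.ContainsKey($id)) { $nameById[$id] } else { "unknown:$id" }
    })

    [pscustomobject]@{
        Granted    = @($granted | Sort-Object -Unique)
        Missing    = @($Expected | Where-Object { $_ -notin $granted })
        Unexpected = @($granted | Where-Object { $_ -notin $Expected } | Sort-Object -Unique)
    }
}

# Constructed sample data: placeholder GUIDs, not real Graph role IDs
$sampleRoles = @(
    [pscustomobject]@{ Id = '11111111-0000-0000-0000-000000000001'; Value = 'Directory.Read.All' }
    [pscustomobject]@{ Id = '11111111-0000-0000-0000-000000000002'; Value = 'AuditLog.Read.All' }
    [pscustomobject]@{ Id = '11111111-0000-0000-0000-000000000009'; Value = 'Directory.ReadWrite.All' }
)
$sampleAssignments = @(
    [pscustomobject]@{ appRoleId = '11111111-0000-0000-0000-000000000001' }
    [pscustomobject]@{ appRoleId = '11111111-0000-0000-0000-000000000009' }
)
Compare-GraphAppRoleGrant -Expected $ExpectedPermissions -GraphAppRoles $sampleRoles -Assignments $sampleAssignments

# Live use in Cloud Shell (same calls as the Step 2 script; assumes one matching principal):
#   $graph = Get-AzADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
#   $spn   = Get-AzADServicePrincipal -DisplayNameBeginsWith 'Bsure-Umi-'
#   $hdr   = @{ Authorization = "Bearer $((Get-AzAccessToken -ResourceTypeName MSGraph).token)" }
#   $uri   = "https://graph.microsoft.com/v1.0/servicePrincipals/$($spn.Id)/appRoleAssignments"
#   $cur   = (Invoke-RestMethod -Uri $uri -Headers $hdr).value
#   Compare-GraphAppRoleGrant -Expected $ExpectedPermissions -GraphAppRoles $graph.AppRole -Assignments $cur
```

An empty `Missing` and an empty `Unexpected` list mean the service principal holds exactly the permissions named in Step 2.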

IMPORTANT! Make sure you have the permissions script running before you proceed to Step 3. The installation will FAIL if you skip Step 2.

Step 3 - Install Bsure Insights Data Collector
  1. Log in to the Azure portal using your Global Administrator credentials.

  2. Select Create a resource.

  3. In the Search services and marketplace box, enter Bsure Insights.

  4. From the results, select Bsure Insights for Microsoft 365 and Entra ID - Data Collector (direct link).

  5. Select the default Plan Bsure PayGo, and click Create.

  6. On the Create Bsure Insights page, the first section is Basics.

    • Subscription - Select the subscription you have decided to use for your installation.

    • Resource group - Select your resource group, or create a new one if needed.

    • Region - Select your region (recommended to use the same region as your Storage Account).

    • Application Name - Select a name for the application.

    • Managed Resource Group - Use the provided name.

  7. The next section is Storage Configuration

    • Data Retention Days - Number of days to retain data in the storage account.

    • Storage Account 1 Connection String - Enter a valid Storage Account connection string. (You will find the connection string by going to your storage account and choosing the Access Keys menu.)

    • Confirm Connection String - Paste the same connection string again.

    • Advanced Configuration (Optional)

      Select only if you want to write data to a second Storage Account. A second storage account can be used for multi-tenant support, or as a separate archive (Data Retention Days does not apply to the second storage account).

  8. Select Next : Review + create. After validation has passed, agree to the terms and conditions, and select Create.

  9. Wait for deployment to finish (less than 5 minutes).

After the installation is complete, the Data Collector will start collecting data within 15 minutes.

Step 4 - Install Bsure Insights Power BI app
  1. Go to Microsoft AppSource with a Power BI Pro licensed user.

  2. Search for Bsure Insights, and select our app. You can also use this direct link: Bsure Insights for Microsoft 365 and Entra ID

  3. Select Get it now (sign in if prompted). If prompted, confirm your details, agree to the terms of use and select Get it now again.

  4. Select Install.

  5. Wait for installation to complete (less than 5 minutes)

  6. Go to Apps and start Bsure Insights

  7. You are now viewing the app with sample data. Select Connect your data in the yellow ribbon.

  8. Enter the Name of your storage account (from prerequisites) and select Next.

  9. Enter the Access Key to your storage account in the Account key field, and select Sign in and connect.

You should now be able to see your own data in the Power BI app!

Typically, it is sufficient for a single user in your organization to install the Power BI app.

Step 5 - Configure Power BI app data refresh

Go to Workspaces and select Bsure Insights

Hover over Bsure Insights and select the icon to configure refresh.

Expand Refresh, select Add another time and set it to 6 AM local time of your Azure region.

Select Apply.

You can find instructions on how to share the app with others in our sharing guide.
