Skip to main content

Office 365 Management


Office 365 is a line of online subscription services offered by Microsoft in their Microsoft Office product suite. Office 365 covers document creation and management, emailing, video conferencing and many more collaboration offerings. The Centreon Plugin relies on the Office 365 Graph API to collect and monitor the Office 365 information and metrics.

Monitoring Connector Assets​

Monitored objects​

  • Application credentials: Expiration of key and password credentials for each applications.
  • Office services: Applications available on the Office 365 portal: Exchange Online, Microsoft Intune, Skype for Business, Mobile Device Management for Office 365, OneDrive for Business, SharePoint Online, Microsoft Teams, etc...
  • Subscriptions: Commercial subscriptions that an organization has acquired

Collected metrics & status​

Metric nameUnit
password status
key status


More information is available in the official Microsoft documentation:

Register an application in Azure AD​

The Office 365 Management APIs use Azure AD to provide secure authentication to Office 365 tenant data. To access the Office 365 Management APIs, you need to register your app in Azure AD, and as part of the configuration, you will specify the permission levels your app needs to access the APIs.

To register your app in Azure AD, you need a subscription to Office 365 and a subscription to Azure that has been associated with your Office 365 subscription. After you have a Microsoft tenant with the proper subscriptions, you can register your application in Azure AD.

  1. Sign into the Azure management portal, using the credential of your Microsoft tenant that has the subscription to Office 365 you wish to use. You can also access the Azure Management Portal via a link that appears in the left navigation pane in the Office admin portal.
  2. In the left navigation panel, choose Active Directory. Make sure the Directory tab is selected, and then select the directory name.
  3. On the directory page, select Applications. Azure AD displays a list of the applications currently installed in your tenancy.
  4. Choose Add.
  5. Select Add an application my organization is developing.
  6. Enter the name of your application and specify the Type as "CENTREON API WEB".
  7. Enter the appropriate App properties:
  • SIGN-ON URL: The URL where users can sign in and use your app. You can change this later as needed.
  • APP ID URI. The URI used as a unique logical identifier for your app. The URI must be in a verified custom domain for an external user to grant your app access to their data in Windows Azure AD.

Configure your application properties in Azure AD​

Now that your application is registered, there are several important properties you must specify that determine how your application functions within Azure AD and how tenant admins will grant consent to allow your application to access their data by using the Office 365 Management APIs.

  1. CLIENT ID: This value is automatically generated by Azure AD. Your application will use this value when requesting consent from tenant admins and when requesting app-only tokens from Azure AD.
  2. APPLICATION IS MULTI-TENANT: This property must be set to YES to allow tenant admins to grant consent to your app to access their data by using the Office 365 Management APIs. If this property is set to NO, your application will only be able to access your own tenant's data.
  3. REPLY URL: This is the URL that a tenant admin will be redirected to after granting consent to allow your application to access their data by using the Office 365 Management APIs. You can configure multiple reply URLs as needed. Azure automatically sets the first one to match the sign-on URL you specified when you created the application, but you can change this value as needed.

Be sure to choose Save after making any changes to these properties.

Generate a new key for your application​

  1. In the Azure Management Portal, select your application and choose Configure in the top menu. Scroll down to keys.
  2. Select the duration for your key, and choose Save.
  3. Azure displays the app secret only after saving it. Select the Clipboard icon to copy the client secret to the Clipboard.

    Warning : As the app secret will only be displayed once, remember to save it for later.

Configure an X.509 certificate to enable service-to-service calls​

You must configure an X.509 certificate with your application to be used as client credentials when requesting app-only access tokens from Azure AD. There are two steps to the process:

  • Obtain an X.509 certificate: You can use a self-signed certificate or a certificate issued by publicly trusted certificate authority.
  • Modify your application manifest to include the thumbprint and public key of your certificate.

Specify the permissions your app requires to access the Office 365 Management APIs​

Finally, you need to specify exactly what permissions your app requires of the Office 365 Management APIs. To do so, you add access to the Office 365 Management APIs to your app, and then you specify the permission(s) you need:

  1. In the Azure Management Portal, select your application, and choose Configure in the top menu. Scroll down to permissions to other applications, and choose Add application.
  2. Select the Office 365 Management APIs so that it appears in the Selected column, and then select the check mark in the lower right to save your selection and return to the main configuration page for your application.
  3. The Office Management APIs now appear in the list of applications to which your application requires permissions. Under both Application Permissions and Delegated Permissions, select the permissions your application requires. Refer to the specific API reference for more details about each permission.

Add permissions to Microsoft Graph​

You also need to specify permissions for Microsoft Graph for both the Application and Delegated types of permissions. You will have to set the following privileges:

  "roles": [

Request access tokens from Azure AD​

After a tenant admin grants consent, your application receives an authorization code as a query string parameter when Azure AD redirects the tenant admin to your designated URL.

More information on how to get the token based on the authorization code is detailed here:


  1. Install the Centreon package on every poller expected to monitor Office 365 ressources:
yum install centreon-plugin-Cloud-Microsoft-Office365-Management-Api
  1. On the Centreon Web interface, install the Pack on the Configuration > Monitoring Connector Manager page.


Log into Centreon and add a new host through "Configuration > Hosts". In the host configuration form, apply the "Cloud-Microsoft-Office365-Management-Api-Custom" template and set the macros marked as mandatory below:

XOFFICE365TENANTOffice 365 tenant ID
XOFFICE365CLIENTIDOffice 365 client ID
XOFFICE365CLIENTSECRETOffice 365 client secret


How to test the Plugin through the CLI and what are the main parameters for ?​

Once the Centreon plugin installed, you can test it directly on the Centreon Poller by logging into the CLI with the centreon-engine user:

/usr/lib/centreon/plugins// \
--plugin=cloud::microsoft::office365::management::plugin \
--mode=service-status \
--tenant='b3dd23de-593f3cfe-4d741212-bcf9-f035c1a2eb24' \
--client-id='76f82731-073b-4eb2-9228-901d252d2cb6-1b0d' \
--client-secret='9/kRTASjPoy9FJfQZg6iznX\AkzCGertBgNq5r3tPfECJfKxj6zA=' \
--filter-service-name='Exchange Online' \
--critical-status='%{status} !~ /serviceOperational|serviceRestored/i' \

OK: Service 'Exchange Online' status is 'serviceOperational' |

The above command requests the Office 365 Graph API (--plugin=cloud::microsoft::office365::management::plugin) with a set of credentials previously defined (--tenant='b3dd23de-593f3cfe-4d741212-bcf9-f035c1a2eb24' --client-id='76f82731-073b-4eb2-9228-901d252d2cb6-1b0d' --client-secret='9/kRTASjPoy9FJfQZg6iznX\AkzCGertBgNq5r3tPfECJfKxj6zA='). This command aims to check the status of the Exchange Online service (--mode=service-status --filter-service-name='Exchange Online'). A CRITICAL alert would be triggered if the Exchange Online returned service status is not serviceOperational (--critical-status='%{status}).

When executing the command, I get the following error message: UNKNOWN: Cannot decode json response​

If you receive this message, add the --debug option to the command to get more information about the error:

--filter-service-name='Exchange Online'
--warning-status='' \
--critical-status='%{status} !~ /serviceOperational|serviceRestored/i' \
--debug \

UNKNOWN: Cannot decode json response: malformed JSON string, neither tag, array, object, number,
string or atom, at character offset 0 (before "System.Collections.G...") at
/usr/lib/centreon/plugins/ line xxx

Most common reasons for this message are:

  • Check that the tenant id / client id / client secret credentials are properly set. If any modification is made on the associated privileges, delete the Plugin cache file: /var/lib/centreon/centplugins/office365_managementapi_*.
  • The Plugin cannot connect to the Office 365 API: there might be a third-party device (Firewall, Proxy...) dropping the flows.
  • The "lwp" web library used by the Plugin in unable to properly handle the request. Prevent this behavior by using the "curl" backend. Just add the following option --http-backend=curl to the command.

How do I get a description of the available options ?​

The whole list of options and their usage can be displayed by adding the --help parameter to the command:

/usr/lib/centreon/plugins// \
--plugin=cloud::microsoft::office365::management::plugin \
--mode=service-status \