Overview

Nova Reporting uses service accounts to collect data from O365 tenants. Service accounts are used to collect data via PowerShell in cases where data can’t be collected via GraphAPI.
This article explains how to create a Read-Only Administrator account in Office 365 for use with Nova.  It is important that you complete all the steps. Service account can be created via:

  • PowerShell
  • Microsoft 365 Admin Center

It is recommended that you use the PowerShell method, as this contains less steps, however at the bottom of this article you can also find some steps on how to do this via the Admin Portal.
Your organization will not be charged by Microsoft for this account as it does not require an Office 365 licence.

Creating the Service Account using PowerShell

Connecting to Office 365

Before we begin, you need to install the “Microsoft Online Service Module” onto your machine. The “Set up your computer to use Powershell” section of our Connecting to Office 365 using PowerShell blog shows you how to do this.
Now open up Windows PowerShell and Copy & Paste in the following commands to connect to Office 365.
Please enter the username and password of an Office 365 Administrator account when prompted.

$Office365credentials = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $Office365credentials

Creating the Service Account

Now that you are connected to Office 365 in PowerShell, we can create the Service account.
Modify the line below and set the company.onmicrosoft.com part to match your own Office 365 .onmicrosoft.com domain and replace the password with a secure password of your own. We recommend a password of 10 characters or more that includes a mixture of capital and lower case letters, numbers and special characters.

New-MSolUser -DisplayName "Service Account for Nova Reporting" -UserPrincipalName "NovaReporting@company.onmicrosoft.com" -Password "Password123" -PasswordNeverExpires $true -ForceChangePassword $false

Next we need to add our new account to the ‘Global reader’. You can do this by copying and pasting the following line into the PowerShell window.
Remember to set the company.onmicrosoft.com part to match your Office 365 domain name

Add-MSOLRoleMember –RoleName "Global reader" –RoleMemberEmailAddress NovaReporting@company.onmicrosoft.com

Please note that you will not receive any confirmation if the commands are successful. You can check if the service account was set correctly by running PowerShell commands below:

$role = Get-MsolRole -RoleName "Global reader"
Get-MsolRoleMember -RoleObjectId $role.ObjectId

Creating the Service Account via the Microsoft 365 Admin Center

You can also create the service account via the Microfost 365 Admin Center, however you would still need to run a final PowerShell cmdlet to ensure that the password does not expire.

  1. On the Admin home page, go to Users -> Active users and  click on button Add a user
  2. Enter a Display Name (“Service Account for Nova Reporting”)
  3. Enter a User Name (“NovaReporting”)
  4. Ensure that the domain is the company.onmicrosoft.com one
  5.  Select “Let me create a password” and enter a strong one
  6. Ensure “Require this user to change their password when they first sign in” is NOT ticked
  7. In Product licenses page choose “Create user without product license”
  8. In Optional settings page chose Admin center access and select Global reader
  9. Review all your data and click Finish adding in last page

Note

If the password of the service account needs to be changed or is expired, it must be changed in Office and in Tenant Management System Client.

If your company policy allows passwords to never expire you can do it via PowerShell:

Set-MsolUser -UserPrincipalName NovaReporting@company.onmicrosoft.com -PasswordNeverExpires $true
Print Friendly, PDF & Email