Part 1: Setup & Configuration
Introduction
Microsoft 365 is typically the largest SaaS spend in any organisation. SAM Pro enables you to track your M365 subscriptions and usage to determine license compliance and act on optimization opportunities â including automated license removal.
This is Part 1 of a 2-part series on M365 optimization with SAM Pro:
- Setup & Configuration (this article)
- Compliance, Optimization & Reclamation
This article covers everything you need to set up the M365 integration, from prerequisites through to creating your entitlements. The structure follows the Microsoft 365 Guided Setup in the Success Portal.
Guided Setup vs Manual Configuration
SAM Pro offers a Guided Setup that walks you through each step with prescriptive guidance. This is the recommended approach for most practitioners.
Using the Guided Setup (Recommended)
The Guided Setup takes you through three phases:
- Prerequisites
- SAM Configurations
- Verification (covered in Part 2)
It tracks your progress and validates each step.
To access the Guided Setup:
- Navigate to Workspaces â Software Asset Workspace â Success Portal
- Select the Product Setups tab
Then either:
Option A:
- On the Product Setups page, select Get Started on the Microsoft 365 tile
Option B:
- Select Set up product
- In the Set up product dialog box, select SaaS from the Setup type dropdown
- Select Microsoft 365 in the Integration profile field
- Select Next
đĽ Video: Microsoft 365 Guided Setup Overview
Detailed Configuration
The rest of this article provides the detailed steps. If you're using the Guided Setup, this serves as a reference for understanding what each step accomplishes.
Phase 1: Prerequisites
Complete these prerequisites before beginning the SAM configurations.
1.1 Install SAM Professional for Microsoft
Install the Software Asset Management Professional for Microsoft plugin (com.snc.samp.microsoft) to access the Microsoft Publisher pack features in the Software Asset Management application.
| Plugin | ID |
|---|---|
| SAM Professional for Microsoft | com.snc.samp.microsoft |
1.2 Install ITAM Health Check
Install the ITAM Health Check application to get an overview of your Software Asset Management configurations and receive recommendations for correcting errors.
The application is available in the ServiceNow Store.
1.3 Install SaaS License Management
Install the Software Asset Management - SaaS License Management plugin (com.sn_sam_saas_int) to create and manage integrations with your SaaS and Single Sign-On (SSO) applications. These integrations enable you to track license usage and reclaim unused licenses effectively.
| Plugin | ID |
|---|---|
| SaaS License Management | com.sn_sam_saas_int |
1.4 Install Microsoft Entra ID Spoke
Install the Microsoft Entra ID Spoke (formerly Azure AD Spoke) to enable automated integration with the Microsoft 365 Admin Center for license removal and other scenarios.
â ď¸ Note: An Integration Hub subscription is required for this spoke. For more information, see Integration Hub documentation.
Without the Entra ID Spoke, reclamation workflows will identify candidates but require manual license removal in the M365 Admin Center.
1.5 Receive Latest Updates from Content Service
Update your instance with new content twice every week on a scheduled basis through Software Asset Management Content Service.
The Software Asset Management application provides automated content to simplify the normalization of software installations and subscriptions, offering enriched data such as:
- Lifecycle information
- Downgrade rights
- Suite definitions
This data is essential for maintaining accurate license compliance and optimization.
1.6 Create a Success Goal
Create a success goal to track the success of Microsoft 365 configuration setup on the Software Asset Management application.
This goal helps you monitor progress through the setup phases and provides visibility for stakeholders.
đĄ Note: You'll create a second success goal in Part 2 to track ongoing license management and optimization.
Phase 2: SAM Configurations
Configure your Software Asset Management application, including setting up user accounts, managing licenses, and confirming compliance with Microsoft's software usage policies.
2.1 Register Application on Microsoft Entra ID
Register an application on Microsoft Entra ID (formerly Azure Active Directory) that enables the retrieval of all subscriptions provisioned in the Microsoft 365 Admin Center.
đĽ Video: Register a Microsoft Azure AD Application
Required Access
You need Global Administrator privileges in Microsoft Entra ID.
Process
- Log into the Azure Portal with Global Administrator credentials
- Navigate to Microsoft Entra ID (Azure Active Directory) â App registrations
- Click New registration
- Enter a name (e.g., "ServiceNow M365 Integration")
- Select Multi-tenant for supported account types
- Click Register
Capture Your IDs
After registration, copy and save these values â you'll need them for ServiceNow:
| Field | Where to Find It |
|---|---|
| Application (client) ID | Overview page |
| Directory (tenant) ID | Overview page |
Create a Client Secret
- Navigate to Manage â Certificates & secrets
- Click New client secret
- Enter a description (e.g., "ServiceNow M365 Integration")
- Select an expiration period (180 days, 1 year, 2 years, or never)
- Click Add
- Copy the VALUE immediately (not the Secret ID)
â ď¸ Warning: Copy the Value field, not the Secret ID. The value is only shown once â if you navigate away, you'll need to create a new secret.
â ď¸ Secret Expiration: If you set an expiration, you must renew before it expires or your integration jobs will fail.
Configure API Permissions
- Navigate to Manage â API permissions
- Click Add a permission
- Select Microsoft Graph
- Select Application permissions
- Add these permissions:
| Permission | Purpose |
|---|---|
| User.Read.All | Download subscription assignments |
| Organization.Read.All | Download subscription data |
| Reports.Read.All | Pull user activity/usage data |
For automated license removal (requires Entra ID Spoke), also add:
| Permission | Purpose |
|---|---|
| GroupMember.ReadWrite.All | Manage group membership for reclamation |
| LicenseAssignment.ReadWrite.All | Remove licenses automatically |
- Click Grant admin consent (button above the permissions list)
- Verify all permissions show "Granted" status
â ď¸ Important: Only a Global Administrator can grant admin consent. Without this step, the integration won't work.
2.2 Configure Power BI Usage
Enable service principal authentication for Power BI read-only APIs to enable your application access to Power BI service content and APIs. This access helps optimize your Microsoft 365 subscriptions, such as downgrading subscriptions from Office 365 E5 to Office 365 E3 or removing Power BI low-usage subscriptions.
đĽ Video: Enable Service Principal Authentication for Power BI
Required Access
You need:
- Global Administrator privileges in Microsoft Entra ID
- Power BI Administrator privileges
Create a Security Group in Azure
- In Azure Portal, navigate to Microsoft Entra ID â Groups â All groups
- Click New group
- Configure:
- Group type: Security
- Group name: (e.g., "ServiceNow M365 Integration")
- Membership type: Assigned
- Click Create
Add Your Application to the Security Group
- Find your newly created security group
- Go to Manage â Members
- Click Add members
- Search for your application name
- Select the Enterprise application (not the group with the same name)
- Click Select
Enable in Power BI Admin Portal
- Go to Power BI Admin Portal
- Log in with Power BI Administrator credentials
- Navigate to Tenant settings
- Find the Admin API settings section
- Expand "Service principals can access read-only admin APIs"
- Toggle to Enabled
- In the security group field, add your security group
- Click Apply
â ď¸ 15-Minute Delay: Changes take up to 15 minutes to replicate. Wait before testing the integration.
â ď¸ Permission Management: After enabling this setting, Azure portal application permissions for Power BI are no longer effective. All Power BI permissions must be managed through the Power BI Admin Portal.
2.3 Prevent Anonymous User Information
By default, Microsoft hides the user names of subscribers in the Microsoft 365 Admin Center, preventing ServiceNow from accurately tracking Microsoft 365 license usage. To resolve this issue, disable this anonymization feature in the Microsoft 365 Admin Center.
đĽ Video: Configure Updates on Microsoft 365 Admin Center
Process
- Log into the M365 Admin Center
- Click Show all in the left navigation (Settings may be hidden)
- Navigate to Settings â Settings
- Scroll down and click Reports
- Deselect "Display concealed user, group, and site names in all reports"
- Click Save
â ď¸ Critical: This setting is ON by default. If you don't disable it, all subscription data will show masked user IDs instead of actual names, and SAM Pro cannot determine who owns which subscription.
2.4 Set Up Microsoft 365 Integration Profile
Create a Microsoft 365 integration profile in the Software Asset Management application to import user subscription data, determine license compliance, and identify optimization opportunities. If you manage multiple tenants, create a separate integration profile for each.
đĽ Video: Create a Microsoft 365 Integration Profile
Required Roles
| Action | Required Role |
|---|---|
| Create integration profile | Administrator, SAM Administrator, or SAM Integrator |
| Execute scheduled jobs manually | System Administrator |
Create the Profile
- Navigate to License Operations â Direct Integration Profiles
- Click New
- Select Microsoft M365 from the dropdown
- Click Continue
- Fill in the form:
| Field | Value |
|---|---|
| Name | Microsoft 365 (or your preferred name) |
| Client ID | (from Step 2.1) |
| Tenant ID | (from Step 2.1) |
| Client Secret | (the VALUE from Step 2.1) |
- Click Submit
- Click "Publish" â don't skip this step!
- Refresh and verify status shows "Published"
Configure for Government Customers (If Applicable)
The ServiceNow platform supports Microsoft 365 Government plans, offering all the features of Microsoft 365 services within a government-exclusive cloud. This setup helps organisations comply with U.S. security and compliance standards.
If your organisation uses Microsoft 365 Government plans, configure the integration profile to connect to the government-exclusive cloud endpoints. Refer to ServiceNow documentation for government-specific endpoint configuration.
2.5 Configure Usage for Copilot, Visio, and Project
Microsoft doesn't provide APIs to get usage directly for Microsoft 365 subscription products such as Microsoft Visio, Microsoft Project, and Microsoft Copilot. However, you can download activity reports for these products from the Microsoft 365 Admin Center.
Microsoft 365 administrators can download these reports and SAM Admins can attach them unmodified to the integration profile in the Software Asset Management application. The scheduled jobs within ServiceNow will then process these reports and identify reclamation candidates if the usage is low.
đĽ Video: Semi-Automated Import for Visio, Project and Copilot Usage Data
Download Reports from M365 Admin Center
- Log into M365 Admin Center with admin privileges
- Navigate to Reports â Usage
- For each product (Copilot, Project, Visio):
- Click on the product
- Go to the Usage tab
- Click Export
- Save the CSV file
â ď¸ Critical: Do NOT rename or modify the CSV files. ServiceNow expects the exact format and filename from Microsoft.
Upload to ServiceNow
- Navigate to Software Asset Management Workspace â License Operations â Direct Integration Profiles
- Select your Microsoft 365 integration profile
- Go to the Attachments section
- Upload all three CSV files
- Click Save
â ď¸ Multiple Tenants: If you have multiple M365 tenants, attach each CSV to the correct tenant's integration profile.
Processing
A daily scheduled job processes the attached files and imports usage data. After the job runs, verify data appears in License Operations â Software Usage.
đĄ Ongoing Process: Download and upload these reports regularly (e.g., monthly) to keep usage data current.
2.6 Configure Reclamation Rules
The Software Asset Management application automatically provides base system reclamation rules when you create an integration profile for Microsoft 365.
To view and configure these rules:
- Navigate to Software Asset â Reclamation â Reclamation Rules
- Filter by Publisher = Microsoft
You may see multiple rules for different optimization scenarios (low usage, downgrade, overlapping, consolidate).
Key Rule Parameters
| Parameter | What It Controls | Recommended Starting Value |
|---|---|---|
| Last activity threshold | Days since last activity before flagging | 90 days (conservative start) |
| Days before auto reclamation | Grace period after notification | 14 days |
| Include usage from discovery | Include SCCM/ACC data for Access, Publisher | Yes |
| User notification | Notify users before reclamation | Yes |
| Manager approval | Require manager sign-off | Organisation-dependent |
đĄ Tip: Start conservative with 90-day thresholds, then tighten to 60 days as you build confidence in the data accuracy.
2.7 Configure User Resolution Rules
Resolve or match the Microsoft 365 Admin Center user to the ServiceNow user (sys_user) to determine the right license compliance and provide correct optimization recommendations.
The User Principal Name (UPN) from M365 must match ServiceNow user records. If there are mismatches, configure user resolution rules to handle them.
â ď¸ Important: Sometimes licenses are assigned to non-human users such as shared email accounts. In these instances, you can skip the user resolution process as it isn't required.
2.8 Run Scheduled Jobs
The Microsoft 365 integration profile you created automatically gets subscription and usage information from the Microsoft 365 Admin Center on a scheduled basis. You can run these jobs on demand and verify they complete successfully.
Key Scheduled Jobs
| Job | Default Frequency | Purpose |
|---|---|---|
| SAM - Collect Microsoft 365 Usage | Daily | Collects usage data from Microsoft APIs |
| Import 365 usage | Weekly | Imports subscription and usage data |
| SAM - Create New Reclamation Candidates for Office 365 Integration | Weekly | Generates reclamation candidates |
Run Jobs Manually
- Navigate to System Definition â Scheduled Jobs
- Search for "365" or "Microsoft"
- Select the job you want to run
- Click Execute Now
- Wait for the job to complete and verify success
Verify Data Import
After jobs complete, check:
| What to Check | Where | What You Should See |
|---|---|---|
| User Subscriptions | License Operations â User Subscriptions | Subscriptions appearing (filter by your profile) |
| Software Usage | License Operations â Software Usage | Usage data appearing |
| Software Models | License Operations â Software Models | Models auto-created for Microsoft products |
2.9 Set Up Software Models and Entitlements
The Software Asset Management application integrates with the Microsoft 365 Admin Center to generate software models automatically based on assigned subscriptions. These models include suite components, downgrades, and lifecycle details to confirm compliance and optimize licensing.
For these automatically created software models, you need to add your entitlements.
Why Entitlements Matter
Entitlements serve two critical purposes:
1. Compliance: Entitlements record what you've purchased from Microsoft. SAM Pro compares your entitlements (licenses owned) against consumption from the M365 Admin Center (licenses used) to determine your compliance position â whether you're compliant, over-licensed, or under-licensed.
2. Savings Calculations: SAM Pro calculates potential and realised savings based on the unit prices in your entitlement records. Without unit prices on your entitlements, the Optimization and Savings dashboard won't show accurate cost data.
â ď¸ Important: Without entitlements, you cannot determine compliance or calculate savings. Creating accurate entitlements with unit prices is essential for the full value of M365 optimization.
Automatic Software Model Creation
When the M365 integration runs, SAM Pro automatically creates software models based on the subscriptions it discovers. You don't need to create Microsoft software models manually.
đĄ Tip: If you have previously set up entitlements using Publisher Part Number, the software models from that setup are used in this integration, avoiding the creation of duplicate models.
â ď¸ Important: Verify that no software models are created without Discovery Maps (DMAPs) and no entitlements are created without a Publisher Part Number (PPN) for a smoother implementation.
Creating Your M365 Entitlements
For each M365/O365 subscription type you've purchased, create an entitlement with:
| Field | What to Enter |
|---|---|
| Software Model | Select the appropriate M365/O365 model (e.g., Microsoft 365 Enterprise E5) |
| License Metric | Per Named User (not per device) |
| Quantity | Number of licenses purchased |
| Unit Price | Your agreement price per license (enables savings calculations) |
| Contract | Reference to your Microsoft EA or agreement |
| Publisher Part Number | From your Microsoft invoice |
| License Type | See table below |
License Types
Microsoft 365 offers various subscription types. Select the appropriate license type based on your scenario:
| Your Scenario | License Type to Use |
|---|---|
| New cloud subscription | Full USL |
| Migrating from on-prem with SA | From SA USL |
| Evaluating cloud while keeping perpetual | Add-on USL |
| Upgrading E3 to E5 | Step-up |
| Planning future capacity | Reserve |
Set Up Add-on, From SA, and Step-up Entitlements
Associate an Add-on license with a perpetual Office legacy license with active Software Assurance. This is used when you're evaluating cloud features while continuing to use your on-premises perpetual license.
From SA USL is used when transitioning from on-premises perpetual licenses with active Software Assurance to cloud subscriptions.
Step-up licenses are used when upgrading from a lower tier to a higher tier (e.g., E3 to E5), allowing you to pay only the price difference.
Set Up License Reservations
Create Reserve entitlements for Microsoft online services to add licenses to your existing Microsoft 365 subscriptions. This is used for capacity planning when you're ordering licenses ahead of your annual true-up.
Reserve entitlements track:
- Reservation quantity
- Expected activation date
- Associated subscription type
Entitlement Best Practices
1. Use Publisher Part Number (PPN)
If you set up entitlements using the Publisher Part Number from your Microsoft invoice, SAM Pro will reuse existing software models and prevent duplicates.
2. Match Entitlement to Subscription Level
| If You Purchased | Create Entitlement For |
|---|---|
| Microsoft 365 E3 | Microsoft 365 E3 (not Office 365 E3 separately) |
| Office 365 E5 | Office 365 E5 |
| Separate O365 E3 + EMS E3 + Windows E3 | Can create separately; SAM Pro handles the mapping |
3. Include Unit Prices
Without unit prices, SAM Pro can still identify optimization candidates but cannot calculate potential or realised savings. Enter your actual agreement pricing for accurate cost analysis.
4. Create Entitlements for Each Tier
If you have a mix of E3 and E5 licenses, create separate entitlements for each tier with their respective quantities and unit prices.
Troubleshooting Common Issues
| Symptom | Cause | Resolution |
|---|---|---|
| No subscriptions appearing | Missing permissions or consent | Verify Entra ID app permissions and admin consent status |
| Subscriptions but no usage data | Reports.Read.All not granted or job not run | Check permission; run the usage collection job |
| User names showing as anonymous | Concealed user setting enabled | Disable in M365 Admin Center â Settings â Reports |
| User mismatch (subscriptions not matching users) | UPN doesn't match ServiceNow user | Configure user resolution rules |
| No Power BI usage data | Power BI service principal not configured | Complete Step 2.2; wait 15 minutes for replication |
| Copilot/Visio/Project showing no usage | CSV not uploaded or job not run | Upload reports to integration profile; run daily job |
| Jobs failing after working previously | Client secret expired | Generate new secret in Entra ID; update integration profile |
| Duplicate software models | Entitlements created without PPN | Use Publisher Part Number when creating entitlements |
What's Next?
Your M365 integration is now configured, importing data, and your entitlements are set up for accurate savings calculations. In Part 2, we'll cover:
- Verifying your configuration
- Understanding your M365 data and optimization opportunities
- Acting on compliance and optimization recommendations
- Ongoing operations
Continue to: Part 2: Compliance, Optimization & Reclamation
Quick Reference: Video Playlist
| Topic | Video |
|---|---|
| Guided Setup Overview | Microsoft 365 Guided Setup |
| Register Entra ID App | Register a Microsoft Azure AD Application |
| Power BI Setup | Enable Service Principal Authentication for Power BI |
| Disable Anonymous Users | Configure Updates on Microsoft 365 Admin Center |
| Create Integration Profile | Create a Microsoft 365 Integration Profile |
| Copilot/Visio/Project Upload | Semi-Automated Import for Visio, Project and Copilot |
Questions?
Join us at SAM Office Hours â our monthly community call where you can ask questions directly to product experts. Check the Community Events calendar for the next session.
This is Part 1 of a 2-part series on M365 Optimization with SAM Pro.
