Onboarding Devices in the Microsoft 365 Apps Admin Center
*Updates added on 7/12/2022
The Microsoft 365 Apps admin center provides several cloud-based features to help you manage the Microsoft 365 Apps in your organization. Features such as Inventory, Security Update Status and Servicing Profiles deliver powerful insights about your Microsoft 365 apps, while helping to ensure they remain up-to-date and secure. If you are not familiar with the Microsoft 365 Apps admin center and the features mentioned above, take a few minutes to review the Roadmap to modern management for Microsoft 365 Apps. Additionally, check out the guided simulations for each of these features available here: Microsoft 365 Apps Management and Health Services.
In this blog post, we're going to take a closer look at how devices onboard to our inventory service within the Microsoft 365 Apps admin center. Successful onboarding is a prerequisite for reporting and update management. Once devices have completed onboarding, they will appear in inventory and their update compliance information will populate on the Security Update Status page. You will also have access to target these devices with a Servicing Profile to ensure they are on the correct update channel and receiving updates consistently with minimal effort.
Note: There are other features in the portal that operate independently from Inventory, Security Update Status and Servicing Profiles. We will not be covering these features in detail in this post but be aware that they do have their own requirements for device onboarding. For example, OneDrive Sync health requires you to setup a Tenant Association Key and Apps Health requires you to enable diagnostic data.
Breaking Down the Onboarding Process
Unlike other management tools, device onboarding with inventory does not require you to deploy any additional software or settings to devices. Instead, devices onboard automatically through a process referred to as auto provisioning. The following flowchart describes this process in more detail:
- Inventory is not enabled by default. An admin must first sign-in to the Microsoft 365 Apps admin center, select Inventory, and click Get started to begin the provisioning process. This is a one-time action and can take 15-20 minutes before the Insights dashboard is displayed.
- Devices must meet the documented minimum requirements for inventory before they can onboard with the service. If they do not meet these requirements, auto provisioning will fail and retry later.
- Inventory is populated by active devices. An active device is defined by the following criteria:
- Supported version of Microsoft 365 Apps installed.
- Connectivity to the config.office.com service.
- Licensed user signed in.
- Office app usage.
- If items 1-3 pass, the auto provisioning process will complete successfully.
- The Tenant Association Key (TAK) for your tenant is retrieved and stored locally on the device.
- New Component Object Model (COM) objects are registered on the device – 1 for policy and 1 for inventory.
- Office app inventory is collected and uploaded to the portal for review.
Assuming all steps are successful, a device will typically appear in inventory within 60 seconds of an Office app being launched. In some cases, it may be necessary for an Office app to be launched more than once to initiate the onboarding sequence for the first time. This isn’t generally an issue in production, but it is worth noting for lab environments where testing is being done.
Note: After you have enabled inventory for your tenant, keep in mind that all data is being retrieved for the first time. The number of devices reporting in will increase with user activity. Expect to see a large increase in numbers over the first 24 hours, and then tapering down as time goes on. Enabling inventory prior to a weekend or holiday may impact initial onboarding time.
Step 1 - Enabling the inventory feature
The process for enabling inventory for your tenant is simple. If the feature has not been enabled, you will be presented with the Welcome page shown above. Once an admin clicks on Get started, the listed features will be provisioned for your tenant. This action only needs to be completed once.
Step 2 – Review the requirements for using inventory
Devices must meet a few basic requirements before the auto provisioning process can successfully complete onboarding. For the latest list of requirements, visit: Requirements for using inventory. Be sure that you have reviewed these items and taken the appropriate actions for your organization.
Step 3 – Monitor onboarding activity
You can monitor onboarding progress for your tenant by visiting the Inventory Insights page in the Microsoft 365 Apps admin center (shown below). As devices report in, the total under Data Insights will increase. Click on Show all devices to see a complete list of all devices that have onboarded.
From the detailed device list, you can apply sort and filter operations by clicking on the column headers. In the following example we have a filter applied to show devices that have checked in on or after Patch Tuesday. You also have the option to export these results to a CSV file. The export function will include records based on the applied filters. If no filters are applied, all records will be exported.
Troubleshooting Onboarding and Inventory
Below are some of the most common troubleshooting scenarios that we hear about regarding device onboarding with the inventory service, along with recommendations for remediation. Before you move on, always start by reviewing the requirements for using inventory. We find that in most cases devices fail the onboarding process simply because they do not meet the minimum requirements.
- Inventory is enabled but I am missing devices
- If inventory was recently enabled (< 24 hours) and you are seeing a steady growth in numbers, give the service another 1-2 days and monitor.
- Comparing device numbers in inventory with other tools can be a helpful way to track onboarding progress and overall coverage. However, keep these variables in mind:
- Stale inventory records in the Microsoft 365 Apps admin center are dropped after 30 days by default. Tools like Configuration Manager have a default value of 90 days.
- Devices that are in use and active on your network will not appear in inventory unless the Office apps are installed and being used regularly.
- Unmanaged / personally owned devices will appear in inventory and may not be enrolled in your other management tools.
- Microsoft 365 Apps with a version prior to 2008 are not supported with inventory.
- Non-subscription versions of Microsoft 365 Apps are not supported with inventory.
- Microsoft 365 Apps configured for viewer mode are not supported with inventory due to these apps being unlicensed.
- Devices are failing to onboard because they are unable to retrieve the Tenant Association Key (TAK).
- TAK retrieval failures are often due to devices not meeting the inventory requirements.
- To confirm if the TAK has been retrieved, query the following registry key by opening a PowerShell prompt and entering the following command:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officesvcmanager"
The return output should have your TenantAssociationKey. If the value is not present, try signing out of your Office apps, closing Office completely, starting Word, and then running the command again.
If the TenantAssociationKey is still not present, please open a support case or use the feedback button to let us know.
- Devices are disappearing from Inventory
- Devices that have not communicated with the inventory service in 30 days (default) will be removed. Keep in mind that the device may still be on and in-use by the user, but there has not been any Office app usage. To remediate, ensure the Office apps are being used on the device.
- *Unhealthy COM+ status
- COM+ is leveraged on local devices to orchestrate communication with the cloud service. If devices are failing to onboard with Inventory or go missing unexpectedly, confirm that COM+ is in a healthy state.
- Open Component Services (dcomcnfg).
- Expand Component Services > Computers > My Computer > COM+ Applications > OfficeSvcManagerAddons and select Components.
- At a minimum, you should find the following registered com objects:
- InventoryObject.Object.1
- PolicyObject.Object.1
- If the OfficeSvcManagerAddons COM+ Application is missing:
- Refer to the bullet above to remediate: Inventory is enabled but I am missing devices.
- If you receive an error in the Component Services console:
- Update the device drivers on the device. This is one of the most common causes for COM+ to fail.
- Confirm that COM+ is enabled in the registry by running the following query:
- COM+ is leveraged on local devices to orchestrate communication with the cloud service. If devices are failing to onboard with Inventory or go missing unexpectedly, confirm that COM+ is in a healthy state.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3"
The return output should include Com+Enabled REG_DWORD 0x1. If the value is missing or not = 1, ensure the value is present and set to 1. For any updates made, reboot the device to apply the changes.
Frequently Asked Questions
Q: What permissions do I need to enable inventory for my tenant?
A: For more information on supported security roles, visit: Overview of the Microsoft 365 Apps admin center > How to get to the admin center.
Q: What information is collected when enabling inventory?
A: For more information on what data is sent to Microsoft for the inventory feature, visit: Data sent to Microsoft for the inventory feature in the Microsoft 365 Apps admin center.
Q: How long is inventory kept?
A: By default, device records are kept in inventory for 30 days. This can be extended up to 180 days by navigating to Settings > Inventory clean up. Devices send a heartbeat to the inventory service once a day. If a heartbeat has not been received in the defined range, the record will be removed. If the device comes back online and sends a heartbeat, the device will be re-added to inventory.
Q: Why do I see personally owned devices in inventory?
A: Inventory and the other features in the Microsoft 365 Apps admin center are designed to give you a complete picture of the Office apps connected to your tenant, regardless of device management state and domain membership. If a user signs into Office with an Org ID from your tenant, you can expect to see them listed in inventory.
Q: What is the Tenant Association Key?
A: The Tenant Association Key (TAK) is a JSON web token generated for your tenant and is listed in the Microsoft 365 Apps admin center under Settings. The TAK can be decoded using a JSON debugger, and in doing so will output your tenant ID and a unique app ID. The TAK is used to associate devices with your tenant. During onboarding, the TAK is retrieved through the auto provisioning process and stored locally on the device. The TAK will remain on the device as long as the Office apps continue to send a heartbeat to the management service. If Office app use stops for 14 days or more, the TAK is automatically removed for security, but will be retrieved again the next time Office runs.
Q: What does “Generate new key” do?
A: The Generate new key function is an option in the Microsoft 365 Apps admin center. This option can be accessed by navigating to Settings > Tenant Association Key. By default, your tenant will already have a TAK and any devices that have onboarded with the inventory service will be associated with that value. If you believe that your TAK has been compromised (e.g.: suspicious devices showing in inventory) or have a need to generate a new key (e.g.: directed through a support case), selecting this option will generate a new value. It is important to understand that in doing so, all communication to existing devices will temporarily be lost until the new key has been associated with those devices. Take caution and plan accordingly.
*Additional Resources
Share Your Feedback with Us
We value your feedback! As you navigate the Microsoft 365 Apps admin center and work with these features, share your thoughts with us by clicking on the feedback button in the upper-right corner. Send us a smile, a frown, or share a suggestion. The feedback you submit goes directly to our engineering team.
Continue the conversation by joining us in the Microsoft 365 Tech Community! Whether you have product questions or just want to stay informed with the latest updates on new releases, tools, and blogs, Microsoft 365 Tech Community is your go-to resource to stay connected!
Published on:
Learn moreRelated posts
Engage the Copilot in Viva Engage!
Did you know that you can use Copilot in Viva Engage to create more engaging posts, and get personalized suggestions how to improve your post?...
Retirement of the SharePoint SendEmail API
Retirement of the SharePoint SendEmail API from SharePoint Online - impacting both REST and CSOM API surfaces. The post Retirement of the Shar...
Microsoft Teams: Automatic location updates with building details for BYOD rooms and bookable desks
Microsoft Teams is set to roll out automatic location updates with building details for bookable desks and BYOD (bring your own device) rooms....
Microsoft 365: Create full-workload backup policies for Microsoft 365 Backup
Microsoft 365 Backup just got easier with the new feature. With this update, it is possible to automatically backup all Exchange or OneDrive u...
Microsoft 365: Multi-admin change notifications for Microsoft 365 Backup
This post highlights a new feature for Microsoft 365 Backup that allows a set of pre-defined administrators to receive email notifications for...
Microsoft 365: Perform granular file-level restore using Microsoft 365 Backup
The Microsoft 365 Backup now offers an enhanced feature that allows users to perform file-level restore at a granular level. Users can search ...
Microsoft Teams: Town halls now available in GCC-High
If you're a part of a GCC-High organization, Microsoft Teams now offers a new way for you to conduct large-scale events with ease: town halls....
Microsoft Teams: Town halls in GCC-High (Premium)
Microsoft Teams has introduced town hall capabilities for large-scale events across an organization with GCC-High premium features. This allow...
Microsoft 365: Create Dynamic rule-based backup policies for Microsoft 365 Backup
Microsoft 365 brings forth an innovative solution to streamline backup policies by offering rule-based policies that adapt to dynamic membersh...
Microsoft 365: Dedicated Backup Administrator Role for Microsoft 365 Backup
Microsoft 365 now has a dedicated Backup Administrator role specifically designed to manage administration tasks related to M365 Backup. This ...