Onboarding Microsoft 365
- 28 Feb 2024
Architecture
The image below depicts the deployment architecture.
Roles and Permissions
Below is a list of the roles Prisma Cloud DSPM uses to access your environment and the permissions they have. Permissions are used to access different types of data, or perform actions such as creating/deleting virtual machines (VMs), exporting snapshots, etc.
IMPORTANT
If your Microsoft 365 account has any firewall or network restrictions in place, it is imperative to grant access to the following Prisma Cloud DSPM IP addresses: 52.48.123.3, 99.80.210.235, 34.247.249.123
Role | Permission | Purpose
--- | --- | ---
Prisma Cloud DSPM (External) | User.Read.All (Graph) | Identify guest users (future risks)
Prisma Cloud DSPM (External) | Group.Read.All (Graph) | Identify the groups containing guest users (future risks)
Prisma Cloud DSPM (External) | Directory.Read.All (Graph) | Retrieve domain information
Prisma Cloud DSPM (External) | Application.Read.All (Graph) | Identify application permissions (future risks)
Prisma Cloud DSPM (External) | Sites.Read.All (Graph) | Discover all sites
Prisma Cloud DSPM (External) | Sites.Read.All (SharePoint API) | Get site configurations
Prisma Cloud DSPM (External) | Sites.Manage.All (SharePoint API) | Get site's external sharing configuration
Prisma Cloud DSPM (External) | Files.Read.All (Graph) | Read metadata on files, including MIP labels
Prisma Cloud DSPM (External) | SharePointTenantSettings.Read.All (Graph) | Read org-level configuration for External Sharing
Prisma Cloud DSPM (External) | InformationProtectionPolicy.Read.All (Graph) | Read MIP label policies
Customer (Internal) | Files.Read.All (Graph) | Classification
Customer (Internal) | Sites.Read.All (Graph) | Classification
Customer (Internal) | Content.SuperUser (RMS) | Read RMS-encrypted files (future)
Prerequisites
- Prisma Cloud DSPM Orchestrator must be deployed in the same Azure tenant where the Microsoft 365 domain is hosted.
- The user running the script must have the Application.ReadWrite.All permission.
Onboarding Steps
- Sign in to your Prisma Cloud DSPM account.
- From the left menu, select Settings.
- Under Integrations, go to the Microsoft 365 option, and click Configure.
- Click Add New.
- In the Microsoft 365 Connect New Subscription window, do the following:
- Enter the required details.
- Select the orchestrator and the region.
- Choose the environment type.
- Grant approval for the enterprise application. Ensure that you are signed in to the tenant associated with the Microsoft 365 instance you wish to onboard. This tenant should also correspond to the one in which the Orchestrator was deployed.
- The Approval screen opens in a new tab. Follow the provided steps until you reach the Success screen.
- In Prisma Cloud DSPM, choose the Enable option (step 3).
- Copy the provided PowerShell script and execute it in the Azure PowerShell console.
- Wait until the script successfully completes, and return to Prisma Cloud DSPM.
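After the onboarding script completes, it is worth confirming that the enterprise application holds exactly the application permissions listed in the Roles and Permissions table above and nothing more. The following PowerShell is an added example written for this page; it is not the script Prisma Cloud DSPM provides and is not part of the original article. It assumes the Microsoft Graph PowerShell SDK is installed, that the enterprise application's display name (the `$AppDisplayName` placeholder) is known, and that the SharePoint resource is registered in the tenant under the display name "Office 365 SharePoint Online". The RMS Content.SuperUser entry is left out because the table marks it as future.

```powershell
# Added example (not the Prisma Cloud DSPM onboarding script): audit the
# application permissions granted to the enterprise application against the
# list documented on this page, so missing or unexpected grants stand out.
# Assumptions: Microsoft.Graph PowerShell SDK installed; $AppDisplayName is a
# placeholder for the enterprise application's real display name; the
# SharePoint resource service principal is named 'Office 365 SharePoint Online'.

$AppDisplayName = 'Prisma Cloud DSPM'   # placeholder: replace with the actual enterprise app name

# Documented application permissions, keyed by the resource API's display name.
$Expected = @{
    'Microsoft Graph' = @(
        'User.Read.All', 'Group.Read.All', 'Directory.Read.All', 'Application.Read.All',
        'Sites.Read.All', 'Files.Read.All', 'SharePointTenantSettings.Read.All',
        'InformationProtectionPolicy.Read.All'
    )
    'Office 365 SharePoint Online' = @('Sites.Read.All', 'Sites.Manage.All')
}

# Read-only scope is enough for an audit; Application.ReadWrite.All is only
# needed by the onboarding script itself.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal '$AppDisplayName' not found in this tenant." }

# Each app-role assignment references the resource API and an app role ID;
# resolve the ID to the human-readable permission value (e.g. Sites.Read.All).
$granted = foreach ($ra in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $ra.ResourceId
    $role     = $resource.AppRoles | Where-Object Id -eq $ra.AppRoleId
    [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $role.Value }
}

# Missing grants will break discovery; unexpected grants widen the application's
# reach beyond what the vendor documents and should be reviewed.
foreach ($resourceName in $Expected.Keys) {
    $have    = @(($granted | Where-Object Resource -eq $resourceName).Permission)
    $missing = @($Expected[$resourceName] | Where-Object { $_ -notin $have })
    $extra   = @($have | Where-Object { $_ -notin $Expected[$resourceName] })
    "{0}: missing=[{1}] unexpected=[{2}]" -f $resourceName, ($missing -join ', '), ($extra -join ', ')
}

# Full list of what is actually granted, for the change record.
$granted | Sort-Object Resource, Permission | Format-Table -AutoSize
```

Run this in the same tenant where the enterprise application was approved. Any resource API that appears in the granted list but not in `$Expected` (for example a permission on a third API) is not reported as "unexpected" by the loop above; the full table printed at the end makes such entries visible, so read it rather than relying on the summary lines alone.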