Configure Microsoft 365 Instance for SaaS Security Posture Management
When you configure a Microsoft 365 app instance on the Netskope tenant, it bundles the Microsoft Entra ID (formerly known as Azure AD), Exchange, and SharePoint apps along with it. In short, once the Microsoft 365 app is configured, Netskope can scan your Entra ID, Exchange, and SharePoint site for security posture management.
– Microsoft 365 A3, A5
– Microsoft 365 E3, E5
– Microsoft 365 F1, F3
– Netskope can support other Microsoft 365 licenses too as long as additional licenses are obtained for Microsoft Intune and Microsoft Entra ID P1 edition.
– Refer to the Microsoft 365 plan options for more information about the Microsoft 365 licenses.
– Refer to the Manage Microsoft 365 and Office article to understand what licenses you have.
Follow the procedure to integrate your Microsoft 365 account with Netskope.
Step 1: Grant Access to Microsoft 365 Account
To authorize Netskope to access your Microsoft 365 account, follow the steps below:
- Log in to the Netskope tenant UI and go to Settings > Configure App Access > Classic > SaaS.
- Select the Microsoft 365 icon, and then click Setup Instance.
- The Setup Instances window opens. Enter the following details:
  - For instance name, enter the fully qualified domain name (FQDN) of your Microsoft 365 account. Enter the default onmicrosoft.com domain assigned to your Microsoft 365 account. For example, if you sign in with admin@<domain>.onmicrosoft.com, specify <domain>.onmicrosoft.com in the app instance field.
    To find the default onmicrosoft.com domain of your Microsoft 365 account, follow the steps below:
    – Log in to https://admin.microsoft.com/.
    – On the left navigation bar, click … Show all, and then navigate to Settings > Domains.
    – Note down the FQDN of the Microsoft 365 account in the format <domain>.onmicrosoft.com.
  - Instance Type: Select the Security Posture checkbox. Select this option to allow Netskope to continuously scan through your SaaS app to identify and remediate risky SaaS app misconfigurations and align security posture with best practices and compliance standards. You also have the option to run the policy at intervals (15 minutes, 30 minutes, 45 minutes, and 60 minutes).
    The “SpoSite” resource type in the Microsoft 365 app suite is fetched at a 1-hour interval irrespective of the configured scan interval, because the number of these resources can be very large and Microsoft does not provide polling API support for it.
- Click Save, then click Grant Access for the app instance you just created.
  Microsoft 365 tenants whose admin SharePoint site uses a custom domain instead of <tenant>-admin.sharepoint.com currently require manual configuration. Contact Netskope support for more information.
- After you click Grant Access, you are prompted to log in with your global administrator username and password. Accept the permissions, and then click Close.
- Refresh your browser, and you should see a green check icon next to the instance name.
Important
If you have newly set up your Microsoft 365 account, it can take 2 to 4 days to generate the Microsoft Secure Score report for your Microsoft 365 account. SaaS Security Posture Management incorporates data from Microsoft Secure Score and therefore requires the secure score report to be generated. If you do not see any data populated in the Netskope UI dashboard (API Data Protection > Security Posture SaaS > COMPLIANCE), wait till the Microsoft Secure Score report is generated. You can view the completion of Microsoft Secure Score on your Azure portal under Entra ID Identity Secure Score.
Step 2: Add Entra ID Roles
Once you have granted access to the Microsoft 365 app, you should assign the Netskope application client ID to the Global Reader role. To do so, follow the steps below:
- Log in to portal.azure.com as a global administrator.
- Click View under Manage Microsoft Entra ID.
- On the left navigation, click Roles & administrators.
- Search for the role Global Reader, and click the Global Reader role.
- Click + Add assignments, click No Members Selected, and then select members.
- In the search bar, enter the Netskope application client ID 2038fb3d-092b-4c35-9ae6-3f10adb04a6a. Select the Netskope Security Assessment app and click Add.
  A warning is shown after you select the app for active assignments. You do not need to take any action for this warning. Refer to the Assign Eligibility document for more information.
- In the Setting tab, select Assignment Type as Active and enable the Permanently assigned option. Enter the justification “For Netskope SSPM” and click Assign.
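One way to confirm the Step 2 assignment afterwards, as an added example that is not Netskope's or Microsoft's code: it audits JSON shaped like the Microsoft Graph `servicePrincipals` and `roleManagement/directory/roleAssignments` responses. The role template IDs are Microsoft's built-in values, the sample object IDs are constructed, and reporting any role other than Global Reader is this example's own assumption.

```python
# Added example: audit Microsoft Graph JSON for the Step 2 role assignment.
NETSKOPE_APP_ID = "2038fb3d-092b-4c35-9ae6-3f10adb04a6a"  # client ID given on this page
GLOBAL_READER = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"    # built-in Global Reader role template ID
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"     # built-in Global Administrator template ID


def audit_netskope_role(service_principals, role_assignments):
    """Return a list of findings; an empty list means Step 2 is in place."""
    sp = next((s for s in service_principals
               if s.get("appId", "").lower() == NETSKOPE_APP_ID), None)
    if sp is None:
        return ["Netskope service principal not found: has Grant Access (Step 1) been completed?"]
    mine = [a for a in role_assignments if a.get("principalId") == sp["id"]]
    reader = [a for a in mine if a.get("roleDefinitionId") == GLOBAL_READER]
    findings = []
    if not reader:
        findings.append("Global Reader is not actively assigned to the Netskope app")
    elif all(a.get("directoryScopeId") != "/" for a in reader):
        findings.append("Global Reader is assigned, but not at tenant scope '/'")
    # Assumption of this example: any other directory role on this principal
    # is more than the page asks for and is reported for review.
    for a in mine:
        if a.get("roleDefinitionId") != GLOBAL_READER:
            findings.append("extra directory role assigned: " + str(a.get("roleDefinitionId")))
    return findings


# Constructed sample data (object IDs are made up), shaped like Graph v1.0 responses.
SAMPLE_SPS = [
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "appId": NETSKOPE_APP_ID,
     "displayName": "Netskope Security Assessment"},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000002",
     "appId": "00000000-0000-4000-8000-00000000beef", "displayName": "Other app"},
]
SAMPLE_OK = [
    {"principalId": SAMPLE_SPS[0]["id"], "roleDefinitionId": GLOBAL_READER,
     "directoryScopeId": "/"},
    {"principalId": SAMPLE_SPS[1]["id"], "roleDefinitionId": GLOBAL_ADMIN,
     "directoryScopeId": "/"},
]
SAMPLE_OVERPRIVILEGED = SAMPLE_OK + [
    {"principalId": SAMPLE_SPS[0]["id"], "roleDefinitionId": GLOBAL_ADMIN,
     "directoryScopeId": "/"},
]

if __name__ == "__main__":
    for name, data in [("ok", SAMPLE_OK), ("over", SAMPLE_OVERPRIVILEGED), ("none", [])]:
        print(name, audit_netskope_role(SAMPLE_SPS, data))
```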
Next, you should configure a security posture policy. To do so, see SaaS Security Posture Management Policy Wizard.