Netskope Help

Configure Microsoft 365 Instance for Security Posture

Note

Netskope requires a minimum set of Microsoft 365 licenses to scan your Microsoft 365 environment. The following licenses are supported:

  • Microsoft 365 A3, A5

  • Microsoft 365 E3, E5

  • Microsoft 365 F1, F3

Netskope can also support other Microsoft 365 licenses, as long as additional licenses are obtained for Microsoft Intune and Azure Active Directory Premium P1.

These installation instructions describe how to integrate your Microsoft 365 account with Netskope. There are four broad procedures:

  • Step 1: Configure SharePoint Tenant to Allow Custom App Authentication

  • Step 2: Grant Access to Microsoft 365 Account

  • Step 3: Add Azure AD Roles

  • Step 4: Add SharePoint Admin Permissions for the SharePoint Client-side Object Model (CSOM) API

Step 1: Configure SharePoint Tenant to Allow Custom App Authentication

Note

You can skip this step if either of the following conditions is true:

  • Your Microsoft 365 tenant was created before August 2020.

    To find the creation date of your Microsoft 365 tenant, log in to the Microsoft 365 admin center at https://admin.microsoft.com and navigate to Admin centers > SharePoint. In the SharePoint admin center, navigate to Sites > Active sites and sort the sites by Date created. Identify the default (root) site; its creation date is the creation date of your Microsoft 365 tenant.

  • You do not intend Netskope to evaluate custom and predefined rules related to the SharePoint tenant configuration data.

If your Microsoft 365 tenant was created in or after August 2020, Microsoft blocks apps that use an Azure Access Control Service (ACS) app-only access token by default, which prevents the Netskope app from reading the SharePoint tenant configuration. In that case, enable custom app authentication on your SharePoint tenant if this has not already been done.

You can change this behavior by running Set-SPOTenant -DisableCustomAppAuthentication $false (requires the latest SharePoint Online Management Shell). Note that the setting is tenant-wide: it re-enables ACS app-only authentication for every app registered through appinv.aspx, not only for Netskope, so record the change. To do so, follow the steps below:

Note

The following steps are performed on a Windows device.

  1. Install the latest version of PowerShell on Windows. Follow the instructions here.

  2. Start PowerShell as an administrator on the Windows device, and run the following commands:

    1. Install-Module -Name Microsoft.Online.SharePoint.PowerShell

    2. $adminUPN="<the full email address of the global administrator account, example: admin@sumoskope.onmicrosoft.com>"

      Note

      Fill in the value for the $adminUPN variable (replacing all the text between the quotes, including the < and > characters).

    3. $orgName="<name of your Microsoft 365 organization, example: sumoskope>"

      Note

      Fill in the value for the $orgName variable (replacing all the text between the quotes, including the < and > characters).

    4. $userCredential = Get-Credential -UserName $adminUPN -Message "<type the password>"

      Note

      When prompted with the Windows PowerShell credential request dialog box, type the password for the global administrator account.

    5. To check the value of DisableCustomAppAuthentication, run the following commands:

      1. Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $userCredential

        Note

        If the global administrator account is protected by multi-factor authentication, the -Credential parameter is not supported. Omit it and sign in through the browser prompt that Connect-SPOService opens instead.

      2. Get-SPOTenant

        Look for the DisableCustomAppAuthentication parameter. On a tenant created in or after August 2020 it is set to True by default; this is the value you are about to change.

        Note

        If you do not see the DisableCustomAppAuthentication parameter, your module is outdated. Run Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force to update it, then repeat the steps from 2.2.

    6. Run the following command to set the DisableCustomAppAuthentication value to false:

      1. Set-SPOTenant -DisableCustomAppAuthentication $false

    7. Verify that the parameter is set to false. To do so, run the following command:

      • Get-SPOTenant

        Look for the DisableCustomAppAuthentication parameter. It should be set to False.
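The whole of Step 1 as a single idempotent script, added here as an example and not part of the Netskope page. It assumes the Microsoft.Online.SharePoint.PowerShell module from the PowerShell Gallery, an account holding the Global Administrator or SharePoint Administrator role, and the parameter names $OrgName, $AdminUPN and $UseCredentialPrompt, which are this example's own. It reads the current value, changes it only when it is True, and re-reads it to verify, so running it twice is harmless.

```powershell
# Added example (not from the Netskope page): enable custom app authentication on the
# SharePoint Online tenant, using the cmdlets named in Step 1.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7; Microsoft.Online.SharePoint.PowerShell
# is installable from the PowerShell Gallery; the account used is a Global Administrator
# or SharePoint Administrator. Parameter names are this example's own.
param(
    [Parameter(Mandatory)][string]$OrgName,   # e.g. sumoskope -> https://sumoskope-admin.sharepoint.com
    [string]$AdminUPN,                         # e.g. admin@sumoskope.onmicrosoft.com
    [switch]$UseCredentialPrompt               # only for accounts WITHOUT multi-factor authentication
)

$ErrorActionPreference = 'Stop'

# 1. Make sure the SharePoint Online management module is present. An outdated module
#    does not expose DisableCustomAppAuthentication at all (see the Note in step 5.2).
if (-not (Get-Module -ListAvailable -Name Microsoft.Online.SharePoint.PowerShell)) {
    Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser -Force
}
Import-Module Microsoft.Online.SharePoint.PowerShell

# 2. Connect to the tenant admin site.
$adminUrl = "https://$OrgName-admin.sharepoint.com"
if ($UseCredentialPrompt) {
    # Username/password flow; fails for MFA-enabled administrators.
    $cred = Get-Credential -UserName $AdminUPN -Message "Password for $AdminUPN"
    Connect-SPOService -Url $adminUrl -Credential $cred
} else {
    # Modern (browser) sign-in; works with MFA and Conditional Access.
    Connect-SPOService -Url $adminUrl
}

try {
    # 3. Read the current setting. On tenants created in or after August 2020 it is True
    #    (ACS app-only tokens blocked), which is why the Netskope app cannot read tenant
    #    configuration until it is changed.
    $tenant = Get-SPOTenant
    if ($null -eq $tenant.PSObject.Properties['DisableCustomAppAuthentication']) {
        throw 'Get-SPOTenant does not return DisableCustomAppAuthentication; update the module with Install-Module -Force and re-run.'
    }
    Write-Host "Before: DisableCustomAppAuthentication = $($tenant.DisableCustomAppAuthentication)"

    # 4. Change it only when needed. The setting is tenant-wide, so keep the output as a record.
    if ($tenant.DisableCustomAppAuthentication) {
        Set-SPOTenant -DisableCustomAppAuthentication $false
    }

    # 5. Verify by re-reading rather than trusting that the write succeeded.
    $after = (Get-SPOTenant).DisableCustomAppAuthentication
    Write-Host "After:  DisableCustomAppAuthentication = $after"
    if ($after) {
        throw 'Setting is still True; check that the account holds the SharePoint Administrator role.'
    }
}
finally {
    Disconnect-SPOService
}
```

Save it as Enable-CustomAppAuth.ps1 and run .\Enable-CustomAppAuth.ps1 -OrgName sumoskope; add -AdminUPN and -UseCredentialPrompt only for an account without MFA. Because the setting applies to every ACS-based app in the tenant, keep the Before/After lines for your change log.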

Step 2: Grant Access to Microsoft 365 Account

To authorize Netskope to access your Microsoft 365 account, follow the steps below:

  1. Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and go to Settings > API-enabled Protection > SaaS.

  2. Select the Microsoft 365 icon, and then click Setup Instance.

  3. The Setup Instances window opens. Enter the following details:

    1. For instance name, enter the fully qualified domain name (FQDN) of your Microsoft 365 account. For example, if you use https://domain.sharepoint.com to log in, then specify domain.sharepoint.com as the FQDN in the app instance field.

      Note

      To find the FQDN of your Microsoft 365 account, log in to your Microsoft 365 account and then:

      1. Click the launch icon.

      2. Click the SharePoint app.

      3. Copy the FQDN text (remove the "https://" and the path after the FQDN text "/")

    2. Instance Type: Select the Security Posture checkbox. This option allows Netskope to continuously scan the SaaS app to identify and remediate risky misconfigurations and align its security posture with best practices and compliance standards.

      You can also choose how often the policy runs (every 15, 30, 45, or 60 minutes).

    3. Click Save, then click Grant Access for the app instance you just created.

      After you click Grant Access, you are prompted to sign in with your global administrator username and password. Review and Accept the requested permissions, then click Close.


      Once you grant access to the Microsoft 365 app instance, the Netskope Security Assessment app is registered in Azure AD with the additional permissions it needs. Going forward, the Microsoft 365 app instance uses the Microsoft Graph APIs. For the full list of permissions, see Permissions Required for Microsoft 365.

  4. Refresh your browser, and you should see a green check icon next to the instance name.

Important

If you have newly set up your Microsoft 365 account, it can take 2 to 4 days for Microsoft to generate the Microsoft Secure Score report for it. Netskope SSPM incorporates data from Microsoft Secure Score and therefore requires that report to exist. If you do not see any data in the Netskope UI dashboard (API Data Protection > COMPLIANCE > Security Posture), wait until the Microsoft Secure Score report has been generated. You can check its status in the Azure portal under Azure AD Identity Secure Score.

Step 3: Add Azure AD Roles

Once you have granted access to the Microsoft 365 app, assign the Netskope application client ID to the Global Reader role. Global Reader is a read-only directory role, which is all the posture scan needs; no role with write access is required. To do so, follow the steps below:

  1. Log in to portal.azure.com as a global administrator.

  2. Click View under Manage Azure Active Directory.

  3. On the left navigation, click Roles & administrators.

  4. Search for the role Global Reader, and click on the Global Reader role.

  5. Click + Add assignments.

  6. In the search bar, enter the Netskope application client ID 2038fb3d-092b-4c35-9ae6-3f10adb04a6a. Select the Netskope Security Assessment app and click Add. The app appears in the search results only after Step 2 has been completed, because granting access is what creates the app's service principal in your tenant.
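A check for Steps 2 and 3 together, added here as an example and not part of the Netskope page: it confirms with the Microsoft Graph PowerShell SDK that granting access created the Netskope Security Assessment service principal in your tenant, lists the application permissions actually consented to (compare against Permissions Required for Microsoft 365), and verifies that the service principal is a member of Global Reader. It assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph) and that the signed-in administrator can read service principals and directory roles; the only identifier it uses is the client ID from this page.

```powershell
# Added example (not from the Netskope page): verify the results of Step 2 (Grant Access)
# and Step 3 (Global Reader assignment) with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the signed-in admin can consent to the
# read-only scopes requested below.
$netskopeAppId = '2038fb3d-092b-4c35-9ae6-3f10adb04a6a'   # Netskope application client ID from Step 3

Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# The service principal is the tenant-local object for the multi-tenant Netskope app.
# It exists only after an administrator has consented via Grant Access (Step 2).
$sp = Get-MgServicePrincipal -Filter "appId eq '$netskopeAppId'"
if (-not $sp) {
    throw "No service principal for appId $netskopeAppId. Complete Step 2 (Grant Access) before assigning roles."
}
Write-Host "Service principal: $($sp.DisplayName) (objectId $($sp.Id))"

# Application permissions granted to the service principal, resolved to their scope names.
Write-Host 'Granted application permissions:'
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
    $assignment = $_
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $role.Value }
} | Format-Table -AutoSize

# Get-MgDirectoryRole returns only roles that have been activated in the tenant. Adding an
# assignment in the portal activates Global Reader, so a null result means Step 3 was not done.
$globalReader = Get-MgDirectoryRole -Filter "displayName eq 'Global Reader'"
if (-not $globalReader) {
    throw 'Global Reader is not activated in this tenant; complete Step 3 in the portal.'
}

$isMember = Get-MgDirectoryRoleMember -DirectoryRoleId $globalReader.Id |
    Where-Object { $_.Id -eq $sp.Id }

if ($isMember) {
    Write-Host "OK: $($sp.DisplayName) is a member of Global Reader."
} else {
    Write-Warning "$($sp.DisplayName) is NOT a member of Global Reader. Repeat Step 3, or add it with New-MgDirectoryRoleMemberByRef."
}

Disconnect-MgGraph
```

Run it after Step 3 has been completed; a missing service principal or an empty permission table points back to Step 2, while a missing role membership points back to Step 3. The script only reads directory data, so it is safe to re-run as a periodic check that the assignment has not been removed.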

Step 4: Add SharePoint Admin Permissions for the SharePoint Client-side Object Model (CSOM) API

The following procedure allows the Netskope Security Assessment app to access your SharePoint tenant's configuration settings.

Note

SharePoint requires the Netskope Security Assessment app to be granted the 'Full Control' permission at tenant scope in order to read SharePoint tenant configuration data. Skipping this step causes rules that check the SharePointTenant resource to fail, because that data cannot be obtained. A full list of default rules that check the SharePointTenant resource can be found in Office 365 Predefined Rules.

  1. Log in to https://<tenant_name>-admin.sharepoint.com/_layouts/15/appinv.aspx, replacing <tenant_name> with your company's SharePoint domain name. For example, if your SharePoint admin page URL is https://sumoskope-admin.sharepoint.com/, enter https://sumoskope-admin.sharepoint.com/_layouts/15/appinv.aspx. The app registration page opens.

  2. Under App Id, enter 2038fb3d-092b-4c35-9ae6-3f10adb04a6a and click Lookup. The page is populated with the app's registration details.

  3. Under App Domain, enter netskope.com.

  4. Under Permission Request XML, enter the following XML code:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
    </AppPermissionRequests>
  5. Click Create.

  6. On the next page, review the permissions and click Trust It.


This grants the app-only, tenant-scoped Full Control permission that the Netskope Security Assessment app needs to call the SharePoint CSOM APIs. You can review or revoke this grant later on the Site App Permissions page of the admin site (https://<tenant_name>-admin.sharepoint.com/_layouts/15/appprincipals.aspx).

Next, you should configure a security posture policy. To do so, see Security Posture Policy Wizard.