Configure Microsoft 365 Yammer for the Next Generation API Data Protection

To configure Microsoft 365 Yammer for the Next Generation API Data Protection, follow the instructions below.

Before configuring Microsoft 365 Yammer for the Next Generation API Data Protection, review the prerequisite.

• A global administrator account is required to grant access to Netskope.

  • Yammer integration relies on delegated permissions. During grant, Netskope requires a global administrator role. Post grant, this role can be downgraded to the Yammer administrator role. Netskope recommends to create a dedicated service account (with global/Yammer administrator role) exclusively for the Netskope integration. Revoking access to the Yammer administrator role will break the integration with Netskope. Creating a dedicated service account will ensure that the integration with Netskope will not break due to an exiting employee, and consequently a deactivation of the account.
  • The way permissions work in Azure/Office 365 is that Netskope requires an administrator to grant enough privileges for Netskope to perform specific actions. Note that the Netskope app does not receive global admin permissions. It only receives permissions for the scope Netskope requests.

• Make sure the Microsoft 365 account has Yammer admin access. Check your organizations’ Yammer page to make sure your account has Yammer admin access:

  1. Log in to https://www.yammer.com/<replace with your-domain-name>/admin/set_admins.

  2. On the left navigation, click Admins and under Current Admins, ensure that the account you logged in with is displayed in the list.

     

• You must turn on audit logging in Microsoft 365 admin center. To enable audit logging, follow the steps below:

  1. Log in to https://compliance.microsoft.com/.On the left navigation, click Audit.

     If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.

     

  2. Click the Start recording user and admin activity banner.

     It may take up to 60 minutes for the change to take effect. After enabling, the first application event contents can take up to 12 hours to show up in Skope IT.

• If you have guest or external users in your SaaS environment belonging to domains considered internal, you must set the appropriate internal domains for Netskope to classify exposure accurately. To set up internal domains, follow this article.

To authorize Netskope to access your Microsoft 365 Yammer account, follow the steps below:

1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.

2. Under Apps, select Yammer and click Setup CASB API Instance.

   The Setup Instance window opens.

3. Under Administrator Email, enter the email address of the user who will receive an email notification when a policy violation or event triggers. This step is optional.

4. Under Instance Name, enter a name of the SaaS app instance. This step is optional and if left blank, Netskope will determine the name of the app instance post grant.

5. Click Grant Access.

   The Microsoft Login window opens.

6. Enter the global administrator username and password.

7. Keep Consent on behalf of your organization unchecked and Accept the permissions.

   

   Justification for Permissions Requested

   Permissions required by Netskope	Description	Purpose	Trade-off if not allowed
   Read activity data for your organization	Allows to retrieve information about user, administrator, system, and policy actions and events from Office 365 and Microsoft Entra activity logs via the Office 365 Management Activity API.	Allows Netskope to retrieve audit logs and events from Office 365 and Entra activity logs.	Cannot provide visibility via Skope IT application events and other UEBA capabilities.
   Sign you in and read your profile	Allows – users to sign-in to the application, – the application to read the profile of signed-in users, – the application to read basic company information of signed-in users.	Allows sign-in and to obtain information about signed-in users.	Required for sign-in workflows.
   Read all users’ basic profiles	Allows the application to read a basic set of profile properties of other users in your organization on your behalf. Basic profile includes display name, first and last name, email address and photo.	Allows Netskope to read user profile data in the configured Yammer instance.	Cannot obtain user profile information and affects subsequent user exposure computations.
   Read all groups	Allows the application to list groups, and read their properties and all group memberships on your behalf. Also allows the app to read calendar, conversations, files, and other group content for all groups you can access.	Allows Netskope to read, groups data in the configured Yammer instance.	Cannot obtain user/group-related information and affects subsequent inventory and exposure computations.
   Read and write to the Yammer platform (preview)	Read and write to the Yammer platform (preview).	Allow Netskope to retrieve Yammer-specific user & group data in the configured Yammer instance.	Required for: – sign-in workflows for validating the sign-in user is eligible for Yammer administrator. – Obtain user/group-related information for exposure computations.
   Read and write to the Yammer platform (preview)	Allows the application to access the Yammer platform on your behalf.	Allow Netskope to leverage Data Export API to collect user/group changes and chat messages from the configured Yammer instance.	Cannot perform content scan of outgoing chat messages in the instance.

   The Netskope CASB API app is installed in Microsoft Entra ID with additional permissions once you grant access to the Microsoft 365 Yammer app.

Refresh your browser, and you should see a green check icon next to the instance name.

Next, you can can view the Next Generation API Data Protection Inventory page to get deep insights on various entities on your Microsoft 365 Yammer account. For more information on the Inventory page, see Next Generation API Data Protection Inventory.

You can receive audit events and standard user behavior analytic alerts in Skope IT. To know more: Next Generation API Data Protection Skope IT Events.

Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.