Configure Microsoft 365 Instance for SaaS Security Posture Management

Configure Microsoft 365 Instance for SaaS Security Posture Management

When you configure Microsoft 365 app instance on the Netskope tenant, it bundles Microsoft Entra ID (formerly known as Azure AD), Exchange, and SharePoint apps along with it. In a nutshell, on configuring Microsoft 365 app, Netskope can scan through your Entra ID, Exchange, and SharePoint site for security posture management.

– Netskope requires a minimum set of Microsoft 365 licenses to scan through your Microsoft 365 environment. The following licenses are supported:
– Microsoft 365 A3, A5
– Microsoft 365 E3, E5
– Microsoft 365 F1, F3
– Netskope can support other Microsoft 365 licenses too as long as additional licenses are obtained for Microsoft Intune and Microsoft Entra ID P1 edition.
– Refer to the Microsoft 365 plan options for more information about the Microsoft 365 licenses.
– Refer to the Manage Microsoft 365 and Office article to understand what licenses you have.

The installation instructions describe how to integrate your Microsoft 365 account with Netskope. There are 4 broad procedures involved:

  • Step 1: Configure SharePoint Tenant to Allow Custom App Authentication
  • Step 2: Grant Access to Microsoft 365 Account
  • Step 3: Add Entra ID Roles
  • Step 4: Add SharePoint Admin Permissions for the SharePoint Client-side Object Model (CSOM) API

Step 1: Configure SharePoint Tenant to Allow Custom App Authentication

Follow this procedure on your Windows machine to configure SharePoint to enable custom app authentication. 

Points to note:

  • If your Microsoft 365 tenant was created on or after August 2020, custom app authentication on your SharePoint tenant needs to be enabled if this has not already been done. Follow the procedure below to enable custom app authentication.

  • Microsoft has by default disabled apps using an Azure Access Control (ACS) app-only access token. Hence, you need to enable custom app authentication explicitly.

  • This can be done by running set-SPOTenant -DisableCustomAppAuthentication $false.

You should skip this step to enable custom app authentication in Sharepoint if either of the conditions is true in your case:
1. Your Microsoft 365 account is created before August, 2020.
How to find the creation date of your Microsoft 365 tenant?
– Log in to the SharePoint admin center by visiting https://admin.microsoft.com.
– Navigate to All Admin centers > SharePoint.
– In the SharePoint admin center, navigate to Sites > Active sites and sort the sites by Date Created filter.
– The default / Root site is the oldest one. Check the date of the site that is the creation date of your Microsoft 365 tenant. If the date is before August 2020 you should skip this procedure.
2. You do not intend Netskope to evaluate custom and predefined rules related to the SharePoint tenant configuration data.
  1. Install the latest version of PowerShell on Windows. Follow the instructions here.
  2. Start PowerShell as an administrator on the Windows device, and run the following commands:
    1. Install-Module -Name Microsoft.Online.Sharepoint.PowerShell
    2. Import-Module Microsoft.Online.Sharepoint.PowerShell
    3. $adminUPN=“<the full email address of the global administrator account, example: admin@sumoskope.onmicrosoft.com>”

      Note

      Fill in the value for the $adminUPN variable (replacing all the text between the quotes, including the < and > characters).

    4. $orgName=“<name of your Microsoft 365 organization, example: sumoskope>”

      Note

      Fill in the value for the $orgName variable (replacing all the text between the quotes, including the < and > characters).

    5. $userCredential = Get-Credential -UserName $adminUPN -Message “<type the password>”

      Note

      When prompted with the Windows PowerShell credential request dialog box, type the password for the global administrator account.

    6. To check the value of DisableCustomAppAuthentication, run the following commands:
      1. Connect-SPOService -Url https://$orgName-admin.sharepoint.com
      2. Get-SPOTenant

        Look for the DisableCustomAppAuthentication parameter. It should be set to True.

        Note

        If you do not see the DisableCustomAppAuthentication parameter, execute the Install-Module -Name Microsoft.Online.Sharepoint.PowerShell -Force command and follow the steps from 2b.

    7. Run the following command to set the DisableCustomAppAuthentication value to false:
      1. Set-SPOTenant -DisableCustomAppAuthentication $false
    8. Verify that the parameter is set to false. To do so, run the following command:
      • Get-SPOTenant

        Look for the DisableCustomAppAuthentication parameter. It should be set to False.

Step 2: Grant Access to Microsoft 365 Account

To authorize Netskope to access your Microsoft 365 account, follow the steps below:

  1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Classic > SaaS.

  2. Select the Microsoft 365 icon, and then click Setup Instance.

  3. The Setup Instances window opens. Enter the following details:

    • For instance name, enter the fully qualified domain name (FQDN) of your Microsoft 365 account. Enter the default onmicrosoft.com domain assigned to your Microsoft 365 account. For example, if you sign in with admin@<domain>.onmicrosoft.com, specify <domain>.onmicrosoft.com in the app instance field.

      To find the default onmicrosoft.com domain of your Microsoft 365 account, follow the steps below:
      – Log in to https://admin.microsoft.com/.
      – On the left navigation bar, click … Show all, and then navigate to Settings > Domains.
      – Note down the FQDN of the Microsoft 365 account in the format <domain>.onmicrosoft.com.
    • Instance Type: Select the Security Posture checkbox. Select this option to allow Netskope to continuously scan through your SaaS app to identify and remediate risky SaaS app misconfigurations and align security posture with best practices and compliance standards. Also, you have the option to run the policy at intervals (15 minutes, 30 minutes, 45 minutes, and 60 minutes).

      “SpoSite” resource type in Microsoft365 appsuite will be fetched every 1 hour interval irrespective of the scan interval configured because this resource could be huge in number and Microsoft does not have a polling API support for this.
    • Click Save, then click Grant Access for the app instance you just created.

      Microsoft 365 tenants whose admin SharePoint site uses a custom domain instead of <tenant>-admin.sharepoint.com currently require manual configuration. Contact Netskope support for more information.
    • After clicking Grant Access, you will be prompted to log in with your global administrator username and password, and then Accept the permissions and click Close.

  4. Refresh your browser, and you should see a green check icon next to the instance name.

Important

If you have newly set up your Microsoft 365 account, it can take 2 to 4 days to generate the Microsoft Secure Score report for your Microsoft 365 account. SaaS Security Posture Management incorporates data from Microsoft Secure Score and therefore requires the secure score report to be generated. If you do not see any data populated in the Netskope UI dashboard (API Data Protection > Security Posture SaaS > COMPLIANCE), wait till the Microsoft Secure Score report is generated. You can view the completion of Microsoft Secure Score on your Azure portal under Entra ID Identity Secure Score.

Step 3: Add Entra ID Roles

Once you have granted access to the Microsoft 365 app, you should assign the Netskope application client ID to the Global Reader role. To do so, follow the steps below:

  1. Log in to portal.azure.com as a global administrator.

  2. Click View under Manage Microsoft Entra ID.

  3. On the left navigation, click Roles & administrators.

  4. Search for the role Global Reader, and click on the Global Reader role.

  5. Click + Add assignments then click on No Members Selected and then select members.

  6. In the search bar, enter the Netskope application client ID 2038fb3d-092b-4c35-9ae6-3f10adb04a6a. Select the Netskope Security Assessment app and click Add.

    A following warning is shown after selecting the app for active assignments. You do not have any action item for this warning. Refer to the Assign Eligibility document for more information.
  7. In the Setting tab, select Assignment Type as Active and enable the Permanently assigned option. Enter justification as “For Netskope SSPM” and click on Assign.

Step 4: Add SharePoint Admin Permissions for the SharePoint Client-side Object Model (CSOM) API

The following procedure allows Netskope Security Assessment app to access your SharePoint tenants’ configuration settings.

SharePoint requires the Netskope Security Assessment app to receive the ‘Full Control’ permission in order to read SharePoint tenant configuration data. Skipping this step will cause rules that check the SharePointTenant resource to fail since that data would not be possible to obtain.
If you have more than 40 thousand Sharepoint sites in your environment, then the listing of these Sharepoint sites will be done only once every 24 hours.
  1. Log in to https://<tenant_name>-admin.sharepoint.com/_layouts/15/appinv.aspx. Replace the <tenant-name> with your company’s SharePoint domain name. For example, if your SharePoint admin page URL is https://sumoskope-admin.sharepoint.com/, enter https://sumoskope-admin.sharepoint.com/_layouts/15/appinv.aspx. The following page opens:
    App_Lookup_Page.png
  2. Under App Id, enter 2038fb3d-092b-4c35-9ae6-3f10adb04a6a and click Lookup. The page gets populated with the following information:
    SSPM_O365_App__Lookup__Page-_Populated.png
  3. Under App Domain, enter netskope.com.

    Keep the Redirect URL field empty.

  4. Under Permission Request XML, enter the following XML code:
    <AppPermissionRequests
    AllowAppOnlyPolicy="true"><AppPermissionRequest
    Scope="http://sharepoint/content/tenant"
    Right="FullControl" /></AppPermissionRequests>
  5. Click Create.
  6. On the next page, review the permissions and click Trust It.
    SSPM_netskope__com-_Trust.png

This will create the app permissions necessary for the Netskope Security Assessment app to access the SharePoint CSOM APIs.

Next, you should configure a security posture policy. To do so, see SaaS Security Posture Management Policy Wizard.

Share this Doc

Configure Microsoft 365 Instance for SaaS Security Posture Management

Or copy link

In this topic ...