Configure Microsoft OneDrive as the Cloud Provider

1. Register a new app in Azure.

   1. Sign in to the Azure Portal.
   2. Go to Azure Active Directory → App registrations → + New registration.
   3. Enter a descriptive name (for example, Prisma Access Browser Cloud Storage for M365)
   4. Choose Single tenant (Accounts in this organizational directory only).
   5. Under Redirect URI, select Single-page application (SPA) and use this URI: https://gdhaibkimkeghllnpodfpoamchapggea.chromiumapp.org/
   6. Click Register.
2. Add Permissions to the New App.

   1. Open the new app → App permissions → + Add a permission.
   2. Choose Microsoft Graph.
   3. Add the following Application permissions:

      • Application.Read.All
      • DelegatedPermissionGrant.Read.All
   4. Click +Add a permission → Microsoft Graph → Delegated permissions.
   5. Add the following permission:

      • Files.ReadWrite.All
   6. Click Grant admin consent for <your tenant name> Click Yes in the consent confirmation pop-up.

      User.Read permission (delegated) is added by default by the application. DO NOT REMOVE THIS PERMISSION.

   WHY ARE THESE PERMISSIONS NEEDED?

   Prisma Access Browser requires specific permissions. These are the minimum necessary to ensure proper connection and to manage file downloads to your organization's cloud storage. This least-privilege approach minimizes security risks by only requesting access essential for its operation.

   Permission Type	Permission Name	Reason
   Delegated	User.Read	Confirms that the user connected to the browser is the same user that is connected to Microsoft.
   Delegated	Files.ReadWrite.All	Saving files to the user's OneDrive on their behalf.
   Application	Application.Read.All DelegatedPermissionGrant.Read.All	Verifies the integration configured by the Microsoft admin.

   Admins always consent to application permissions. In contrast, end users consent to delegated permissions. Granting admin consent for delegated permissions is required. It prevents users from mistakenly denying permissions, which would block them from downloading and saving files to OneDrive when a Security policy is triggered.

   Verifying the onboarding status of the integration is critical. Improper configuration will prevent Prisma Access Browser from saving files to OneDrive. This will block end users from downloading and saving files when their download action matches a policy rule.
3. Generate Client Secret.

   1. Go to Certificates & Secrets → New client secret.
   2. In the Add a client secret tab, do the following:

      1. Enter a description for the secret, for example - Microsoft secret 01. (this field is optional.
      2. In the Expires field, select 730 days (24 months).
   3. Click Add.
   4. Copy the value of the new client secret. You will need it for the next step when you connect the cloud storage to the Prisma Access Browser. We recommend that you save it in a safe place.
4. Connect to the Prisma Access Browser.

   1. Go to the Prisma Access Browser admin console and select Integrations.
   2. Select Cloud Storage.
   3. Click on either +add provider or Connect your first provider.
   4. Select the provider - Microsoft.
   5. Insert a descriptive Storage name for the connection, for example - Microsoft Cloud Storage.
   6. Paste the Client secret that you generated in the previous step.
   7. Enter the Application (client) ID and the Directory (tenant) ID from the Application Overview in the Azure Portal.
   8. Click Test provider connection to verify the connection with Azure.
   9. Once the test is successful, click Add Provider.
5. Create the Save to Cloud Rule

   1. Open the Access & Data Control rules and create a new rule.
   2. At the Data Control step, select File Download.
   3. Select Save to organization storage and choose the provider that you configured in the previous step.
   4. Add any additional details, and click Set.

Known Limitations and Requirements