SaaS Agent Security
Onboard M365 Copilot to SaaS Agent Security
Table of Contents
Onboard M365 Copilot to SaaS Agent Security
Onboard M365 Copilot to SaaS Agent Security to gain deep visibility and
security for your M365 Copilot platform and apps.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Or any of the following licenses that include the SaaS Agent Security license:
|
Microsoft 365 Copilot is an AI-powered assistant integrated into Word, Excel,
PowerPoint, Outlook, Teams, and other Microsoft 365 apps, using Large Language
Models (LLMs) and your organization's data to help with tasks like drafting content,
analyzing data, summarizing meetings, and generating ideas, all while respecting
security and privacy. It acts as a "copilot" by streamlining workflows, boosting
creativity, and increasing productivity by turning natural language prompts into
actions and insights within your familiar work environment. Onboard M365 Copilot to
SaaS Agent Security to gain deep visibility and security for your M365
Copilot platform and apps.
Prerequisites
- To access M365 Copilot and start building custom agents, your organization must have a Microsoft 365 Copilot license. If you would like to explore these capabilities, coordinate with your IT Administrator or Microsoft Sales representative to ensure the proper licensing is in place. M365 Copilot is a Microsoft-native product, not a feature developed or managed by Palo Alto Networks.
- To manage Microsoft 365 Copilot agents and settings, your account must be assigned a specific administrative role. You can verify your current access level by viewing the agent list. While a Global Administrator has full control over the entire organization, Microsoft recommends using the AI Administrator role. This is a dedicated persona designed specifically for managing Copilot features and agent governance without granting unnecessary access to other parts of your system. If you only need to monitor the environment, the Global Reader role provides "view-only" access, allowing you to see agent status and availability without the ability to make changes or upload new packages. Consult your internal IT team to ensure one of these roles is assigned to your account and you list agents via the URL mentioned above.
To access your M365 Copilot instance, SaaS Agent Security requires the
following Azure information, which you will specify during the onboarding
process.
| Item | Description |
|---|---|
| Azure Email | An Azure email address refers to an email address used with Azure Communication Services (ACS), a cloud service that allows applications to send and receive emails |
| Azure Password | An Azure password is a credential for a user to access resources within an Azure environment, managed by Azure Active Directory (now Microsoft Entra ID) |
| Azure 2FA Secret | An Azure TOTP secret is a shared secret key that is used to generate Time-based One-Time Passwords (TOTP) for multi-factor authentication (MFA). This key, often a Base32-encoded string, is generated by Azure and shared between the Azure service and the user's authenticator app (like Microsoft Authenticator). Both the service and the app use this secret, along with the current time, to independently and securely generate the same six-digit code that changes every 30 seconds. |
- To start onboarding M365 Copilot to SaaS Agent Security, log in to Strata Cloud Manager.Select .
![]()
Ensure you have completed all the three steps mentioned in the following onboarding wizard and then Get Started.![]()
On the Authorization Method Selection page, the CREDENTIALS method is selected by default. Click Next.The CREDENTIALS method uses data extraction to fetch the agent activity details from your SaaS application tenant.![]()
Click Azure to select the SSO provider.![]()
Enter the following information in the SSO Provider details page and Complete:- Email address
- Password
- Azure 2FA secret (if you did not set up a 2FA secret in your Azure account, enter any random text to complete the step).
![]()
Specify a custom name for your M365 Copilot instance if needed and click Done.![]()
SaaS Agent Security establishes the connection and validates the credentials and permissions. After the validation is successful, you will see the following confirmation message.![]()
SaaS Agent Security immediately begins to scan your onboarded agentic platform after a successful validation.The amount of time SaaS Agent Security takes to scan varies based on the amount of data it is required to scan. At a minimum, it takes at least one hour to scan and display data in the SaaS Agent Security dashboard.
