Onboard Office 365 Productivity Apps to SSPM

Connect Office 365 productivity app instances to SSPM to detect posture risks.
To detect posture risks in your Office 365 productivity apps (Microsoft Word, Microsoft PowerPoint, and Microsoft Excel), SSPM connects to the productivity apps by using information that you provide. Once SSPM connects, it scans the Office 365 productivity apps for misconfigured settings and continues to run scans at regular intervals.
There are two ways to onboard the Office 365 productivity apps, depending on how you want SSPM to scan your Office 365 productivity apps. Review the following information about these two methods of scanning to decide which one you want SSPM to use. Before you onboard the Office 365 productivity apps to SSPM, there are certain actions you must take and certain information you must gather. These actions will differ depending on the method you choose.
  • You can onboard a Microsoft OneDrive App for scans that use the Microsoft Graph API. To enable SSPM to access the Microsoft Graph API, you create a client application in Azure Active Directory (AD) with the necessary permissions, and give users in your organization access to the application. During onboarding, you will supply SSPM with Microsoft credentials for a user in the organization with the necessary permissions. You will also supply the Client ID of the Azure AD application. SSPM uses this information in a PowerShell call to connect to the Microsoft Graph API. The account that you use for onboarding cannot require MFA.
    This approach uses a published API.
  • You can onboard a Microsoft OneDrive App for scans that use data extraction (also known as web scraping). To perform this data extraction, SSPM logs in to Microsoft by using an administrator account. You can have SSPM access the account directly or through the Okta or Microsoft Azure identity providers. If SSPM will be logging in to the administrator account directly, then the account cannot be configured for MFA. If SSPM will be accessing the account through Okta or Microsoft Azure, then MFA is required. During onboarding, you will provide SSPM with the administrator credentials. If SSPM will connect to the account through an identity provider, you will also specify the information that SSPM needs for MFA.
    This data-extraction approach scans more settings than the Microsoft Graph API approach.