SSPM Administration
  • SSPM Administration
  • SaaS Security Documentation
  • All Documentation
>
Onboard an Office 365 App to SSPM
Focus
Download PDF
Focus
  1. Home
  2. SaaS Security
  3. Onboard SaaS Apps Supported by SSPM
  4. Onboard an Office 365 App to SSPM
Download PDF
SaaS Security

Onboard an Office 365 App to SSPM

Table of Contents

Onboard an Office 365 App to SSPM

Connect an Office 365 instance to SSPM to detect posture risks.
Where Can I Use This?What Do I Need?
  • Strata Cloud Manager
  • SaaS Security Posture Management license
Or any of the following licenses that include the Data Security license:
  • CASB-X
  • CASB-PA
For SSPM to detect posture risks in your Office 365 instance, you must onboard your Office 365 instance to SSPM. Through the onboarding process, SSPM connects to a Microsoft API and, through the API, scans your Office 365 instance at regular intervals. You can onboard an Office 365 app by using OAuth 2.0 authorization or by using a Microsoft Entra (formerly Azure) service principal, which represents a Microsoft Entra application that you create.
If you onboard Office 365 by using OAuth 2.0, SSPM redirects you to log in to Office 365 to grant SSPM access to the API scopes that it requires. You have the option to connect with read-only permissions or with read and write permissions. The account that you use to connect SSPM to your Office 365 instance must be assigned to the Global Administrator role.
To onboard Office 365 by using a Microsoft Entra service principal, you create a Microsoft Entra application. When you register this application, Microsoft Entra creates the associated service principle that SSPM will use to connect to the API. You can connect SSPM to your Office 365 instance with read-only permissions or with read and write permissions. The administrator who creates the service principal must be able to grant access to the API scopes required by SSPM. These scopes will differ depending on whether you want to grant SSPM read and write permissions, or if you want to grant SSPM read permissions only. In SSPM, the Office 365 onboarding screen lists the scopes that SSPM requires.

Onboard an Office 365 App to SSPM Using OAuth 2.0

Connect an Office 365 instance to SSPM to detect posture risks.
For SSPM to detect posture risks in your Office 365 instance, you must onboard your Office 365 instance to SSPM. Through the onboarding process, SSPM connects to a Microsoft API and, through the API, scans your Office 365 instance at regular intervals for misconfigured settings. If there are misconfigured settings, SSPM suggests a remediation action based on best practices.
Connecting to Office 365 enables SSPM to scan settings at a high level based on Microsoft's Secure Score. For greater visibility into a particular application in the Office 365 product family, onboard the individual product app. By adding an individual product app, you enable SSPM to scan more settings for the particular product. To scan more settings for Microsoft Word, Microsoft PowerPoint, and Microsoft Excel, onboard Office 365 - Productivity Apps. Other products in the Office 365 product family have their own tiles on the Applications page, and you can onboard these apps separately.
SSPM gets access to your Office 365 instance through OAuth 2.0 authorization. During the onboarding process, you are prompted to log in to Office 365 and to grant SSPM the access it requires.
To onboard your Office 365 instance, you complete the following actions:
  1. Identify the account for granting SSPM access.
    During the onboarding process, SSPM redirects you to log in to Office 365. After you log in, Office 365 will prompt you to grant SSPM the access it needs to your Office 365 instance.
    1. Identify the Office 365 account that you will use to log in to Office 365 during onboarding.
      SSPM will use this account to establish a connection to your Office 365 instance. After SSPM establishes the connection, it will perform an initial configuration scan of your Office 365 instance, and will then run scans at regular intervals.
      When you onboard Office 365, SSPM gives you an option to connect with read-only permissions or with read and write permissions. The onboarding screen lists the API scopes that SSPM requires for each type of scan that it can run. The onboarding screen also lists the API scopes that SSPM requires to perform certain actions on your behalf. For example, if SSPM is granted permission to certain scopes, you can revoke a user's access to a third-party plugin through SSPM. After establishing a connection, SSPM will notify you if it is unable to run certain scans, or complete certain actions, because the account did not have the permissions to grant access to certain scopes.
      Onboarding Office 365 with read-only permissions will enable SSPM to perform configuration scans, risky account scans, and third-party plugin scans.
      Connecting with read and write permissions enables additional SSPM features, including the following features:
      • The ability to revoke a user's access to a third-party plugin.
      • Scans for MFA enrollment issues, which SSPM reports on the Identity Security dashboard.
      • Scans for user sign-in activities, which SSPM displays on the Identity Security dashboard.
      • The ability to force a user out of their current SaaS application sessions from the Identity Security dashboard.
      Required Permissions: To grant SSPM access to either the read-only scopes only or access to read and write scopes, the account must be assigned to the Global Administrator role.
    2. Log out of all Microsoft accounts.
      Logging out of all Microsoft accounts helps ensure that you log in under the correct account during the onboarding process. Some browsers can automatically log you in by using saved credentials. To ensure that the browser does not automatically log you in to the wrong account, you can turn off any automatic log-in option or clear your saved credentials. Alternatively, you can prevent the browser from using saved credentials by opening the Cloud Management Console in an incognito window.
  2. Connect SSPM to your Office 365 instance.
    By adding an Office 365 app in SSPM, you enable SSPM to connect to your Office 365 instance. You must consent to specific permissions when adding the Office 365 app.
    1. From the Add Application page (Posture SecurityApplicationsAdd Application), click the Office 365 tile.
    2. On the Posture Security tab, Add New instance.
    3. Specify whether you want SSPM to connect with Read Permissions only or with Read and Write permissions.
      The onboarding page lists the API scopes that SSPM will access to complete basic scans and to perform advanced scans and actions.
    4. Connect with Office 365
      SSPM redirects you to the Office 365 login page.
    5. Enter the credentials for the Microsoft account that you identified earlier, and sign in to Office 365.
      Microsoft displays a consent form that details the access permissions that SSPM requires.
    6. Review the consent form and allow the requested permissions.
      SSPM connects to your Office 365 instance, and displays whether it was able to access the API scopes that it requires for its scans and other actions. If SSPM is unable to access necessary scopes, it indicates which scans and actions it will not be able to perform.

Onboard an Office 365 App to SSPM Using a Service Principal

Connect an Office 365 instance to SSPM to detect posture risks.
For SSPM to detect posture risks in your Office 365 instance, you must onboard your Office 365 instance to SSPM. Through the onboarding process, SSPM connects to a Microsoft API and, through the API, scans your Office 365 instance at regular intervals for misconfigured settings. If there are misconfigured settings, SSPM suggests a remediation action based on best practices.
SSPM can get access to your Office 365 instance through a Microsoft Entra (formerly Azure) service principal, which represents a Microsoft Entra application that you create. You configure the application's permissions to give SSPM access to the API scopes that SSPM requires. You can limit SSPM's access to read-only scopes, which will enable SSPM to complete its scans. Or you can give SSPM additional access to enable SSPM to complete actions, such as automated remediation of misconfigured settings or user-access revocation to a third-party plugin. When you register this application, Microsoft Entra creates the associated service principle that SSPM will use to connect to the API.
ItemDescription
Tenant IDA globally unique identifier (GUID) for your Microsoft Entra tenant.
Client IDSSPM will access a Microsoft API through a Microsoft Entra service principal that represents an application that you create. Microsoft Entra generates the client ID to uniquely identify the application and its associated service principal.
Client SecretSSPM will access a Microsoft API through a Microsoft Entra service principal that represents an application that you create. Microsoft Entra generates the client Secret, which SSPM uses to authenticate to the service principal.
To onboard your Office 365 instance, you complete the following actions:
  1. Log in to the administrator account that you will use to create your Microsoft Entra application and its associated service principal.
    Required Permissions: The administrator must be able to grant access to the API scopes required by SSPM. These scopes will differ depending on whether you want to grant SSPM read and write permissions, or if you want to grant SSPM read permissions only. In SSPM, the Office 365 onboarding screen lists the scopes that SSPM requires.
    After SSPM connects to your Office 365 instance, it will perform an initial scan of your instance, and will then run scans at regular intervals. For SSPM to run these scans, the service principal must remain available. If you delete the service account, the scans will fail and you will need to onboard Office 365 again.
    1. Open a web browser to the Microsoft Entra admin center.
    2. Log in to the administrator account.
  2. Create and register your Microsoft Entra application.
    1. From the left navigation pane in the Microsoft Entra admin center, select Enterprise applications.
    2. On the Enterprise applications page, select the action to create a New application.
    3. On the All applications page, select Create your own application.
    4. On the Create your own application flyout dialog, complete the following actions:
      1. Specify a name for the application.
      2. Select Register an application to integrate with Microsoft Entra ID (App you're developing).
      3. Create.
    5. On the Register an application window, complete the following actions:
      1. For supported account types, select Accounts in this organizational directory only.
      2. Register.
      Registering the application automatically creates its associated service principal.
  3. Configure API permissions for your application.
    Configure your application to enable access only to the scopes that SSPM requires. The API permissions that you will configure for your application depend on whether you want SSPM to have read-permissions only or read and write permissions.
    1. Identify the scopes that SSPM requires.
      In SSPM, the Office 365 onboarding screen lists the scopes that SSPM requires. To get the required scopes, you will begin the onboarding process in SSPM, but you will not complete the process.
      1. From the Add Application page in SSPM (Posture SecurityApplicationsAdd Application), click the Office 365 tile.
      2. On the Posture Security tab, Add New instance.
      3. Select the option for Service Principal.
        The onboarding page lists the API scopes that SSPM requires for read access and for read and write access. Copy the API scopes that you want to allow. You will add these permissions to your application.
        Don’t continue to the next step unless you have copied the permissions. Later, you will add these permissions to your application.
      4. Because you won't be completing the onboarding process until after you have finished configuring your application, Cancel Onboarding.
    2. From the left navigation pane in the Microsoft Entra admin center, select Enterprise applications.
    3. From the list of applications on the All applications page, open your application.
    4. From the details page for your application, select Permissions.
    5. On the Permissions page for your application, click the Application registration link, which will take you to the API permissions page for your application.
    6. On the API permissions page, Add a permission.
    7. On the Request API permissions flyout dialog, select Microsoft GraphApplication Permissions.
    8. Select each of the API scopes that you obtained from the Office 365 onboarding screen in SSPM and Add permissions.
    9. On the API permissions page, verify that all the scopes were added as application permissions.
      The scopes you added should all have a type of Application. Only the User.Read permission, which Microsoft Entra added automatically when you registered the application, will have a type of Delegated.
    10. On the API permissions page, select Grant admin consent for your organization.
  4. Copy the application credentials (client ID and client secret) for your application.
    1. Copy the client ID.
      1. From the details page for your application, select Overview.
      2. From the overview page, copy the client ID from the Application (client) ID field and paste it into a text file.
        Don’t continue to the next step unless you have copied the client ID. You will provide this information to SSPM during the onboarding process.
    2. Create and copy the client secret.
      1. From the details page for your application, select Certificates & secretsClient secrets.
      2. Create a New client secret.
      3. Copy the Value of the new client secret and paste it into a text file.
        Don’t continue to the next step unless you have copied the client secret. You will provide this information to SSPM during the onboarding process.
  5. Identify your tenant ID.
    1. From the left navigation pane in the Microsoft Entra admin center, select Home.
    2. Copy the tenant ID and paste it into a text file.
      Don’t continue to the next step unless you have copied your tenant ID. You will provide this information to SSPM during the onboarding process.
  6. Connect SSPM to your Office 365 instance.
    In SSPM, complete the following steps to enable SSPM to connect to your Office 365 instance.
    1. From the Add Application page (Posture SecurityApplicationsAdd Application), click the Office 365 tile.
    2. On the Posture Security tab, Add New instance.
    3. Select the option for Service Principal.
    4. Enter the application credentials (client ID and client secret) and your tenant ID.
    5. Depending on the API permissions that you configured for your application, specify whether you want SSPM to connect with Read Permissions only or with Read and Write Permissions.
    6. Connect.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.