>
    Strata Copilot
    Onboard an Office 365 App to SSPM Using a Service Principal
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Onboard SaaS Apps Supported by SSPM
    4. Onboard an Office 365 App to SSPM
    5. Onboard an Office 365 App to SSPM Using a Service Principal
    Download PDF
    SaaS Security

    Onboard an Office 365 App to SSPM Using a Service Principal

    Table of Contents

    Onboard an Office 365 App to SSPM Using a Service Principal

    Connect an Office 365 instance to SSPM to detect posture risks.
    For SSPM to detect posture risks in your Office 365 instance, you must onboard your Office 365 instance to SSPM. Through the onboarding process, SSPM connects to a Microsoft API and, through the API, scans your Office 365 instance at regular intervals for misconfigured settings. If there are misconfigured settings, SSPM suggests a remediation action based on best practices.
    SSPM can get access to your Office 365 instance through a Microsoft Entra (formerly Azure) service principal, which represents a Microsoft Entra application that you create. You configure the application's permissions to give SSPM access to the API scopes that SSPM requires. You can limit SSPM's access to read-only scopes, which will enable SSPM to complete its scans. Or you can give SSPM additional access to enable SSPM to complete actions, such as automated remediation of misconfigured settings or user-access revocation to a third-party plugin. When you register this application, Microsoft Entra creates the associated service principle that SSPM will use to connect to the API.
    ItemDescription
    Tenant IDA globally unique identifier (GUID) for your Microsoft Entra tenant.
    Client IDSSPM will access a Microsoft API through a Microsoft Entra service principal that represents an application that you create. Microsoft Entra generates the client ID to uniquely identify the application and its associated service principal.
    Client SecretSSPM will access a Microsoft API through a Microsoft Entra service principal that represents an application that you create. Microsoft Entra generates the client Secret, which SSPM uses to authenticate to the service principal.
    To onboard your Office 365 instance, you complete the following actions:
    1. Log in to the administrator account that you will use to create your Microsoft Entra application and its associated service principal.
      Required Permissions: The administrator must be able to grant access to the API scopes required by SSPM. These scopes will differ depending on whether you want to grant SSPM read and write permissions, or if you want to grant SSPM read permissions only. In SSPM, the Office 365 onboarding screen lists the scopes that SSPM requires.
      After SSPM connects to your Office 365 instance, it will perform an initial scan of your instance, and will then run scans at regular intervals. For SSPM to run these scans, the service principal must remain available. If you delete the service account, the scans will fail and you will need to onboard Office 365 again.
      1. Open a web browser to the Microsoft Entra admin center.
      2. Log in to the administrator account.
    2. Create and register your Microsoft Entra application.
      1. From the left navigation pane in the Microsoft Entra admin center, select Enterprise applications.
      2. On the Enterprise applications page, select the action to create a New application.
      3. On the All applications page, select Create your own application.
      4. On the Create your own application flyout dialog, complete the following actions:
        1. Specify a name for the application.
        2. Select Register an application to integrate with Microsoft Entra ID (App you're developing).
        3. Create.
      5. On the Register an application window, complete the following actions:
        1. For supported account types, select Accounts in this organizational directory only.
        2. Register.
        Registering the application automatically creates its associated service principal.
    3. Configure API permissions for your application.
      Configure your application to enable access only to the scopes that SSPM requires. The API permissions that you will configure for your application depend on whether you want SSPM to have read-permissions only or read and write permissions.
      1. Identify the scopes that SSPM requires.
        In SSPM, the Office 365 onboarding screen lists the scopes that SSPM requires. To get the required scopes, you will begin the onboarding process in SSPM, but you will not complete the process.
        1. From the Add Application page in SSPM (Posture SecurityApplicationsAdd Application), click the Office 365 tile.
        2. On the Posture Security tab, Add New instance.
        3. Select the option for Service Principal.
          The onboarding page lists the API scopes that SSPM requires for read access and for read and write access. Copy the API scopes that you want to allow. You will add these permissions to your application.
          Don’t continue to the next step unless you have copied the permissions. Later, you will add these permissions to your application.
        4. Because you won't be completing the onboarding process until after you have finished configuring your application, Cancel Onboarding.
      2. From the left navigation pane in the Microsoft Entra admin center, select Enterprise applications.
      3. From the list of applications on the All applications page, open your application.
      4. From the details page for your application, select Permissions.
      5. On the Permissions page for your application, click the Application registration link, which will take you to the API permissions page for your application.
      6. On the API permissions page, Add a permission.
      7. On the Request API permissions flyout dialog, select Microsoft GraphApplication Permissions.
      8. Select each of the API scopes that you obtained from the Office 365 onboarding screen in SSPM and Add permissions.
      9. On the API permissions page, verify that all the scopes were added as application permissions.
        The scopes you added should all have a type of Application. Only the User.Read permission, which Microsoft Entra added automatically when you registered the application, will have a type of Delegated.
      10. On the API permissions page, select Grant admin consent for your organization.
    4. Copy the application credentials (client ID and client secret) for your application.
      1. Copy the client ID.
        1. From the details page for your application, select Overview.
        2. From the overview page, copy the client ID from the Application (client) ID field and paste it into a text file.
          Don’t continue to the next step unless you have copied the client ID. You will provide this information to SSPM during the onboarding process.
      2. Create and copy the client secret.
        1. From the details page for your application, select Certificates & secretsClient secrets.
        2. Create a New client secret.
        3. Copy the Value of the new client secret and paste it into a text file.
          Don’t continue to the next step unless you have copied the client secret. You will provide this information to SSPM during the onboarding process.
    5. Identify your tenant ID.
      1. From the left navigation pane in the Microsoft Entra admin center, select Home.
      2. Copy the tenant ID and paste it into a text file.
        Don’t continue to the next step unless you have copied your tenant ID. You will provide this information to SSPM during the onboarding process.
    6. Connect SSPM to your Office 365 instance.
      In SSPM, complete the following steps to enable SSPM to connect to your Office 365 instance.
      1. Log in to Strata Cloud Manager.
      2. Select ConfigurationSaaS SecurityPosture SecurityApplicationsAdd Application and click the Office 365 tile.
      3. On the Posture Security tab, Add New instance.
      4. Select the option for Service Principal.
      5. Enter the application credentials (client ID and client secret) and your tenant ID.
      6. Depending on the API permissions that you configured for your application, specify whether you want SSPM to connect with Read Permissions only or with Read and Write Permissions.
      7. Connect.

    © 2026 Palo Alto Networks, Inc. All rights reserved.