SaaS Security
Onboard a Microsoft Outlook App to SSPM
Connect a Microsoft Outlook instance to SSPM to detect posture risks.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Or any of the following licenses that include the Data Security license:
|
Previously, you could onboard Microsoft Outlook by supplying
account credentials to SSPM. This enabled SSPM to access the account directly or
through the Okta or Microsoft Azure identity providers. Once connected, SSPM would
use data extraction techniques to scan your Microsoft Outlook instance. In March
2026, we discontinued this earlier connector in favor of a new connector that
accesses Microsoft APIs through a service principal.
This new connector,
described below, leverages the deep integration between Microsoft Outlook and
Microsoft Exchange to scan both of these product instances. A separate connector
for Microsoft Exchange that used data extraction for scans was also discontinued
in March 2026. You now onboard Microsoft Exchange by using this new Microsoft
Outlook connector.
If you already connected SSPM to your Microsoft Outlook
instance using the earlier connector, your established connection will continue
to work. Similarly, if you already connected SSPM to your Microsoft Exchange
instance, that established connection will continue to work. However, if there
is any change to the configuration information that you provided to SSPM (such
as an updated login password), you will need to onboard the Microsoft Outlook
instance again by using the new connector described below. Note that there is no
longer a separate connector for Microsoft Exchange.
For SSPM to detect posture risks in your Microsoft Outlook instance, you must onboard
your Microsoft Outlook instance to SSPM. Through the onboarding process, SSPM
connects to the Microsoft Graph and Office 365 Exchange Online APIs and, through
these APIs, scans your Microsoft Outlook instance at regular intervals.
Microsoft Outlook and Microsoft Exchange share the same
core technology within the Microsoft 365 ecosystem. Because of this deep
integration, onboarding Microsoft Outlook also onboards Microsoft Exchange. SSPM
will scan both Microsoft Outlook and Microsoft Exchange for potential
misconfigurations.
SSPM gets access to your Microsoft Outlook instance through a service principal,
which represents a Microsoft Entra application that you create. You will configure
this application's permissions to enable SSPM to access only the API scopes that
SSPM requires to complete its scans. When you register this application, Microsoft
Entra creates the associated service principal that SSPM will use to connect to the
Microsoft APIs.
The supported Microsoft account plan for SSPM scans is the Microsoft Business Premium
plan.
To access your Microsoft Outlook instance, SSPM requires the following information,
which you will specify during the onboarding process.
| Item | Description |
|---|---|
| Tenant ID | A globally unique identifier (GUID) for your Microsoft Entra tenant. |
| Client ID | SSPM will access Microsoft APIs through a Microsoft Entra service principal that represents an application that you create. Microsoft Entra generates the client ID to uniquely identify the application and its associated service principal. |
| Client Secret | SSPM will access Microsoft APIs through a Microsoft Entra service principal that represents an application that you create. Microsoft Entra generates the client secret, which SSPM uses to authenticate to the service principal. |
To onboard your Microsoft Outlook instance, you complete the following actions:
- Open a web browser to the Microsoft Entra admin center and log in as Global Administrator.

  Required Permissions: To create the Microsoft Entra application and its associated service principal, and to assign that service principal to the Global Reader role, you must use an account that is assigned to the Global Administrator role.
- Create and register your Microsoft Entra application.
  - From the left navigation pane in the Microsoft Entra admin center, select App registrations.
  - On the App registrations page, select the action to create a New registration.
  - On the Register an Application page, complete the following actions:
    - Specify a name for the application.
    - Select Accounts in this organizational directory only.
    - Register.

    Microsoft Entra registers your application and displays the details page for your application. Registering the application automatically creates its associated service principal.
- Copy the tenant ID and application credentials (client ID and client secret) for your application.
  - Copy the tenant ID and client ID.
    - From the details page for your application, select Overview.
    - From the overview page, copy the client ID from the Application (client) ID field and paste it into a text file.
    - From the overview page, copy the tenant ID from the Directory (tenant) ID field and paste it into a text file.

    Don’t continue to the next step unless you have copied the client ID and tenant ID. You will provide this information to SSPM during the onboarding process.
  - Create and copy the client secret.
    - From the details page for your application, select Certificates & secrets > Client secrets.
    - Select New client secret.
    - In the Add a client secret flyout dialog, specify an expiration date for the client secret and Add the client secret.
    - Copy the Value of the new client secret and paste it into a text file.

    Don’t continue to the next step unless you have copied the client secret. You will provide this information to SSPM during the onboarding process.
- Configure API permissions for your application.

  Configure your application to enable access only to the Microsoft Graph and Office 365 Exchange Online API scopes that SSPM requires. SSPM requires the following permissions:

  | API | Permission Type | Permission |
  |---|---|---|
  | Microsoft APIs > Microsoft Graph | Application permissions | Directory.Read.All |
  | Microsoft APIs > Microsoft Graph | Application permissions | Policy.Read.All |
  | APIs my organization uses > Office 365 Exchange Online | Application permissions | Exchange.ManageAsApp |

  To add these permissions, complete the following steps.
  - From the details page for your application, select API permissions.
  - Add the Microsoft Graph permissions.
    - On the API permissions page, select the action to Add a permission.
    - On the Microsoft APIs tab of the Request API permissions dialog, select Microsoft Graph.

      The Microsoft Graph page prompts you to select the type of permissions your application requires.
    - Select Application permissions.
    - Select the following API scopes and Add permissions.
      - Directory.Read.All
      - Policy.Read.All
  - Add an Office 365 Exchange Online permission.
    - On the API permissions page, select the action to Add a permission.
    - On the APIs my organization uses tab of the Request API permissions dialog, select Office 365 Exchange Online.

      The Office 365 Exchange Online page prompts you to select the type of permissions your application requires.
    - Select Application permissions.
    - Select the following API scope and Add permissions.
      - Exchange.ManageAsApp
  - On the API permissions page, verify that all the scopes were added as application permissions.
  - On the API permissions page, select Grant admin consent for your organization.
- Assign your Microsoft Entra application to the Global Reader role.
  - From the left navigation pane in the Microsoft Entra admin center, select Identity > Roles & admins > Roles & admins.
  - On the Roles and administrators page, make sure the All roles tab is selected.
  - From the list of administrative roles, locate the Global Reader role.

    To quickly locate the Global Reader role, you can use the search field to filter the list.
  - After you locate the Global Reader role in the list, click its name to view the Assignments page for the Global Reader role. Don't select the check box next to the role.

    The Assignments page lists all the identities currently assigned to that role.
  - Click + Add assignments.
  - On the Add assignments page, locate your service principal.

    To locate the service principal, paste its client ID into the search field.
  - Select the check box next to the service principal and Add it to the Global Reader role.
- Connect SSPM to your Microsoft Entra ID instance.

  In SSPM, complete the following steps to enable SSPM to connect to your Microsoft Outlook instance.
  - Log in to Strata Cloud Manager.
  - Select Configuration > SaaS Security > Posture Security > Applications > Add Application and click the Microsoft Outlook tile.
  - On the Posture Security tab, Add New instance.
  - Log in with Credentials.
  - Enter the application credentials (client ID and client secret) and your tenant ID.
  - Connect.
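
One way to confirm that the service principal ended up with only the application permissions listed in the procedure above is to inspect the `roles` claim of an app-only access token issued to it. This is an added example, not code from the SSPM documentation or product; the function names, the audience URLs and the sample tokens are assumptions, and obtaining a real token is left to your existing tooling.

```python
import base64
import json

# Application permissions the page says SSPM requires, keyed by token audience.
# The audience URLs are assumptions about how tokens for each API are labelled.
REQUIRED = {
    "https://graph.microsoft.com": {"Directory.Read.All", "Policy.Read.All"},
    "https://outlook.office365.com": {"Exchange.ManageAsApp"},
}


def jwt_claims(token):
    """Decode a JWT payload for inspection only (the signature is NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token):
    """Compare an app-only token's 'roles' claim with the page's permission list."""
    claims = jwt_claims(token)
    aud = claims.get("aud", "").rstrip("/")
    if aud not in REQUIRED:
        return {"aud": aud, "ok": False, "findings": ["unexpected audience"]}
    granted = set(claims.get("roles", []))
    findings = []
    for name in sorted(REQUIRED[aud] - granted):
        findings.append(f"missing: {name} (add it, then grant admin consent)")
    for name in sorted(granted - REQUIRED[aud]):
        findings.append(f"excess: {name} (not required by SSPM, remove)")
    if "scp" in claims:  # 'scp' carries delegated scopes, not application permissions
        findings.append(f"delegated scopes present: {claims['scp']}")
    return {"aud": aud, "ok": not findings, "findings": findings}


def make_sample(claims):
    """Build a constructed, unsigned token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none"})
    return f"{header}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed samples: one matching the page's list, one over-privileged.
    for roles in (["Directory.Read.All", "Policy.Read.All"],
                  ["Directory.Read.All", "Mail.ReadWrite"]):
        sample = make_sample({"aud": "https://graph.microsoft.com", "roles": roles})
        print(audit_token(sample))
```

A permission that was added but never covered by Grant admin consent does not appear in `roles`, so it is reported as missing.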