Begin Scanning a Microsoft Exchange App

Use Prisma SaaS to scan and identify incidents found when scanning assets and email attachments in your MS Exchange app.
To connect a Microsoft Exchange app to Prisma SaaS and begin scanning assets, you need to:
  • Ensure that you have a Microsoft Exchange or Office 365 account with Global Admin role.
  • Grant Exchange API access to Prisma SaaS.
  • Add the Exchange app to Prisma SaaS.
As of July 2020, the Exchange integration on Prisma SaaS is now updated to optimize the permissions required for cloud app features. To revoke unnecessary permissions that you granted previously and that Prisma SaaS no longer needs, reauthenticate the Exchange app.
For information on which automated remediation capabilities Prisma SaaS supports with Google Drive, refer to Supported Applications with Remediation.

Add Exchange App

In order for Prisma SaaS to scan assets, you must consent to the following permissions during the course of adding the Exchange app:
Microsoft Graph API
Read all users' basic profiles
Retrieves basic user information such as display name, email address, and userId to display user information on
page in Prisma SaaS.
Read all users' full profiles
Allows Prisma SaaS to make a
API call. Prisma SaaS uses this permission for both Graph API and Outlook Legacy Rest API.
Additionally, allows Prisma SaaS to retrieve detailed user information (For example, user principle name (UPN), job title, office location, phone number, etc), but Prisma SaaS discards all this information with the exception of UPN, which Prisma SaaS needs to retrieve user mailbox settings.
Read all user mailbox settings
Retrieves each user's mailbox settings (For example, retention policy settings, email forward settings, public folder access settings, and delegate rules settings), and then determines if there is any security risk in those settings.
Read mail in all mailboxes
Retrieves and scan the user's email.
Read all hidden memberships
Not currently used, but Prisma SaaS plans to use this permission to detect memberships of hidden groups.
Read all groups
Not currently used, but Prisma SaaS plans to use this permission to scan group properties and detect the members in the group.
Read calendars in all mailboxes
Allows Prisma SaaS to access attachments in calendar events.
Use Exchange Web Services with full access to all mailboxes
Retrieves each user's mailbox settings (For example, inbox rules and eDiscovery search configuration), and then determines if there is any security risk in those settings. Prisma SaaS plans to use this permission to determine if the user owns any public folders.
Read directory data
Allows Prisma SaaS to retrieve and scan for a list of users and groups. Prisma SaaS uses this permission for both Azure AD Legacy API and Graph API.
Read activity data for your organization
Allows Prisma SaaS to read and log activity data to display activity data on
page in Prisma SaaS.
  1. (
    ) Add your Exchange domain as an internal domain.
  2. Log in to Microsoft Exchange or Office 365 using an account with privileges that will enable communication between Prisma SaaS and the Microsoft Exchange app.
    Before you can establish communication between Prisma SaaS and the Exchange app, you must:
    • Go to and log out of Exchange or Office 365.
    • Log in to Exchange or Office 365 using an account that has the Global Admin role prior to adding the Exchange app to Prisma SaaS.
  3. Add the Exchange app.
    1. Log in to Prisma SaaS.
    2. Select
      Add a Cloud App
    3. Select
      Microsoft Exchange
    4. Enter the login credentials for the account with Global Admin role privileges on the Microsoft Online page to which Prisma SaaS redirects you.
    5. Review and
      the changes that Prisma SaaS can perform on your assets in Exchange.
      Prisma SaaS requires these permissions to scan your assets on Exchange app.
      After authentication, Prisma SaaS adds the new Exchange app to the list of Cloud Apps as Microsoft Exchange
      is the number of Exchange app instances that you have connected to Prisma SaaS. For example, if you added one Exchange app, the name displays as
      Exchange 1
  4. Next Step
    : Proceed to Customize Exchange App.

Customize Exchange App

  1. (
    ) Give a descriptive name to this app instance.
    1. Select the Exchange 
      link on the Cloud Apps list.
    2. Enter a descriptive
      to differentiate this instance of Exchange from other instances you are managing.
    3. Click
      to save your changes.
  2. Next Step
    : Proceed to Identify Risks.

Identify Risks

When you add a new cloud app and enable scanning, Prisma SaaS automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
  1. Start scanning the new Exchange app for risks.
    All email attachments in Exchange are scanned based on defined policies. Email content is scanned based on defined policies only if the sender or receiver of the email is from an external domain. Scanning only starts on installation, and assets without risks are not stored.
  2. During the discovery phase, Prisma SaaS scans files and matches them against enabled default policy rules.
    Verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, improve the results.
  3. (
    ) Modify match criteria for existing policy rules.
  4. (
    ) Add new policy rules.
    Consider the business use of your cloud app, then identify risks unique to your enterprise. As necessary, add new:
  5. (
    ) Configure or edit a data pattern.
    You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.

Recommended For You