Begin Scanning Microsoft Office 365 Apps

Learn how to connect Microsoft Office 365 apps to Prisma SaaS to begin scanning for security violations.
To connect Microsoft Office 365 to Prisma SaaS and begin scanning files and folders on OneDrive and SharePoint, you need to:
  • Ensure that you have an Office 365 account with Global Administrator role permissions.
  • Grant Prisma SaaS access to Office 365.
  • Add the Office 365 app to Prisma SaaS, providing Prisma SaaS information about your Office 365 account.
For information on which automated remediation capabilities Prisma SaaS supports with Office 365, refer to Supported Applications with Remediation.

Add Office 365 App

In order for Prisma SaaS to scan assets, you must consent to specific permissions during the course of adding the Office 365 app. Without the requested permissions, Prisma SaaS cannot authenticate (OAuth2) with Office 365 and cannot scan assets, even after you successfully install the Office 365 app.
If you forget to consent to permissions, you can correct the misconfiguration, but it’s more efficient to avoid the issue.
  1. (Recommended) Add your Office 365 app domain as an internal domain.
  2. Log in to Office 365 using an account with Global Admin role permissions.
    Before you add the Office 365 app to Prisma SaaS, you must properly establish communication between Prisma SaaS and the Microsoft Office 365 SharePoint app and OneDrive app.
    1. Go to http://portal.microsoftonline.com and log out of Office 365 to ensure that you are not logged in as a user other than an account with Global Admin role permissions.
    2. Log in again to Office 365 using an account that has the Global Admin role permissions.
  3. Add the Office 365 app.
    1. From the Prisma SaaS Dashboard, click Add a Cloud App.
    2. Select Office 365.
    3. Select one of the following:
      • Connect to Office 365 Account
      • Using a custom configuration?
      If you have a dedicated Office 365 account, select Using a custom configuration? and provide the URLs for OneDrive and SharePoint that are part of your custom configuration.
    4. Enter the login credentials for the account with Global Admin role privileges on the Microsoft Online page to which Prisma SaaS redirects you.
    5. Review and Accept the Consent on behalf of your organization permissions requested. Prisma SaaS requires these permissions to scan your assets on Office 365.
      After authentication, Prisma SaaS adds the new Office 365 app to the Cloud Apps list as Office365 n, where n is the number of Office 365 app instances that you connected to Prisma SaaS. For example, if you added one Office365 app, the name displays as Office365 1. You’ll specify a descriptive name soon.
  4. (Optional) Choose the user groups whose assets and accounts you want to monitor.
    The ability to scan assets based on user groups is known as selective scanning. By default, selective scanning is not enabled. If you have not already done so, instruct Prisma SaaS to retrieve your Azure AD group information, then return to this step to choose the user groups.
    1. Navigate to Settings > Cloud Apps & Scan Settings.
    2. Select Enable selective scanning and choose the groups you want to include in or exclude from scanning from the list of groups.
    3. Select Save to continue.
    Prisma SaaS discovers metadata on all sites within SharePoint; however, it only scans (or excludes from scanning) the assets (files and folders) that belong to users who are members of the groups you selected in your selective scanning configuration.
    If a group is edited or removed from selective scanning, it can take up to 7 days to remove assets or activities and close any related incidents. Adding a group back to selective scanning records new user activities but not the old, previously removed user activities.
  5. (Optional) Give a descriptive name to this app instance.
    1. Select the Office365 n link on the Cloud Apps list.
    2. Enter a descriptive Name to differentiate this instance of Office 365 from other instances you are managing.
    3. Click Done to save your changes.
  6. Start scanning the new Microsoft Office 365 app for risks.
    1. Select Settings > Cloud Apps & Scan Settings.
    2. In the Cloud Apps row that corresponds to the new Office 365 app, select Actions > Start Scanning.
  7. During the discovery phase, as Prisma SaaS scans files and matches them against enabled policy rules:
    • Verify that Prisma SaaS displays assets. If none display, fix the misconfiguration.
    • Verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, improve your results.

Identify Risks

When you add a new cloud app, Prisma SaaS automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
  1. (Optional) Modify match criteria for existing policy rules.
  2. (Optional) Add new policy rules.
    Consider the business use of your cloud app, then identify risks unique to your enterprise. As necessary, add new:
  3. (Optional) Configure or edit a data pattern.
    You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns, making it possible to find all instances of text that match a data pattern you specify.

Fix Office 365 Misconfigurations

The most common issues related to misconfigurations are as follows:

Symptom: After you add the Office 365 app, no scanned assets display for Office 365.
Explanation: Prisma SaaS doesn’t have permissions to access Office 365.
Solution: You forgot to grant the necessary permissions, so you must do so now via the Azure Portal.
  • Grant Prisma SaaS access to Office 365 using Azure Portal.
    Without permissions, Prisma SaaS cannot authenticate (OAuth2) with Office 365 and cannot scan assets, even after you successfully install the Office 365 app.
    1. Log in to Azure Portal at https://portal.azure.com as Global Administrator.
    2. Navigate to Enterprise applications > All applications.
    3. Select Aperture by Palo Alto Networks > Security > Permissions.
    4. Click Grant admin consent for yourOrganization.
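Before walking through the portal steps, you can confirm from the command line whether the consent requested during the Office 365 app setup was actually recorded in your tenant. The Microsoft Graph PowerShell snippet below is an added example, not part of the Prisma SaaS documentation; it assumes the Microsoft.Graph SDK is installed and that the enterprise application is listed under the display name shown above (adjust the name if your tenant differs).

```powershell
# Added example (not from the Prisma SaaS guide): check whether tenant-wide admin
# consent exists for the Prisma SaaS enterprise application before concluding that
# "no scanned assets" is a permissions problem. Requires the Microsoft.Graph
# PowerShell SDK. The display name is taken from the Enterprise applications step
# in this guide; treat it as an assumption and adjust if your tenant lists it differently.
$AppDisplayName = 'Aperture by Palo Alto Networks'

# Read-only scope: sufficient to inspect service principals and their consent grants.
Connect-MgGraph -Scopes 'Application.Read.All'

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) {
    Write-Warning "No service principal named '$AppDisplayName' found; the app was never added, so no consent can exist."
    return
}

# Delegated permissions consented "on behalf of your organization" are stored as
# oauth2PermissionGrants with ConsentType = AllPrincipals (no PrincipalId).
$grants     = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id
$tenantWide = $grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' }

# Application permissions granted by an admin are stored as app role assignments.
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id

if (-not $tenantWide -and -not $appRoles) {
    Write-Warning "Admin consent has NOT been granted for '$($sp.DisplayName)'. Grant it via Enterprise applications > Permissions."
} else {
    Write-Output "Admin consent present for '$($sp.DisplayName)':"
    foreach ($g in $tenantWide) {
        # ResourceId identifies the API (e.g. Microsoft Graph, SharePoint Online) the scopes apply to.
        $api = (Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId).DisplayName
        Write-Output "  Delegated ($api): $($g.Scope)"
    }
    foreach ($a in $appRoles) {
        Write-Output "  Application role $($a.AppRoleId) on $($a.ResourceDisplayName)"
    }
}
```

A user-specific grant (ConsentType = Principal) left behind by an individual sign-in does not count as organization-wide consent, which is why the check filters on AllPrincipals.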