>
    Strata Copilot
    Onboard M365 Copilot to SaaS Agent Security
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Agent Security
    3. Onboard AI Agent Platforms to SaaS Agent Security
    4. Onboard M365 Copilot to SaaS Agent Security
    Download PDF
    SaaS Agent Security

    Onboard M365 Copilot to SaaS Agent Security

    Table of Contents

    Onboard M365 Copilot to SaaS Agent Security

    Onboard M365 Copilot to SaaS Agent Security to gain deep visibility and security for your M365 Copilot platform and apps.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Agent Security license
    Or any of the following licenses that include the SaaS Agent Security license:
    • CASB-X
    • CASB-PA
    • SaaS Security Posture Management license
    Microsoft 365 Copilot is an AI-powered assistant integrated into Word, Excel, PowerPoint, Outlook, Teams, and other Microsoft 365 apps, using Large Language Models (LLMs) and your organization's data to help with tasks like drafting content, analyzing data, summarizing meetings, and generating ideas, all while respecting security and privacy. It acts as a "copilot" by streamlining workflows, boosting creativity, and increasing productivity by turning natural language prompts into actions and insights within your familiar work environment. Onboard M365 Copilot to SaaS Agent Security to gain deep visibility and security for your M365 Copilot platform and apps.
    Prerequisites
    • To access M365 Copilot and start building custom agents, your organization must have a Microsoft 365 Copilot license. If you would like to explore these capabilities, coordinate with your IT Administrator or Microsoft Sales representative to ensure the proper licensing is in place. M365 Copilot is a Microsoft-native product, not a feature developed or managed by Palo Alto Networks.
    • To manage Microsoft 365 Copilot agents and settings, your account must be assigned a specific administrative role. You can verify your current access level by viewing the agent list. While a Global Administrator has full control over the entire organization, Microsoft recommends using the AI Administrator role. This is a dedicated persona designed specifically for managing Copilot features and agent governance without granting unnecessary access to other parts of your system. If you only need to monitor the environment, the Global Reader role provides "view-only" access, allowing you to see agent status and availability without the ability to make changes or upload new packages. Consult your internal IT team to ensure one of these roles is assigned to your account and you list agents via the URL mentioned above.
    • In the Setting tab, select Active for assignment type and Permanently assigned for assignment duration. Add a justification for your settings and Assign.
    Configure OATH TOTP as the Default Authentication Method
    To avoid a misconfiguration, ensure that you complete the following steps EXACTLY in the sequence provided. Deviating from this order can lead to authentication errors or service disruption.
    To ensure a standardized login experience and avoid proprietary push notifications, configure Microsoft Entra ID to use Open Authentication (OATH) Time-based One-Time Password (TOTP). This allows users to authenticate using any standard authenticator application. You must have Global Administrator or Privileged Role Administrator permissions in the Entra admin center. The Combined Security Information Registration experience must be enabled for the tenant. Ensure that Third-party software OATH tokens are enabled under Protect & secureAuthentication methods Policies in the Entra portal.
    1. Prepare the User Account.
      1. Sign in to the Microsoft Entra admin center.
      2. Navigate to Entra IDUsersAll users and select the target user.
      3. Select Authentication methods from the left-side navigation.
      4. If existing methods (such as Microsoft Authenticator Push) are present and you wish to force a reset, delete the existing methods.
    2. Initiate MFA Registration.
      1. Open a private browser session and sign in to the Microsoft 365 Admin Center.
      2. In the Let's keep your account secure page, click Next.
    3. Configure the Authenticator App. On the Install Microsoft Authenticator page, where the system defaults to the Microsoft Authenticator notification, select Setup a different authentication app.
    4. In the Setup your account in app page, click Next.
    5. Extract the Secret Key.
      1. On the Scan the QR code page, select the Can't scan QR code? link.
      2. Record the Account name and the Secret key.
      3. Store the secret key in a secure location, such as a password manager, for later onboarding or recovery.
      4. Click Next.
    6. Verify the Token.
      1. Enter the secret key into your preferred OATH-compliant application (e.g., Google Authenticator, Authy, or a hardware token).
      2. Click Next in the Microsoft portal.
      3. Enter the 6-digit code generated by your app to verify the sync.
      4. Click Next and then Done to complete the setup.
    7. Register Microsoft Authenticator: Microsoft requires you to add the Microsoft Authenticator as a mandatory authentication method, even if OATH TOTP is currently your default. If you do not register the Microsoft Authenticator app, you will receive three consecutive login reminders. After the third notification, Microsoft enforces a lockout until the app is successfully configured. So, ensure that you add Microsoft Authenticator as a mandatory authentication method. Perform the following steps to add Microsoft Authenticator as a mandatory authentication method:
      Prerequisites
      • Ensure you have the Microsoft Authenticator app installed on your mobile device.
      • Log in to the Admin Portal. If the setup screen does not appear automatically, proceed to the steps below.
      Steps to Add Microsoft Authenticator
      1. Navigate to Security Info: Select your profile icon in the top-right corner and click View Account. You are redirected to the mysignins.microsoft.com/security-info page or navigate to the Security Info page from the left navigation section.
      2. Access Sign-in Methods: In the left navigation pane, select Security Info.
      3. Add a New Method: Click + Add sign-in method. From the drop-down menu, select Microsoft Authenticator app and click Add.
      4. Initialize App Setup: When the Start by getting the app screen appears, click Next. On the Set up your account in app screen, click Next again to reveal the QR code.
      5. Scan the QR Code: Open the Microsoft Authenticator app on your mobile device. Add a new account and scan the QR code displayed on your computer screen. Once scanned, click Next.
      6. Verify the Connection: The portal displays a two-digit number. Enter this number into the prompt on your mobile device to complete the test notification.
      7. Finalize Registration: Once the Notification approved message appears, click Next, then click Done.
      8. Verification: Confirm that Microsoft Authenticator now appears in your list of registered Sign-in methods.
    8. Confirm the Default Sign-in Method.
      1. Return to the Microsoft Entra admin centerUsersAuthentication methods.
      2. Verify that Software OATH token is now listed.
      3. Select Add authentication method or Change default manual method (if available) to ensure Third-party software OATH token is the primary requirement.
    To access your M365 Copilot instance, SaaS Agent Security requires the following Azure information, which you will specify during the onboarding process.
    ItemDescription
    Azure EmailAn Azure email address refers to an email address used with Azure Communication Services (ACS), a cloud service that allows applications to send and receive emails
    Azure PasswordAn Azure password is a credential for a user to access resources within an Azure environment, managed by Azure Active Directory (now Microsoft Entra ID)
    Azure 2FA SecretAn Azure TOTP secret is a shared secret key that is used to generate Time-based One-Time Passwords (TOTP) for multi-factor authentication (MFA). This key, often a Base32-encoded string, is generated by Azure and shared between the Azure service and the user's authenticator app (like Microsoft Authenticator). Both the service and the app use this secret, along with the current time, to independently and securely generate the same six-digit code that changes every 30 seconds.
    1. To start onboarding M365 Copilot to SaaS Agent Security, log in to Strata Cloud Manager.
    2. Select AI SecuritySaaS AgentsAgent Platform OnboardingOnboard Agent PlatformM365 Copilot.
    3. Ensure you have completed all the three steps mentioned in the following onboarding wizard and then Get Started.
    4. On the Authorization Method Selection page, the CREDENTIALS method is selected by default. Click Next.
      The CREDENTIALS method uses data extraction to fetch the agent activity details from your SaaS application tenant.
    5. Click Azure to select the SSO provider.
    6. Enter the following information in the SSO Provider details page and Complete:
      • Email address
      • Password
      • Azure 2FA secret (if you did not set up a 2FA secret in your Azure account, enter any random text to complete the step).
    7. Specify a custom name for your M365 Copilot instance if needed and click Done.
      SaaS Agent Security establishes the connection and validates the credentials and permissions. After the validation is successful, you will see the following confirmation message.
    8. SaaS Agent Security immediately begins to scan your onboarded agentic platform after a successful validation.
      The amount of time SaaS Agent Security takes to scan varies based on the amount of data it is required to scan. At a minimum, it takes at least one hour to scan and display data in the SaaS Agent Security dashboard.

    © 2026 Palo Alto Networks, Inc. All rights reserved.