Begin Scanning a Microsoft Exchange App
Use SaaS Security API to scan and identify incidents
found when scanning assets and email attachments in your MS Exchange
app.
To connect a Microsoft Exchange app to SaaS
Security API and begin scanning assets, you need to:
- Ensure that you have a Microsoft Exchange or Office 365 account with Global Admin role.
- Grant Exchange API access to SaaS Security API.
- Add the Exchange app to SaaS Security API.
As
of July 2020, the Exchange integration on SaaS Security API is now
updated to optimize the permissions required for cloud app features.
To revoke unnecessary permissions that you granted previously and
that SaaS Security API no longer needs, reauthenticate the
Exchange app.
For information on which automated remediation
capabilities SaaS Security API supports with Google Drive, refer
to Supported Content, Remediation and Monitoring.
Add Exchange App
In order for SaaS Security API to scan assets,
you must consent to the following permissions during the course
of adding the Exchange app:
API | Permission | Description |
|---|---|---|
Microsoft Graph API | Read all users' basic profiles | Retrieves basic user information such as
display name, email address, and userId to display user information
on People page. |
Read all users' full profiles | Allows SaaS Security API to make a user API
call. SaaS Security API uses this permission for both Graph API
and Outlook Legacy Rest API. Additionally, allows SaaS Security
API to retrieve detailed user information (For example, user principle
name (UPN), job title, office location, phone number, etc), but SaaS
Security API discards all this information with the exception of UPN,
which SaaS Security API needs to retrieve user mailbox settings. | |
Read all user mailbox settings | Retrieves each user's mailbox settings (For
example, retention policy settings, email forward settings, public
folder access settings, and delegate rules settings), and then determines
if there is any security risk in those settings. | |
Read mail in all mailboxes | Retrieves and scan the user's email. | |
Read all hidden memberships | Not currently used, but SaaS Security API
plans to use this permission to detect memberships of hidden groups. | |
Read all groups | Not currently used, but SaaS Security API
plans to use this permission to scan group properties and detect
the members in the group. | |
Read calendars in all mailboxes | Allows SaaS Security API to access attachments
in calendar events. | |
Use Exchange Web Services with full access
to all mailboxes | Retrieves each user's mailbox settings (For
example, inbox rules and eDiscovery search configuration), and then
determines if there is any security risk in those settings. SaaS Security
API plans to use this permission to determine if the user owns any
public folders. | |
Read directory data | Allows SaaS Security API to retrieve and
scan for a list of users and groups. SaaS Security API uses this
permission for both Azure AD Legacy API and Graph API. | |
Read activity data for your organization | Allows SaaS Security API to read and log
activity data to display activity data on Activities page. |
- (Recommended) Add your Exchange domain as an internal domain.
- Log in to Microsoft Exchange or Office 365 using an account with privileges that will enable communication between SaaS Security API and the Microsoft Exchange app.Before you can establish communication between SaaS Security API and the Exchange app, you must:
- Go to http://portal.microsoftonline.com and log out of Exchange or Office 365.
- Log in to Exchange or Office 365 using an account that has the Global Admin role prior to adding the Exchange app to SaaS Security API.
- Add the Exchange app.
- Log in to SaaS Security.
- Select .
- SelectMicrosoft Exchange.
- Enter the login credentials for the account with Global Admin role privileges on the Microsoft Online page to which SaaS Security API redirects you.
- Review andAcceptthe changes that SaaS Security API can perform on your assets in Exchange.SaaS Security API requires these permissions to scan your assets on Exchange app.
- Next Step: Proceed to Customize Exchange App.
Customize Exchange App
- (Optional) Give a descriptive name to this app instance.
- Select the Exchange n link on the Cloud Apps list.
- Enter a descriptiveNameto differentiate this instance of Exchange from other instances you are managing.
- ClickDoneto save your changes.
- Next Step: Proceed to Identify Risks.
Identify Risks
When you add a new cloud app and enable scanning,
SaaS Security API automatically scans the cloud app against the
default data patterns and displays the match occurrences. You can
take action now to improve your scan results and identify risks.
- Start scanning the new Exchange app for risks.All email attachments in Exchange are scanned based on defined policies. Email content is scanned based on defined policies only if the sender or receiver of the email is from an external domain. Scanning only starts on installation, and assets without risks are not stored.
- During the discovery phase, SaaS Security API scans files and matches them against enabled default policy rules.Verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, improve the results.
- (Optional) Modify match criteria for existing policy rules.
- (Optional) Add new policy rules.Consider the business use of your cloud app, then identify risks unique to your enterprise. As necessary, add new:
- (Optional) Configure or edit a data pattern.You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.
