>
    Strata Copilot
    Onboard a Microsoft SharePoint App to SSPM
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Onboard SaaS Apps Supported by SSPM
    4. Onboard a Microsoft SharePoint App to SSPM
    Download PDF
    SaaS Security

    Onboard a Microsoft SharePoint App to SSPM

    Table of Contents

    Onboard a Microsoft SharePoint App to SSPM

    Connect a Microsoft SharePoint instance to SSPM to detect posture risks.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Security Posture Management license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    To detect posture risks in your Microsoft SharePoint instance, SSPM connects to the instance by using information that you provide. Once SSPM connects, it scans the Microsoft SharePoint instance for misconfigured settings and will continue to run scans at regular intervals.
    Previously, you could onboard Microsoft SharePoint by supplying account credentials to SSPM. This enabled SSPM to access the account directly or through the Okta or Microsoft Azure identity providers. Once connected, SSPM would use data extraction techniques to scan your Microsoft SharePoint instance. In August 2025, we discontinued this earlier connector in favor of a new connector that accesses a Microsoft API to complete scans.
    This new connector, which uses OAuth 2.0 authorization to connect to your Microsoft SharePoint instance, has several advantages over the discontinued connector, such as the following advantages:
    • Because the connector uses OAuth 2.0, SSPM is able to request only the API scopes that it needs to complete its scans.
    • The new connector supports third-party plugin scans.
    • The new connector leverages the deep integration between Microsoft SharePoint and Microsoft OneDrive to scan both of these product instances. A separate connector for Microsoft OneDrive that used data extraction for scans was also discontinued in August 2025. You now onboard Microsoft OneDrive by using the new Microsoft SharePoint connector.
    If you already connected SSPM to your Microsoft SharePoint instance using the earlier connector, your established connection will continue to work. Similarly, if you already connected SSPM to your Microsoft OneDrive instance, that established connection will continue to work. However, if there is any change to the configuration information that you provided to SSPM (such as an updated login password), you will need to onboard the Microsoft SharePoint instance again by using the new connector described below. Note that there is no longer a separate connector for Microsoft OneDrive.

    Onboard a Microsoft SharePoint App Using OAuth 2.0

    Connect a Microsoft SharePoint instance to SSPM to detect posture risks.
    For SSPM to detect posture risks in your Microsoft SharePoint instance, you onboard your Microsoft SharePoint instance to SSPM. Through the onboarding process, SSPM connects to a Microsoft API to run configuration scans for misconfigured settings and scans for third-party plugins.
    Microsoft SharePoint and Microsoft OneDrive share the same core technology within the Microsoft 365 ecosystem. Because of this deep integration, onboarding Microsoft SharePoint effectively also onboards Microsoft OneDrive. SSPM scans both Microsoft SharePoint and Microsoft OneDrive.
    To onboard your Microsoft SharePoint instance, you complete the following actions:
    1. Identify the account for granting SSPM access.
      During the onboarding process, SSPM redirects you to log in to Microsoft SharePoint. After you log in, Microsoft SharePoint will prompt you to grant SSPM the access it needs.
      Required Permissions: The account that you use to connect SSPM to your Microsoft SharePoint instance must be assigned to the Global Administrator role.
      SSPM will use this account to establish a connection to your Microsoft SharePoint instance. After SSPM establishes the connection, it will perform an initial scan of your Microsoft SharePoint instance, and will then run scans at regular intervals. The account that you use to establish the initial connection with SSPM must remain available. For this reason, we recommend that you use a dedicated service account to grant SSPM access. If you delete the service account, or change the account's password, the scans will fail and you will need to onboard.
      When you onboard Microsoft SharePoint, the onboarding screen lists the API scopes that SSPM requires for each type of scan that it can run. Navigate to the onboarding screen (as described below) for Microsoft SharePoint and verify that the account you're using has the necessary permissions. After establishing a connection, SSPM will notify you if it's unable to run certain scans because the account did not have the permission to grant access to certain scopes.
    2. Log out of all Microsoft SharePoint accounts.
      Logging out of all Microsoft SharePoint accounts helps ensure that you log in under the correct account during the onboarding process. Some browsers can automatically log you in by using saved credentials. To ensure that the browser does not automatically log you in to the wrong account, you can turn off any automatic log-in option or clear your saved credentials.
      Alternatively, you can prevent the browser from using saved credentials by opening SSPM in an incognito window.
    3. Connect SSPM to your Microsoft SharePoint instance.
      In SSPM, complete the following steps to enable SSPM to connect to your Microsoft SharePoint instance.
      1. Log in to Strata Cloud Manager.
      2. Select ConfigurationSaaS SecurityPosture SecurityApplicationsAdd Application and click the Microsoft SharePoint tile.
      3. On the Posture Security tab, Add New instance.
      4. Select the option for OAuth 2.0.
      5. Examine the required scope permissions and Proceed to Credentials.
        SSPM redirects you to the Microsoft login page.
      6. Log in to your Microsoft SharePoint account.
        Microsoft SharePoint displays a consent form that details the access permissions that SSPM requires.
      7. Review the consent form and allow access.

    © 2026 Palo Alto Networks, Inc. All rights reserved.