Enable SaaS API Data Loss Protection for Microsoft 365 Tenants

Prerequisites

Chrome or Firefox (recommended) with pop-up blockers and ad blockers disabled (only for the duration of authorization)
The user performing the installation must use a service account with a Microsoft 365 Global Admin and active license
SharePoint Online and OneDrive must be enabled
Audit log must be enabled for Microsoft 365. For more information, refer to Microsoft technical documentation and search for Turn auditing on or off.
The following IP addresses must be allowed if there are Firewall rules that prevent third-party applications:
146.112.161.0/24
146.112.163.0/24
146.112.165.0/24
146.112.167.0/24
Users must have the following API permissions for Microsoft:

API/ Permissions Name	Type	Description	Admin Consent Required
Microsoft Graph
Directory.AccessAsUser.All	Delegated	Access directory as the signed-in user	Yes
Directory.Read.All	Application	Read directory data	Yes
Files.Read.All	Delegated	Read all files that user can access	No
Files.Read.All	Application	Read files in all site collections	Yes
Sites.Read.All	Delegated	Read items in all site collections	No
User.Read	Delegated	Sign in and read user profile	No
User.Read.All	Application	Read all users' full profiles	Yes
Microsoft 365 Management APIs
AcitivityFeed.Read	Application	Read activity data for the Organization	Yes
SharePoint
Site.FullControl.All	Application	Full control of all site collections	Yes
User.Read.All	Application	Read user profiles	Yes

Click Authorize New Tenant in the DLP subsection to add a Microsoft 365 tenant to your Umbrella environment.
In the Microsoft 365 Authorization dialog, check the checkboxes to verify you meet the prerequisites, then click Next.