Enable SaaS API Data Loss Protection for Microsoft 365 Tenants
Table of Contents
Prerequisites
- Chrome or Firefox (recommended) with pop-up blockers and ad blockers disabled (only for the duration of authorization)
- The user performing the installation must use a service account with a Microsoft 365 Global Admin and active license
- SharePoint Online and OneDrive must be enabled
- Audit log must be enabled for Microsoft 365. For more information, refer to Microsoft technical documentation and search for Turn auditing on or off.
- The following IP addresses must be allowed if there are Firewall rules that prevent third-party applications:
146.112.161.0/24
146.112.163.0/24
146.112.165.0/24
146.112.167.0/24 - Users must have the following API permissions for Microsoft:
API/ Permissions Name | Type | Description | Admin Consent Required |
---|---|---|---|
Microsoft Graph | |||
| Delegated | Access directory as the signed-in user | Yes |
| Application | Read directory data | Yes |
| Delegated | Read all files that user can access | No |
| Application | Read files in all site collections | Yes |
| Delegated | Read items in all site collections | No |
| Delegated | Sign in and read user profile | No |
| Application | Read all users' full profiles | Yes |
Microsoft 365 Management APIs | |||
| Application | Read activity data for the Organization | Yes |
SharePoint | |||
| Application | Full control of all site collections | Yes |
| Application | Read user profiles | Yes |
Authorize a Tenant
- Navigate to Admin > Authentication.
- Under Platforms, click Microsoft 365.
![auth-micro-new-tenant.jpg 1700](https://files.readme.io/4722a70-Authorize_a_tenant.png)
- Click Authorize New Tenant in the DLP subsection to add a Microsoft 365 tenant to your Umbrella environment.
- In the Microsoft 365 Authorization dialog, check the checkboxes to verify you meet the prerequisites, then click Next.
![auth-m365-sa-prereq.jpg 1338](https://files.readme.io/1576fa0-auth-m365-sa-prereq.jpg)
- Provide a name for your tenant, then click Next.
![auth-micro-tenant-name.jpg 1414](https://files.readme.io/f2c86eb-auth-micro-tenant-name.jpg)
- Click Next to be redirected to the Microsoft 365 login page.
![auth-micro-dlp-integration.jpg 1746](https://files.readme.io/fe07412-auth-micro-dlp-integration.jpg)
- Log in to Microsoft 365 with admin credentials to grant access.
![auth-0365-sign-in.jpg 562](https://files.readme.io/20453d3-auth-0365-sign-in.jpg)
You are redirected to the Umbrella Dashboard and a message appears showing the integration was successful.
- Click Done to complete.
Revoke Authorization
- Under Action, click Revoke. You can revoke any authorised tenant.
![auth-micro-dlp-revoke.jpg 1728](https://files.readme.io/8f9bab4-DLP_authorized_tenant.png)
- Confirm to proceed. The selected account will no longer be authorized.
![auth-micro-dlp-revoke-confirm.jpg 1324](https://files.readme.io/f9a844c-Revoke_Microsoft_365_Tenant.png)
Enable SaaS API Data Loss Protection for Webex Teams Tenants < Enable SaaS API Data Loss Protection for Microsoft 365 Tenants > Enable SaaS API Data Loss Protection for Dropbox Tenants
Updated 6 months ago