
Enable Cloud Malware Protection for Microsoft 365 Tenants

Umbrella supports Cloud Malware protection for both OneDrive and SharePoint sites within your Microsoft 365 deployment.

Note on running both MS365 and Cloud Malware: MS365 and Cloud Malware both protect users against malware. However, their functionalities are not redundant. MS365 might discover malware that Cloud Malware does not find. Cloud Malware also finds malware that MS365 overlooks. There is value to running MS365 and Cloud Malware simultaneously.


Prerequisites

  • Chrome or Firefox (recommended) with pop-up blockers and ad blockers disabled (only for the duration of authorization).
  • The user performing the installation must use a service account with the Microsoft 365 Global Admin role and an active license.
  • Audit logging must be enabled for Microsoft 365. For more information, refer to the Microsoft technical documentation and search for "Turn auditing on or off".
  • SharePoint Online and OneDrive must be enabled.
  • The following IP addresses must be allowed if there are Firewall rules that prevent third-party applications:
    146.112.161.0/24
    146.112.163.0/24
    146.112.165.0/24
    146.112.167.0/24
  • If you use Conditional Access Policy (CAP) to restrict access to your Microsoft 365 tenant, you must grant the above Umbrella IP addresses access in the CAP. You must also grant your current egress IP access in the CAP. These IP addresses are cached by Microsoft and used as part of the conditional access checks.
  • Users must have the following API permissions for Microsoft:

| API / Permission Name | Type | Description | Admin Consent Required |
|---|---|---|---|
| Microsoft Graph | | | |
| Directory.AccessAsUser.All | Delegated | Access directory as the signed-in user | Yes |
| Directory.Read.All | Application | Read directory data | Yes |
| Files.Read.All | Delegated | Read all files that user can access | No |
| Files.Read.All | Application | Read files in all site collections | Yes |
| Sites.Read.All | Delegated | Read items in all site collections | No |
| User.Read | Delegated | Sign in and read user profile | No |
| User.Read.All | Application | Read all users' full profiles | Yes |
| Microsoft 365 Management APIs | | | |
| ActivityFeed.Read | Application | Read activity data for the Organization | Yes |
| SharePoint | | | |
| Sites.FullControl.All | Application | Full control of all site collections | Yes |
| User.Read.All | Application | Read user profiles | Yes |
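
The following check is an added example, not part of the Umbrella documentation: it tests whether a firewall allowlist or Conditional Access trusted-location list fully covers the four Umbrella ranges listed above and also contains the admin's current egress IP. The rule list is assumed to be available as plain CIDR strings; the function names and sample rules are constructed for illustration.

```python
import ipaddress

# Umbrella Cloud Malware ranges, copied from the prerequisites above.
UMBRELLA_RANGES = [ipaddress.ip_network(c) for c in (
    "146.112.161.0/24", "146.112.163.0/24",
    "146.112.165.0/24", "146.112.167.0/24")]

# Constructed sample allowlist: split rules, a supernet, a too-narrow rule.
SAMPLE_RULES = [
    "146.112.161.0/25", "146.112.161.128/25",  # two halves of one /24
    "146.112.163.0/26",                        # covers only part of the /24
    "146.112.164.0/23",                        # supernet containing .165.0/24
    "203.0.113.0/24",                          # admin egress network (example)
]

def _ipv4_rules(allow_rules):
    """Parse CIDR strings, keeping IPv4 only (the Umbrella ranges are IPv4)."""
    nets = (ipaddress.ip_network(r, strict=False) for r in allow_rules)
    return [n for n in nets if n.version == 4]

def coverage(allow_rules):
    """Map each Umbrella range to 'full', 'partial' or 'missing'."""
    # Collapse first so adjacent rules (e.g. two /25s) count as one /24.
    allowed = list(ipaddress.collapse_addresses(_ipv4_rules(allow_rules)))
    report = {}
    for rng in UMBRELLA_RANGES:
        if any(rng.subnet_of(a) for a in allowed):
            report[str(rng)] = "full"
        elif any(a.overlaps(rng) for a in allowed):
            report[str(rng)] = "partial"
        else:
            report[str(rng)] = "missing"
    return report

def cap_gaps(allow_rules, egress_ip):
    """List what the rule set still lacks: Umbrella ranges that are not
    fully covered and, if absent, the admin's current egress IP."""
    gaps = [r for r, state in coverage(allow_rules).items() if state != "full"]
    ip = ipaddress.ip_address(egress_ip)
    if not any(ip in n for n in _ipv4_rules(allow_rules)):
        gaps.append(f"{ip}/32")
    return gaps

if __name__ == "__main__":
    for cidr, state in coverage(SAMPLE_RULES).items():
        print(f"{cidr:20} {state}")
    print("still needed:", cap_gaps(SAMPLE_RULES, "198.51.100.7"))
```

A "partial" result is the case to watch for: the rule set looks as if it mentions the Umbrella range, but requests from the uncovered addresses will still be blocked.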

Limitation

  • A tenant that fails to authenticate cannot be deleted.

Authorize a Tenant

  1. Navigate to Admin > Authentication.
  2. Under Platforms, click Microsoft 365.
  3. Click Authorize New Tenant in the Cloud Malware subsection to add a Microsoft 365 tenant to your Umbrella environment.
  4. In the Microsoft 365 Authorization dialog, check the checkboxes to verify you meet the prerequisites, then click Next.
  5. Provide a name for your tenant, then click Next.
  6. Select a Response Action for Umbrella to apply to Microsoft 365 files found with malware, then click Next.
     • Choose Monitor to cause Umbrella to log files detected with malware. You will be able to manually quarantine these files from the Cloud Malware report.
     • Choose Quarantine to:
       • Move the file into a folder named Cisco_Quarantine_Malware in the root path of the admin who authorized the tenant, remove all collaborators, and change the file owner to the Microsoft 365 admin.
       • Replace the file in its original location with a text file named filename.ppt_Cisco_Quarantined.txt, which tells the original file owner that the file was identified as malware and that they should contact their organization administrator for more information.
  7. Click Next to be redirected to the Microsoft 365 login page.
  8. Log in to Microsoft 365 with admin credentials to grant access.
     You are redirected to Umbrella and a message appears showing the integration was successful. It may take up to 24 hours for the integration to be confirmed and appear as Authorized.
  9. Click Done to complete.

Edit a Tenant

You can change the Response Action you have selected for a tenant.

  1. Navigate to Admin > Authentication.
  2. Under Platforms, click Microsoft 365.
  3. In the Cloud Malware section, under Action, click Edit. You can edit any tenant.
  4. Select a Response Action for Umbrella to apply to Microsoft 365 files found with malware, then click Next.
     • Choose Monitor to cause Umbrella to log files detected with malware. You will be able to manually quarantine these files from the Cloud Malware report.
     • Choose Quarantine to:
       • Move the file into a folder named Cisco_Quarantine_Malware in the root path of the admin who authorized the tenant, remove all collaborators, and change the file owner to the Microsoft 365 admin.
       • Replace the file in its original location with a text file named filename.ppt_Cisco_Quarantined.txt, which tells the original file owner that the file was identified as malware and that they should contact their organization administrator for more information.
  5. Click Next to complete.
  6. The new Response Action is displayed.

Revoke Authorization

  1. Under Action, click Revoke. You can revoke any authorized tenant.
  2. Confirm to proceed. The selected account will no longer be authorized.
