Microsoft 365 Onboarding Guide
This guide provides the steps you need to follow in order to onboard Microsoft 365 accounts onto the Posture Management service.
This article will guide you through the following steps:
- Create and configure a Microsoft App Registration for Posture Management
- Assign read-only permissions to the new App Registration for Posture Management
- Add the Microsoft 365 application to the Posture Management service
1. Log in to the Azure Portal.
2. Search for App Registrations and open the panel.
3. Click New Registration.
4. In the Name field, enter something to identify the new application, such as "Posture Management".
5. In the Supported account types section, select Accounts in this organizational directory only (Single tenant).
6. Click Register.
7. From the new app Overview page, make a note of the Application (client) ID and Directory (tenant) ID. These are required in the last step.
8. From the left navigation menu, select Certificates & Secrets.
9. Click New Client Secret.
10. Enter a name for the secret and select the expiry time to suit your company policy.
11. Click Add.
12. Copy the Value of the new secret from the table and keep it safe. Once you leave this section, the secret will not be visible again. You will need the secret in the last step.
13. Click API Permissions on the left.
14. Remove the default User.Read permission, then click Add a permission, then Microsoft Graph, then Application Permissions. Add the following permissions one by one in the selector:
    - Application.Read.All
    - AuditLog.Read.All
    - Policy.Read.All
    - Reports.Read.All
    - RoleManagement.Read.All
    - User.Read.All
    - UserAuthenticationMethod.Read.All
    - Directory.Read.All
    - Group.Read.All
    - SecurityEvents.Read.All
    - SharePointTenantSettings.Read.All
15. Click Add Permissions.
16. To allow the use of PowerShell snippets to perform checks, click Add a Permission, then click the APIs my organization uses tab and select the Office 365 Exchange Online option.
17. Next, click Application Permissions and then Add Permissions. Scroll down to the Exchange folder, expand it and make sure Exchange.ManageAsApp is checked.
18. Click Add Permissions.
19. Now click Grant admin consent for XXX Directory.
20. To activate checks using PowerShell (recommended), the Exchange Administrator role should be assigned to the Posture Management app created in Step 4. Open the Microsoft Entra roles and administrators section and enter Exchange Administrator in the Search field.
21. Click on Exchange Administrator to open the Exchange Administrator Assignments page.
22. Click the + Add Assignments button, search for the "Posture Management" app created in Step 4 in the Search field, select it and click Add.
23. Your new "Posture Management" app should appear in the Assignments list.
24. Now we can configure the Posture Management service with your new Microsoft 365 application. Log in to the USS Dashboard and navigate to Products -> Posture Management.
25. The Posture Management dashboard will open in a new tab. From the top ribbon, select Service Integration and then +.
26. Click Microsoft 365.
27. In the Tenant ID field, paste in the Directory ID from step 7. In the Client ID field, paste in the Application ID from step 7. In the Secret value field, paste in the value from step 12.
28. Click Add.
29. Click Scan Now to begin scanning the application immediately, or wait for it to automatically scan on a daily basis.
30. Once the first scan has finished, you will be able to view the results in the Charts and Activity report tabs.
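
After admin consent has been granted, it is worth confirming that the app holds exactly the Microsoft Graph permissions listed in the API Permissions steps above and nothing broader. The following is an added example, not part of the original guide or the Posture Management product: it assumes an app-only Microsoft Graph access token requested with the new client ID and secret, whose `roles` claim carries the granted application permissions. The function names and the sample token are constructed for illustration.

```python
import base64
import json

# Microsoft Graph application permissions listed in the onboarding steps above.
EXPECTED_GRAPH_ROLES = frozenset({
    "Application.Read.All", "AuditLog.Read.All", "Policy.Read.All",
    "Reports.Read.All", "RoleManagement.Read.All", "User.Read.All",
    "UserAuthenticationMethod.Read.All", "Directory.Read.All",
    "Group.Read.All", "SecurityEvents.Read.All",
    "SharePointTenantSettings.Read.All",
})


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (audit use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_graph_roles(token: str) -> dict:
    """Compare the token's granted app roles with the expected read-only set."""
    granted = set(jwt_claims(token).get("roles", []))
    unexpected = granted - EXPECTED_GRAPH_ROLES
    return {
        "missing": sorted(EXPECTED_GRAPH_ROLES - granted),
        "unexpected": sorted(unexpected),
        # Heuristic: a name containing "Write", or lacking ".Read", is not read-only.
        "not_read_only": sorted(
            r for r in unexpected if "Write" in r or ".Read" not in r),
        "ok": granted == EXPECTED_GRAPH_ROLES,
    }


def constructed_token(roles: list) -> str:
    """Build an unsigned sample token (constructed test data, not a credential)."""
    def b64(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com", "roles": roles}
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


if __name__ == "__main__":
    # Constructed drift: one listed permission missing, one write permission added.
    drifted = sorted(EXPECTED_GRAPH_ROLES - {"Group.Read.All"}) + ["User.ReadWrite.All"]
    print(audit_graph_roles(constructed_token(drifted)))
```

Exchange.ManageAsApp belongs to the Office 365 Exchange Online API, so it does not appear in a Graph token's `roles` claim. That permission and the Exchange Administrator assignment are reviewed separately, in API Permissions and in Microsoft Entra roles and administrators.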