How to add a Microsoft 365 tenant

Integrate Microsoft 365 with Safetica to start protecting your data in the cloud. Learn how to select the users that will be protected, how to authenticate, and what permissions need to be granted to Safetica.

Introduction

Safetica Cloud Protection extends the scope of DLP protection from devices to the cloud. Before you can activate the protection for your Microsoft 365 emails and files, you must add your Microsoft 365 tenant.


Adding your Microsoft 365 tenant

  1. In the Safetica console, go to Cloud services and click the Add M365 tenant tile.

  2. Choose whether to protect all your M365 users or a specific subset, such as a particular organizational unit. If you select Specific users, users outside the defined subset will be ignored by Safetica Cloud Protection. Learn how to specify this selection in this article.

The selected subset cannot be changed once it is configured. To change it, you must remove the tenant and add it again. During the process, you will be able to select a new subset of users.

  3. In the next step, authenticate with a Microsoft account that has the Global Admin role. You don't need to specify which Microsoft tenant you want to protect; Safetica determines that from the account you use for authentication.

  4.  You will be asked to grant the following permissions to Safetica:

  • User.Read.All (Read all users' full profiles) - to download the user list from Azure Active Directory (Entra ID) and show the user name in each record in Safetica console.
  • ActivityFeed.Read (Read activity data for your organization) - to download records originating in Microsoft OneDrive and SharePoint.
  • Files.ReadWrite.All - to download files that are shared for DLP evaluation and to cancel sharing operations that violate configured policies.
  • Group.Read.All - to assign cloud users to teams based on their group assignments in Azure Active Directory (Entra ID).
  • InformationProtectionPolicy.Read.All - to automatically create data classification entries based on your MIP labels.

  5. The last step is informational. At this point, you have only added your Microsoft 365 tenant to Safetica; no protection features have been activated yet.
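After consent, it is worth confirming that what the tenant actually granted matches the five permissions listed in step 4. The following is an added example, not Safetica's code: it audits an exported grant listing offline. The field names `appRoleAssignments`, `appRoleId`, `resourceId`, `appRoles`, `oauth2PermissionGrants` and `scope` follow Microsoft Graph; the `resources` wrapper, all ids and the sample data are constructed assumptions.

```python
import json

# Permissions this article says Safetica requests in step 4.
DOCUMENTED = {
    "User.Read.All", "ActivityFeed.Read", "Files.ReadWrite.All",
    "Group.Read.All", "InformationProtectionPolicy.Read.All",
}

# Constructed sample: "resources" maps a resource id to that resource's appRoles.
SAMPLE = json.loads("""
{
  "resources": {
    "res-graph": {"appRoles": [
      {"id": "role-1", "value": "User.Read.All"},
      {"id": "role-3", "value": "Files.ReadWrite.All"},
      {"id": "role-4", "value": "Mail.ReadWrite"}]},
    "res-o365": {"appRoles": [{"id": "role-9", "value": "ActivityFeed.Read"}]}
  },
  "appRoleAssignments": [
    {"resourceId": "res-graph", "appRoleId": "role-1"},
    {"resourceId": "res-graph", "appRoleId": "role-3"},
    {"resourceId": "res-graph", "appRoleId": "role-4"},
    {"resourceId": "res-o365", "appRoleId": "role-9"}
  ],
  "oauth2PermissionGrants": [
    {"resourceId": "res-graph", "consentType": "AllPrincipals", "scope": "Group.Read.All"}
  ]
}
""")

def granted_permissions(dump):
    """Resolve app-role ids to names and merge them with delegated scopes."""
    names = set()
    for a in dump.get("appRoleAssignments", []):
        roles = dump["resources"].get(a["resourceId"], {}).get("appRoles", [])
        by_id = {r["id"]: r["value"] for r in roles}
        # Keep unresolved ids visible instead of silently dropping them.
        names.add(by_id.get(a["appRoleId"], "unresolved:" + a["appRoleId"]))
    for g in dump.get("oauth2PermissionGrants", []):
        names.update(g.get("scope", "").split())  # scope is space-separated
    return names

def audit(dump, documented=DOCUMENTED):
    """Diff granted permissions against the documented set."""
    granted = granted_permissions(dump)
    return {"unexpected": sorted(granted - documented),
            "missing": sorted(documented - granted),
            "write_capable": sorted(p for p in granted if "Write" in p)}
```

Any entry under `unexpected` is a grant this article does not account for and should be reviewed before protection is activated.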

Viewing users and groups from your Microsoft 365 tenant

  • After adding your Microsoft 365 tenant, the syncing of users takes about 5-10 minutes.
  • Tenant users appear in the Users section; tenant groups appear in the Users > Teams tab.
  • The tenant also becomes visible in the user tree. In the Cloud users team, you will find:
    • Users that we found in the tenant (tenant is named safeticademo in the picture below). All cloud users are listed here (even if they were listed somewhere else in the user tree), so you might see duplicates.
    • External users - anonymous and guest users that are not part of your Microsoft 365 tenant. When such users handle files in your tenant, their actions are recorded under these entities.

Teams imported from Azure Active Directory (Entra ID) are highlighted with a blue tree icon and cannot be edited in any way: they can't be removed, moved, or renamed, and you can't add or remove users or child teams.


Read next

Cloud services: How to activate and deactivate email protection in Microsoft 365

Cloud services: How to activate file protection in Microsoft 365

Cloud services: How to protect a subset of Microsoft 365 users