How to protect a subset of Microsoft 365 users

When adding an M365 tenant to Safetica, you can apply protection either to the whole tenant or to a specific subset of users. To protect selected users, create a Microsoft Graph query specifying criteria such as country or department.

Introduction

When adding a Microsoft 365 tenant to Safetica, protecting and syncing all your tenant users to Safetica console might not be desirable. For this scenario, we offer the option to specify which M365 tenant users to include in Safetica Cloud Protection and which to filter out.

You can only specify the subset of tenant users while adding a new M365 tenant.

To apply protection to a subset of M365 tenant users, follow these steps:

  1. Prepare a Microsoft Graph query
  2. Paste the query into Safetica console

 

1.  Prepare a Microsoft Graph query


First, prepare a Microsoft Graph query that includes only the desired subset of users. Decide which users should be protected and identify the characteristics they have in common (e.g., country or department).

To write the Microsoft Graph query, you must be familiar with the Microsoft Graph API.

To define the query:

1.  Open Microsoft Graph Explorer and sign in with your global admin account.
2.  Go to Users > All users in the organization.


3.  Based on the shared attributes of your user subset, choose the appropriate query parameters to narrow the selection to users you want to cover by Safetica Cloud Protection.

Example: Query to protect only users from a specific country:

https://graph.microsoft.com/v1.0/users/?$filter=Country eq 'Czech Republic'

or

https://graph.microsoft.com/v1.0/users/?$filter=UsageLocation eq 'CZ'

Example: Query to protect only users that belong to a specific department (e.g. Finance):

https://graph.microsoft.com/v1.0/users/?$filter=Department eq 'Finance'

Queries with parameters "count=true" and "ConsistencyLevel=eventual" are currently not supported in the user filter.

4.  Test and validate that your query returns the intended results in Microsoft Graph Explorer. There is no syntax validation in Safetica console.

 

2.  Paste the query into Safetica console

Once you validate that there are no syntax errors in your query and that it returns the desired results, you can:

1.  Open Safetica console.
2.  Go to Cloud services and click the Add M365 tenant tile.
3.  Choose the Specific users option.
4.  Paste the part of your prepared query that follows after $filter= into the text box.

Example: For the query https://graph.microsoft.com/v1.0/users/?$filter=Country eq 'Czech Republic', paste only Country eq 'Czech Republic'.

5.  Click Continue and finish adding your M365 tenant.

The query cannot be changed after configuration. To change the subset of users protected by Safetica Cloud Protection, you must remove the tenant and add it again with a new query.
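Because Safetica console does not validate syntax and the query cannot be changed afterwards, a pre-flight check on the URL copied from Graph Explorer helps avoid adding the tenant with a filter that leaves intended users unprotected. The following is an added example, not Safetica's own code: the function name filter_for_safetica is hypothetical, and rejecting ne / not / endsWith is an assumption based on Microsoft Graph requiring count=true and ConsistencyLevel=eventual for those operators.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Graph filter operators that only work as "advanced queries", i.e. together
# with count=true and ConsistencyLevel=eventual (assumption: therefore unusable here).
ADVANCED_OPS = re.compile(r"\b(ne|not|endswith)\b", re.IGNORECASE)


def filter_for_safetica(graph_url: str) -> str:
    """Return the text after $filter= from a Graph Explorer users query,
    or raise ValueError if the query cannot be used as a user filter."""
    parts = urlsplit(graph_url.strip())
    if parts.hostname != "graph.microsoft.com":
        raise ValueError("not a Microsoft Graph URL")
    # The page's examples all use the v1.0 users collection.
    if not re.fullmatch(r"/v1\.0/users/?", parts.path):
        raise ValueError("query must target /v1.0/users")

    # parse_qs URL-decodes values, so %20 and + become spaces.
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    if "$count" in params or "count" in params or "consistencylevel" in params:
        raise ValueError("count=true / ConsistencyLevel=eventual are not supported")
    filters = params.get("$filter", [])
    if len(filters) != 1 or not filters[0].strip():
        raise ValueError("exactly one non-empty $filter is required")
    expr = filters[0].strip()

    # Inspect quoting and operators outside string literals ('' escapes a quote).
    bare = re.sub(r"'(?:[^']|'')*'", "''", expr)
    if bare.count("'") % 2:
        raise ValueError("unbalanced quote in filter")
    if ADVANCED_OPS.search(bare):
        raise ValueError("filter needs an advanced query (ne / not / endsWith)")
    return expr


if __name__ == "__main__":
    # Constructed sample input taken from the examples on this page.
    url = "https://graph.microsoft.com/v1.0/users/?$filter=Country eq 'Czech Republic'"
    print(filter_for_safetica(url))
```

The check covers only the form of the query; which users it actually returns must still be confirmed in Microsoft Graph Explorer.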

Where to see users and groups from your Microsoft 365 tenant

  • Safetica will add and protect only those M365 tenant users that meet the criteria of your query. Syncing users takes about 5-10 minutes.
  • Selected users appear in the Users section and selected groups in the Users > Teams tab. In the user tree, you will see them under Cloud users.
  • Users who do not meet the query criteria should not be present there and should be excluded from the scope of Safetica Cloud Protection.
  • If a user is both in Active Directory and in Azure Active Directory (Entra ID) (i.e. they were already somewhere in the user tree), they will remain visible in both places, and the user names will be paired.