How to add a Microsoft 365 tenant

Integrate Microsoft 365 with Safetica to synchronize your Entra ID and start protecting your data in the cloud. Learn why adding your M365 tenant is beneficial, how to do it, and what permissions need to be granted to Safetica.


Introduction: Why to add your Microsoft 365 tenant

By adding your Microsoft 365 tenant to Safetica, you will:

  • Connect to your company's cloud environment.
  • Synchronize your Entra ID and its:
    • users (accounts)
    • security groups
    • MIP labels
  • Extend the scope of DLP protection from devices to the cloud.
  • Get access to Exchange and Outlook protection, so that you can audit and actively protect emails sent by your Microsoft 365 users.
  • Get access to SharePoint protection, so that you can audit and protect files in SharePoint, OneDrive for business, and Teams (ability to control file sharing via policies).

❗If you have the Safetica Essentials license, only your Entra ID structure (users and security groups) will be synchronized. To enable all the other features (audit and protection in the cloud), you must purchase the Safetica Pro license.


How to add your Microsoft 365 tenant

  1. In Safetica console, go to Cloud services and click the Add M365 tenant tile.

  2. User scope: Choose whether to synchronize all your M365 users or a specific subset, such as a particular organizational unit. If you select Specific users, users outside the defined subset are ignored and not synchronized. Learn how to specify this selection in this article.

❗The selected subset cannot be changed once it is configured. To change it, you must remove the tenant and add it again. During the process, you will be able to select a new subset of users.

  3. Access permissions: Authenticate via a Microsoft account with the Global Admin role. You don't need to specify which Microsoft 365 tenant you want to add; Safetica determines that from the account you use for authentication.

You will be asked to grant the following permissions to Safetica:

  • User.Read.All (Read all users' full profiles) - to download the user list from Entra ID and show the user name in each record in Safetica console.
  • ActivityFeed.Read (Read activity data for your organization) - to download records originating in Microsoft OneDrive and SharePoint.
  • Files.ReadWrite.All - to download files that are shared for DLP evaluation and to cancel sharing operations that violate configured policies.
  • Group.Read.All - to assign cloud users to teams based on their group assignments in Entra ID.
  • InformationProtectionPolicy.Read.All - to automatically create data classification entries based on your MIP labels.

❗Manage access permissions

If you cannot or do not want to grant all of these access permissions to Safetica, you can customize them. This is useful, for example, for customers who only have Entra ID but not Microsoft 365.

  • Check the Manage access permissions manually (not recommended) checkbox and then click Continue with authentication.
  • Download and run this configuration script in PowerShell.
    ❗To run the script correctly, you need to have Azure CLI installed.
  • In the script, choose the permission set you want to grant:
    • To only synchronize users, security groups, and MIP labels, press E.
    • To enable permissions for Microsoft Exchange protection, press M.
    • To enable permissions for Microsoft SharePoint protection, press S.

Please note that this option requires increased maintenance on the customer side.
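Whichever route you take, it is worth confirming afterwards which application permissions the Safetica enterprise application actually holds in your tenant, so that a manually maintained set does not silently drift from what the article lists. The script below is an added example, not Safetica's configuration script and not part of the original article. It assumes Azure CLI is installed and signed in (`az login`) with an account allowed to read service principals, and that the enterprise application appears under the display name held in `$SpDisplayName` (a placeholder; adjust it to your tenant). It reads the app role assignments through Microsoft Graph, resolves each role id to its permission name, and compares the result with the five permissions the article names.

```powershell
# Added example (not Safetica's configuration script): audit the application permissions
# granted to the Safetica enterprise application and compare them with the documented set.
# Assumes: Azure CLI installed, `az login` done with an account that can read service
# principals (e.g. Global Reader), and the display name below matches your tenant.

# Assumption: the enterprise application shows up under this display name (placeholder).
$SpDisplayName = "Safetica"

# Permission names the article says Safetica asks for. ActivityFeed.Read belongs to the
# Office 365 Management APIs resource; the others belong to Microsoft Graph.
$Expected = @(
    "User.Read.All",
    "ActivityFeed.Read",
    "Files.ReadWrite.All",
    "Group.Read.All",
    "InformationProtectionPolicy.Read.All"
)

# Locate the service principal created in your tenant when consent was granted.
$sp = az ad sp list --display-name $SpDisplayName --query "[0]" -o json | ConvertFrom-Json
if (-not $sp) { throw "No service principal with display name '$SpDisplayName' found." }

# Admin-consented application permissions are stored as appRoleAssignments on the principal.
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.id)/appRoleAssignments"
$assignments = (az rest --method GET --url $uri -o json | ConvertFrom-Json).value

# Each assignment carries only an appRoleId; the permission name comes from the appRoles
# list of the resource service principal it points at. Cache lookups per resource.
$roleCache = @{}
$granted = foreach ($a in $assignments) {
    if (-not $roleCache.ContainsKey($a.resourceId)) {
        $resUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($a.resourceId)?`$select=displayName,appRoles"
        $roleCache[$a.resourceId] = az rest --method GET --url $resUri -o json | ConvertFrom-Json
    }
    $res  = $roleCache[$a.resourceId]
    $role = $res.appRoles | Where-Object { $_.id -eq $a.appRoleId }
    [pscustomobject]@{
        Resource   = $res.displayName
        Permission = if ($role) { $role.value } else { "<unknown role id: $($a.appRoleId)>" }
    }
}

# Show what is actually granted, then report drift in both directions.
$granted | Sort-Object Resource, Permission | Format-Table -AutoSize

$missing = $Expected | Where-Object { $_ -notin $granted.Permission }
$extra   = $granted.Permission | Where-Object { $_ -notin $Expected }

if ($missing) { Write-Warning "Not granted (the matching feature will not work): $($missing -join ', ')" }
if ($extra)   { Write-Warning "Granted beyond the documented set (review these): $($extra -join ', ')" }
if (-not $missing -and -not $extra) { Write-Host "Granted application permissions match the documented set." }
```

If you granted only the Entra ID subset (the E option), the "not granted" warning for the Exchange and SharePoint permissions is the expected outcome; the "beyond the documented set" warning is the one to investigate, since it means the principal holds rights this article does not account for.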

  4. Added M365 tenant: The last step is informative. At this point, you have only added your Microsoft 365 tenant to Safetica and synchronized its users, security groups, and MIP labels. No protection features were activated.

  5. After the tenant is added, you can click its tile to see its details.

More about synchronized users, security groups, and MIP labels

✍️After your Microsoft 365 tenant is added, the syncing of users takes about 5-10 minutes.

Synchronized users and security groups will be visible under the Cloud protection team in the user tree and in the Users section. They are synced every 4 minutes. To learn more about synchronized users and teams, click here.

Synchronized MIP labels can be found in the Data classification section. They are detected as 3rd party classifications, and you can recognize them by their MIP prefix. MIP labels are synchronized every day (labels that are not active in the tenant are synced into Safetica console as disabled). You can edit them as needed, and they are kept in the list of data classifications even if they are deleted in the tenant.

Read next

Introducing Safetica Cloud Protection

How to synchronize a subset of Microsoft 365 users

Activating and deactivating Microsoft Outlook protection

Activating and deactivating Microsoft Exchange protection

Activating and deactivating Microsoft SharePoint protection