When adding an M365 tenant to Safetica, you can synchronize either the whole tenant or a specific subset of users. To sync selected users, create a Microsoft Graph query specifying criteria such as country or department.
Introduction
✍️To synchronize users from your Entra ID, you must first add your Microsoft 365 tenant. Learn more about it here.
When adding a Microsoft 365 tenant to Safetica, you might not want to sync and protect all your tenant users. For this scenario, you can specify which M365 tenant users are synchronized and which are not.
To synchronize only a subset of M365 tenant users, follow these steps:
❗You can only specify the subset of tenant users while adding a new M365 tenant.
You can also learn how to synchronize a subset of users from an Entra ID security group.
1. Prepare a Microsoft Graph query
First, prepare a Microsoft Graph query that includes only the desired subset of users. Decide which users should be synchronized and identify the characteristics they share (e.g., country or department).
❗To be able to write the Microsoft Graph query, you must be familiar with the Microsoft Graph API.
To define the query:
1. Open Microsoft Graph Explorer and sign in with your global admin account.
2. Go to Users > All users in the organization.
3. Based on the shared attributes of your user subset, choose the appropriate query parameters to narrow the selection to users you want to synchronize.
Example: Query to synchronize only users that are part of a specific country:
https://graph.microsoft.com/v1.0/users/?$filter=Country eq 'Czech Republic'
or
https://graph.microsoft.com/v1.0/users/?$filter=UsageLocation eq 'CZ'
Example: Query to synchronize only users that belong to a specific department (e.g. Finance):
https://graph.microsoft.com/v1.0/users/?$filter=Department eq 'Finance'
4. Test and validate that your query returns the intended results in Microsoft Graph Explorer. There is no syntax validation in Safetica console.
2. Paste the query into Safetica console
Once you validate that there are no syntax errors in your query and that it returns the desired results, you can:
1. Open Safetica console.
2. Go to Cloud services and click the Add M365 tenant tile.
3. Choose the Specific users option.
4. Paste the part of your prepared query that follows $filter= into the text box.
Example: from https://graph.microsoft.com/v1.0/users/?$filter=Country eq 'Czech Republic', paste only Country eq 'Czech Republic'
5. Click Continue and finish adding your M365 tenant.
❗The query cannot be changed after configuration. To change the subset of users synchronized with Safetica, you must remove the tenant and add it again with a new query.
✍️Safetica will synchronize only those M365 tenant users who meet your query criteria. Users who do not meet the query criteria should be neither synchronized nor visible in Safetica console.
To learn more about users and groups synced from your Microsoft 365 tenant, click here.
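One way to script the check from step 1 and the extraction from step 2, as an added example that is not part of Safetica's documentation or tooling: it pulls the expression after $filter= out of a URL copied from Graph Explorer and lists every matching user across all result pages, so the match count can be compared with what you expect before the query is locked in. The GRAPH_TOKEN environment variable, the function names and the example.com accounts are assumptions made for this example.

```python
import json
import os
import urllib.request
from urllib.parse import parse_qs, quote, urlsplit

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

def extract_filter(query_url):
    """Return the decoded expression after $filter=, i.e. the text to paste."""
    values = parse_qs(urlsplit(query_url).query).get("$filter", [])
    if len(values) != 1 or not values[0].strip():
        raise ValueError("URL must contain exactly one non-empty $filter")
    expr = values[0].strip()
    if expr.count("'") % 2:  # OData escapes a quote as '', so the total stays even
        raise ValueError("unbalanced single quote in filter")
    return expr

def preview_url(expr):
    """Build a request for the same filter that returns only identifying fields."""
    return f"{GRAPH_USERS}?$filter={quote(expr, safe='')}&$select=id,userPrincipalName"

def matching_users(expr, fetch):
    """Collect every match, following @odata.nextLink past the first page."""
    url, upns = preview_url(expr), []
    while url:
        page = fetch(url)
        upns += [u["userPrincipalName"] for u in page.get("value", [])]
        url = page.get("@odata.nextLink")
    return upns

def graph_fetch(url):
    # Assumption: GRAPH_TOKEN holds a bearer token that is allowed to read users.
    headers = {"Authorization": "Bearer " + os.environ["GRAPH_TOKEN"]}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)

if __name__ == "__main__":
    expr = extract_filter("https://graph.microsoft.com/v1.0/users/?$filter=Department eq 'Finance'")
    print("Paste into Safetica console:", expr)
    if "GRAPH_TOKEN" in os.environ:
        users = matching_users(expr, graph_fetch)
    else:  # constructed two-page response so the script also runs offline
        fake = {preview_url(expr): {"value": [{"userPrincipalName": "a@example.com"}],
                                    "@odata.nextLink": "page-2"},
                "page-2": {"value": [{"userPrincipalName": "b@example.com"}]}}
        users = matching_users(expr, fake.__getitem__)
    print(len(users), "users match:", ", ".join(users))
```

Without GRAPH_TOKEN set, the script runs against the constructed two-page response only; with it set, the list reflects the live tenant.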
How to synchronize users from an Entra ID security group
Suitable for advanced use cases only: If you are unable to write a Microsoft Graph query based on existing Entra ID properties and the only way to distinguish the desired subset of users is by their membership in a security group, you may use the steps below as a workaround.
If you want to synchronize a subset of users from one of your Entra ID security groups:
- Download and run this configuration script in PowerShell.
- To run the script correctly, you must have Azure CLI and the ExchangeOnlineManagement PowerShell module installed.
- The script will set a custom attribute to the users from the given security group so that they can be synchronized when adding your tenant.
- Afterwards, paste the following query into Safetica console as mentioned above: onPremisesExtensionAttributes/extensionAttribute15 eq 'Safetica'
❗Limitation: If you add new users into the security group, they will not be synced to Safetica automatically. To see these newly added users in Safetica, you must run the configuration script again.