Safetica CASB - how to protect a subset of M365 users

With the release of Safetica 10.3.180, you can apply CASB protection of Microsoft 365 data to only a subset of your tenant users.

📝 Note: Information in this article applies to Safetica ONE 10 or older.


For various reasons, protecting all your Microsoft tenant users and synchronizing them to the One console might not be desirable. For this scenario, we added an option to specify which M365 tenant users should be included and which must be filtered out.

Here's a list of steps summarizing the process:

  1. Define which users should be protected and identify what common characteristics these users share
  2. Prepare a Microsoft Graph query that will include only the desirable set of users
  3. Paste the query into Safetica Management Console

To write the query, you will need to be familiar with the Microsoft Graph API. You can test and validate that the query returns the intended results using Microsoft Graph Explorer.

Step 1. Open Microsoft Graph Explorer and log in with your global admin account. Use the endpoint Users > All users in the organization.

Depending on the attributes your user set shares, you will have to choose appropriate query parameters to narrow the selection to only those users you intend to cover by CASB.

⚠️ Caution: Queries with parameters "count=true" and "ConsistencyLevel=eventual" are currently not supported in the user filter.


Examples:

If you want to protect only users from a specific country, use the following query:

https://graph.microsoft.com/v1.0/users/?$filter=Country eq 'Czech Republic'

or

https://graph.microsoft.com/v1.0/users/?$filter=UsageLocation eq 'CZ'


If you want to protect only users who belong to a specific department (Finance), use the following query:

https://graph.microsoft.com/v1.0/users/?$filter=Department eq 'Finance'


You should validate the results of your query by trying it out in Microsoft Graph Explorer. There is no syntax validation in Safetica Management Console.

Once you have validated that there are no syntax errors in your query and that it returns the desired results, you can proceed to the following part.

⚠️ Caution: Do not paste the whole query into Safetica Management Console. You should only paste the part that follows "$filter=".

Example: from https://graph.microsoft.com/v1.0/users/?$filter=Country eq 'Czech Republic' paste only Country eq 'Czech Republic'
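A pre-flight check for the two cautions above, as an added example that is not part of Safetica or of the original article: it takes the URL you tested in Graph Explorer, rejects the unsupported count=true and ConsistencyLevel=eventual, and returns only the text to paste. The function name `safetica_user_filter` and the quote-balance check are assumptions of this example; the check is a basic sanity test, not full OData validation.

```python
from urllib.parse import urlsplit, parse_qs


def safetica_user_filter(url, headers=None):
    """Return the text to paste into the console's user-filter box.

    url     -- full request URL as tested in Microsoft Graph Explorer
    headers -- optional dict of request headers used in that test
    Raises ValueError when the query cannot be used as a user filter.
    (Hypothetical helper written for this example.)
    """
    parts = urlsplit(url.strip())
    if parts.hostname != "graph.microsoft.com" or parts.path.rstrip("/") != "/v1.0/users":
        raise ValueError("expected a https://graph.microsoft.com/v1.0/users query")

    # parse_qs percent-decodes, so a URL copied with %20 / %27 also works.
    raw = parse_qs(parts.query, keep_blank_values=True)
    params = {k.lower(): v[-1] for k, v in raw.items()}
    hdrs = {k.lower(): str(v) for k, v in (headers or {}).items()}

    # The article's caution: these two are not supported in the user filter.
    if params.get("$count", params.get("count", "")).lower() == "true":
        raise ValueError("count=true is not supported in the user filter")
    level = params.get("consistencylevel", hdrs.get("consistencylevel", ""))
    if level.lower() == "eventual":
        raise ValueError("ConsistencyLevel=eventual is not supported in the user filter")

    # Only the $filter value is returned; other options ($select, $top) are dropped.
    expr = params.get("$filter", "").strip()
    if not expr:
        raise ValueError("no $filter expression found")
    # OData escapes a quote inside a string literal by doubling it, so a
    # well-formed expression always has an even number of single quotes.
    if expr.count("'") % 2:
        raise ValueError("unbalanced single quote in filter expression")
    return expr


if __name__ == "__main__":
    # URLs taken from the examples in this article.
    for u in ("https://graph.microsoft.com/v1.0/users/?$filter=Country eq 'Czech Republic'",
              "https://graph.microsoft.com/v1.0/users/?$filter=Department eq 'Finance'"):
        print(safetica_user_filter(u))
```

Because the console does not validate syntax, a ValueError here is the point to stop and fix the query in Graph Explorer before saving it.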


Step 3. Once you have prepared the query, open Safetica Management Console and navigate to Maintenance > Integration settings > Office 365 integration.

Here, set the toggle Protect only part of your M365 tenant users to Yes and then paste the query parameters to the text box. Click Save.

After you save these changes, Safetica will synchronize and protect only those M365 users that meet the criteria of the filter query. You can validate the results in the user tree by inspecting the list of users in the Cloud users node. Users that do not meet the criteria should be excluded from this node and should be out of scope of the Safetica CASB protection.


How to change or deactivate the query

The filter query cannot be changed or deactivated after it is configured by the Global Admin. To change the group of users protected by Safetica CASB, you must disable the Office 365 integration and then enable it again. Use the Switch to new Office 365 integration toggle to do so.