Explanation of Office 365 Securlet permission requirements

Article ID: 243948
Products

  • CASB Security Advanced
  • CASB Security Premium
  • CASB Security Standard
  • CASB Securlet SAAS

Issue/Introduction

This KB will help you understand why CloudSOC requires Global Administrator (GA) permissions to activate the Office 365 Securlet and what transpires during the activation process as it relates to the permissions that are assigned to the CloudSOC app by Microsoft.

Environment

CloudSOC

Office 365 Securlet

Microsoft 365 Subscription

Cause

You are deploying the Office 365 Securlet in CloudSOC and have concerns about providing Global Administrator permissions to activate the Securlet.

Resolution

During the Office 365 Securlet activation, the CloudSOC System Administrator uses a Global Administrator account in Microsoft 365 to assign the app-based permissions that CloudSOC will use to interact with Microsoft's APIs.

A Service Account (not tied to a physical user) is recommended for both the Global Admin and the CloudSOC SysAdmin, because the rights are derived from that user during activation. If the user is deleted or disabled, the rights or token are disabled as well, which would cause an outage.

Note: The authentication token generated during activation does not retain all of the GA permissions, just the necessary administrative permissions required by CloudSOC during the Office 365 activation.

Note: The Global Administrator permissions are only required during the activation process. The GA user account can be disabled after the activation is completed, because the integration uses app-based permissions.
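To confirm after activation that the CloudSOC enterprise application holds only the app-based permissions granted through consent, the following added example (not part of this KB or of CloudSOC) lists the permissions actually assigned to the application's service principal in the tenant. It assumes the Microsoft.Graph PowerShell module and an account with the Application.Read.All scope; the display name 'CloudSOC' is a placeholder for whatever name the app appears under in Enterprise applications.

```powershell
# Added example: audit the permissions held by a consented enterprise app.
# 'CloudSOC' is a placeholder display name; adjust to match your tenant.
$AppDisplayName = 'CloudSOC'

Connect-MgGraph -Scopes 'Application.Read.All'

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' was found in this tenant." }

# Application (app-only) permissions: these are what the app's token carries after activation.
# Each assignment references a role on a resource API (e.g. Microsoft Graph), so resolve the
# AppRoleId to its readable value via the resource's own service principal.
$resourceCache = @{}
$appPermissions = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        $assignment = $_
        if (-not $resourceCache.ContainsKey($assignment.ResourceId)) {
            $resourceCache[$assignment.ResourceId] =
                Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        }
        $role = $resourceCache[$assignment.ResourceId].AppRoles |
            Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{
            Type       = 'Application'
            Resource   = $assignment.ResourceDisplayName
            Permission = $role.Value
        }
    }

# Delegated permissions (used only when acting on behalf of a signed-in user).
# ConsentType 'AllPrincipals' indicates tenant-wide admin consent, which is the
# grant a Global Administrator performs during activation.
$delegatedGrants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    ForEach-Object {
        [pscustomobject]@{
            Type        = 'Delegated'
            ConsentType = $_.ConsentType
            Scopes      = $_.Scope.Trim()
        }
    }

$appPermissions | Format-Table -AutoSize
$delegatedGrants | Format-Table -AutoSize
```

Run it once after activation and again after the GA account has been disabled; the listed grants should be unchanged, since they belong to the service principal rather than to the administrator who consented.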


Additional Information

Microsoft 365 includes many features and apps in its service that require different administrative permissions for CloudSOC to manage them. Here are two additional Microsoft links with helpful information on how the app registration process works with Microsoft:

  • https://docs.microsoft.com/en-us/azure/active-directory/develop/consent-framework
  • https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent