Explanation of Office 365 Securlet permission requirements
search cancel

Explanation of Office 365 Securlet permission requirements

book

Article ID: 243948

calendar_today

Updated On:

Products

CASB Security Advanced CASB Security Premium CASB Security Standard CASB Securlet SAAS

Issue/Introduction

This KB will help you understand why CloudSOC requires Global Administrator (GA) permissions to activate the Office 365 Securlet and what transpires during the activation process as it relates to the permissions that are assigned to the CloudSOC app by Microsoft.

Environment

CloudSOC

Office 365 Securlet

Microsoft 365 Subscription

Cause

You are deploying the Office 365 Securlet in CloudSOC and have concerns about providing Global Administrator permissions to activate the Securlet.

Resolution

During the Office 365 Securlet activation, the CloudSOC System Administrator leverages a Global Administrator account in Microsoft 365 to assign the appropriate app-based permissions that CloudSOC will use for interaction with Microsoft’s APIs.

Note: The authentication token generated during activation does not retain all of the GA permissions, just the necessary administrative permissions required by CloudSOC during the Office 365 activation.

Note: The Global Administrator permissions are only required during the activation process. The GA user account can be disabled after the activation is completed due to the integration using app-based permissions.

 

Additional Information

Microsoft 365 includes many features and apps in its service that require different administrative permissions for CloudSOC to manage them. Here are two additional Microsoft links with helpful information on how the app registration process works with Microsoft:

  • https://docs.microsoft.com/en-us/azure/active-directory/develop/consent-framework
  • https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent