M365 Manual Onboarding of SharePoint, OneDrive, or Teams
Step 1. Configure Azure Access
Create a New app registration
- Go to portal.azure.com.
- Select App registrations.
- Select New registration.
- Enter the Name for the app, then select the second account type (Multitenant). Select Register.
- Copy and save the Application (client) ID and Directory (tenant) ID.
When you hover over these IDs, you will see an option to Copy to clipboard for each ID. These IDs will be used later so make sure you can find them.
Add a Client Secret
- On the same screen, select Add a certificate or secret.
- Under Client secrets, select New client secret.
- Enter a Description and select when the secret Expires from the dropdown options. Select Add.
- Copy the new client secret Value to your notepad to use later.
At this point, you should have saved details for the following entities (from the previous steps):
- Application (client) ID: this will be the value used for client_id.
- Secret Value: this will be the value used for client_secret.
- Directory (tenant) ID: this will be the value used for tenant_id.
These values will be used as input for creating the AWS secrets and the Azure secrets in the following sections.
Set API Permissions
- Select API permissions from the left menu.
- Select Add a permission.
- Select Microsoft Graph.
- Request API permissions:
  - Select Application permissions.
  - Start typing the permission name into the search box to pull up a list.
  - Once the permission group you want appears, select the arrow next to it to view its specific permissions.
- Select the checkbox(es) for the following permissions, based on which Microsoft application you are onboarding.
The details for each of these permissions are as follows:
Base Permissions:
- AuditLog.Read.All: permission to review the audit logs and check which users are dormant.
- Reports.Read.All: permission to get the total number of files across all sites and how many are active files.
- Group.Read.All: read group properties and memberships.
- GroupMember.Read.All: read membership and basic group properties for all groups.
- Application.ReadWrite.OwnedBy: detect secret expiration.
For OneDrive:
- Directory.Read.All: allows the app to read data in the organization’s directory, such as users, groups and apps.
For SharePoint:
- Sites.Read.All: allows the application to read documents and list items in all site collections on behalf of the signed-in user.
For Teams:
- Team.ReadBasic.All: get a list of all teams, without a signed-in user.
- TeamMember.Read.All: read the members of all teams, without a signed-in user.
- Channel.ReadBasic.All: read all channel names and channel descriptions, without a signed-in user.
- ChannelMember.Read.All: read the members of all channels, without a signed-in user.
- After selecting the checkbox for AuditLog.Read.All, enter the text for the next item in the search box to find the group it is in. You can select all the permissions listed above and then add them all at once.
- Once you have selected the permissions, select the Add permissions button.

- Select Grant admin consent for MSFT. Select Yes in the pop up box to confirm.
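Admin consent is what actually grants the application permissions above, and the way to confirm it took effect is to request a Graph access token with the saved credentials and inspect its roles claim. The following Python is an added example, not part of this documentation or of DSPM: it builds the client-credentials token request from tenant_id, client_id and client_secret, and reports which of the required permissions for the application being onboarded are missing from a token. The token used here is constructed locally (unsigned) so the check runs offline; the permission sets are the ones listed on this page.

```python
import base64
import json

# Application (role) permissions listed on this page: the base set plus
# the additions for OneDrive, SharePoint and Teams.
BASE_PERMISSIONS = {
    "AuditLog.Read.All", "Reports.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Application.ReadWrite.OwnedBy",
}
APP_PERMISSIONS = {
    "onedrive": {"Directory.Read.All"},
    "sharepoint": {"Sites.Read.All"},
    "teams": {"Team.ReadBasic.All", "TeamMember.Read.All",
              "Channel.ReadBasic.All", "ChannelMember.Read.All"},
}

def required_permissions(app):
    """Full set of application permissions the registration needs for app."""
    return BASE_PERMISSIONS | APP_PERMISSIONS[app.lower()]

def client_credentials_request(tenant_id, client_id, client_secret):
    """Token endpoint and form body for the client-credentials grant. The
    returned token's 'roles' claim lists the consented application permissions."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default"}
    return url, form

def jwt_claims(token):
    """Decode a JWT's payload segment; the signature is not checked here,
    which is fine for inspecting the claims of a token you just received."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_permissions(token, app):
    """Required permissions that admin consent has not granted yet."""
    granted = set(jwt_claims(token).get("roles", []))
    return sorted(required_permissions(app) - granted)

def make_sample_token(roles):
    """Constructed, unsigned token for the offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), ""])
```

Post the form returned by client_credentials_request to the URL it returns and pass the access_token from the response to missing_permissions; an empty list means consent covers everything the onboarding needs.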

Step 2. Sidecar Configuration
SharePoint, OneDrive and Teams can be onboarded to DSPM with either AWS or Azure as the sidecar. The steps specific to each cloud provider used as the sidecar are detailed below.
Prerequisites
- An AWS account or an Azure account can be used as the sidecar for scanning your data, keeping your data within your boundary.
- To use an AWS account as the sidecar account, it must be onboarded to DSPM first, with an Onboarding Version of 64 or later.
- To use an Azure account as the sidecar account, it must be onboarded to DSPM first with the configuration option “Use as SaaS Sidecar” checked, with an Onboarding Version of 17 or later.
AWS as Sidecar
Configure AWS Secrets Manager
The values copied in the Azure App registration section need to be added to AWS Secrets Manager, which DSPM then uses to connect to the Microsoft SharePoint / OneDrive / Teams application.
Add Azure App Credentials to AWS Secrets Manager
- Go to https://console.aws.amazon.com/secretsmanager.
- Choose Store a new secret.
- Select Other type of secret.
- Select Plaintext, then copy and paste the details below with your IDs and values from the previous step, in the following format:
{
  "client_id": "<copied Application (Client) ID>",
  "client_secret": "<copied Client Secret Value>",
  "tenant_id": "<copied Directory (Tenant) ID>"
}
- Add the Secret Name and a description. Then add the following as the Tag:
  Key: Name
  Value: Normalyze
- Select Next (twice) to continue and Store on the final screen to save your secret.
- Select the Secret name in the screen that appears and copy the Secret ARN shown.
Azure as Sidecar
The values generated in the Azure App Registration section are used as input to create the Secret under Azure Key Vault. DSPM uses this Key Vault to connect to the SharePoint, OneDrive or Teams application.
Configure Azure Key Vault Secret
Pre-requisites
- The Azure account being used as the sidecar must have the option “Use as Sidecar” selected. If this has not been enabled on an Azure account which is already onboarded to DSPM, follow the steps detailed for an account update, viz. Azure Onboarding Version Upgrade.
  Ensure that step 3 of that section is completed; it marks the Azure account as sidecar enabled.
- The Azure Key Vault must be created in the Resource Group created by DSPM during the onboarding of the Azure account.
  The resource group for the Azure account has the following format: normalyze-<Onboarding-id>-<Region>. The <Onboarding-id> for the account onboarded on DSPM can be found in the Account Details section, as shown in the screenshot below.
  Make note of the <Region> selected; it will need to be entered on the DSPM platform while onboarding the SharePoint / OneDrive / Teams application.
  Search for the Resource Group based on this format to identify the one to use.
- Prepare the Secret value by copying the details below, filled in with the values copied in the Azure App registration section, in the following format:
{
  "client_id": "<copied Application (Client) ID>",
  "client_secret": "<copied Client Secret Value>",
  "tenant_id": "<copied Directory (Tenant) ID>"
}
Add Azure App Credentials to Azure Key Vault Secret
- Log in to the Azure Portal for the subscription which is enabled for sidecar use.
- Search for Key Vault from the Azure search box and select “Key Vaults” from the result.
- Select Create New from the Key Vaults section.
- Search for the Resource Group pertaining to the Azure account’s onboarding id.
- Provide a Name for the Key Vault, set the Region to the required one and the Pricing Tier to Standard. Note the Region used in this step; it will be used later during the onboarding on the DSPM platform. Select Next after configuring the above details.
- Select Next on the Access Configuration section (no changes required in this section).
- In the Networking section select “Selected Networks”.
- Under “Virtual Networks”, open the “Add a Virtual Network” drop-down and select “Add existing virtual networks”.
- From the right hand panel (Virtual Networks), search for the term “normalyze-saas”.
- Select the VNET named “normalyze-saas-crawler-vnet” which is shown under the resource group “normalyze-<onboarding-id>-<region>” pertaining to the DSPM account for which the configuration is being done.
- Once the VNET from the previous step is selected, the Subnets drop-down will be populated; check “Select All” from the list.
- Do not select the option “Do not configure ‘Microsoft.KeyVault’ service endpoint(s) at this time”; select “Enable”.
- After selecting “Enable” the option will change to “Add”. Select the “Add” option.
- Scroll down to Exceptions and select (check) the “Allow trusted Microsoft services to bypass this firewall” option. Select Next.
- In this section adding a Tag is optional. Select Next.
- Review the configuration details and, once complete, select “Create”. Wait for the creation task to complete.
- Select the Key Vault created and, from the left-hand blade, select Settings - Networking.
- Under Firewall, select the + icon beside Add your Client IP Address.
- In the field under IP Address or CIDR, add the list of IPs / CIDRs that should be allowed to access the Key Vault in addition to the subnets added in the earlier steps.
- Select Apply to persist the changes.
- Select the Key Vault created and, from the left-hand blade, select “Access control (IAM)” and then the “Role assignments” tab.
- Click on the “+ Add” drop-down and select “Add role assignment”.
- Search for the “Key Vault Administrator” option and select it (it gets highlighted). Click on Next.
- Under Members, click on “Select members” (marked 1 in the screenshot) and add the requisite user (the same user who created the Key Vault) by selecting them (marked 2 and 3 in the screenshot) and clicking Select (marked 4 in the screenshot) at the bottom.
- Click on “Review + assign”. This assigns the selected user the “Key Vault Administrator” role.
- Select the Key Vault created in Step 9 and, from the left-hand blade, select “Secrets” and then select “Generate/Import”.
- Enter the details for the respective fields as follows:
  Name - Provide the name for the Secret as per the naming convention used for other entities.
  Secret Value - Input the value which was saved in step 3 under the pre-requisites section. Copy the entire value, including the braces, and input it in this field.
- Leave the rest of the values / options as default. Click on Create.
- Once the Secret is created successfully, select it and click on the value listed under the “Current Version” column.
- Copy the URL from the Secret Identifier column. This will be used as input for onboarding the SaaS from the DSPM application.
Step 3. Onboard SharePoint / OneDrive / Teams to DSPM
The steps listed here apply to each of Microsoft SharePoint, Microsoft OneDrive and Microsoft Teams.
- Go to the DSPM UI to onboard Microsoft SharePoint, OneDrive or Teams.
- Select “SharePoint”, “OneDrive” or “Teams” based on the application to be onboarded.
- Provide the following details for the SharePoint, OneDrive or Teams application:
  Account Nickname - Provide an identifiable name for this account. This will be the name displayed on the DSPM UI for the SharePoint account, OneDrive account or Teams account.
  Microsoft 365 Domain - Domain URL for the SharePoint, OneDrive or Teams account which will be used to connect from DSPM.
  Environment Type - Select the appropriate option from the drop-down.
  Description - Additional detail for the account.
- From the Use a Sidecar drop-down, select the provider which will be used as the sidecar, viz. AWS sidecar or Azure sidecar.
- Provide details for the respective sidecar provider:
  - If Azure Sidecar is the option selected, provide the details as follows:
    - Azure Account ID: from the drop-down, select the Azure account where the steps for the Azure sidecar are configured.
    - Region: select the same Region (Step 5 under the Azure sidecar section) where the Key Vault is created on the Azure subscription.
    - Key Vault Secret URL: paste the Secret URL copied in Step 19 under the Azure sidecar section.
  - If AWS Sidecar is the option selected, paste the Secret ARN copied in Step 3 under the AWS Secrets Manager section into the “Secret ARN” field. The Account ID and Region fields will be populated from the Secret ARN value entered.
- Click Next to finish Onboarding!
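Both sidecar paths store the same JSON document and hand DSPM a single reference to it: the Secrets Manager ARN (from which the form derives Account ID and Region) or the Key Vault Secret Identifier URL. The following Python is an added example, not part of this documentation or of DSPM: it checks a pasted secret document against the format shown in the AWS and Azure sections (GUID-shaped IDs, no leftover <placeholder> text, no extra keys) and parses both reference formats before they are entered in Step 3. The ARN layout and the public-Azure vault.azure.net suffix are assumptions of the example; the sample document and GUIDs are constructed.

```python
import json
import re
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
EXPECTED_KEYS = {"client_id", "client_secret", "tenant_id"}

# Constructed sample of the secret document (placeholder GUIDs, not real IDs).
SAMPLE_SECRET = json.dumps({
    "client_id": "11111111-2222-3333-4444-555555555555",
    "client_secret": "example-secret-value",
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
}, indent=2)

def secret_payload_problems(text):
    """Problems with a pasted secret document; an empty list means it is usable."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    for key in ("client_id", "tenant_id"):
        if not GUID_RE.match(str(doc.get(key, ""))):
            problems.append(f"{key} missing or not a GUID")
    secret = str(doc.get("client_secret", ""))
    if not secret or secret.startswith("<"):
        problems.append("client_secret missing or still a <placeholder>")
    for key in sorted(set(doc) - EXPECTED_KEYS):
        problems.append(f"unexpected key {key!r}")
    return problems

def parse_secret_arn(arn):
    """Region and Account ID as the DSPM form derives them. Assumed layout:
    arn:<partition>:secretsmanager:<region>:<account>:secret:<name>-<suffix>"""
    parts = arn.split(":", 6)
    if len(parts) != 7 or parts[0] != "arn" or parts[2] != "secretsmanager" or parts[5] != "secret":
        return None
    return {"region": parts[3], "account_id": parts[4], "name": parts[6].rsplit("-", 1)[0]}

def parse_key_vault_secret_url(url):
    """Vault, secret name and version from a Key Vault Secret Identifier,
    e.g. https://<vault>.vault.azure.net/secrets/<name>/<version> (public Azure)."""
    u = urlparse(url)
    segs = [s for s in u.path.split("/") if s]
    if u.scheme != "https" or not (u.hostname or "").endswith(".vault.azure.net"):
        return None
    if len(segs) not in (2, 3) or segs[0] != "secrets":
        return None
    return {"vault": u.hostname.split(".")[0], "name": segs[1],
            "version": segs[2] if len(segs) == 3 else None}
```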