Configuring Microsoft 365 as a Provider

Integrating SailPoint Identity Risk with Microsoft 365 (previously Office 365) provides:

  • Access logs, such as which resource was accessed
  • Access outcomes, such as whether the access was allowed or denied, and for what reason

Detailed user and target information such as name, email address, additional user role data and target names requires the Microsoft Entra ID provider configuration. Configuring both an Entra ID and Microsoft 365 provider delivers the most comprehensive view of users, targets and their activity across Microsoft 365, and other applications/resources provisioned through Entra ID.

Prerequisites

To get started, you will need the following:

Microsoft 365:

  • A user able to create app registrations and grant tenant-wide admin consent to application permissions (a Global Administrator can do both).
  • A Microsoft Entra ID P1 or Microsoft Entra ID P2 license.
  • The Tenant ID for your organization.
  • An App Registration Client ID and Client Secret.
  • The API application permissions listed under Application Permissions, with admin consent granted.

The Microsoft 365 provider configuration requires a minimum of one application registration, and optionally supports a second application registration to distribute load for enhanced scale and greater protection against API rate-limiting.

Note

Provider configuration with two application registrations is recommended for environments with greater than 5,000 users.

Create a New Microsoft 365 Provider in Identity Risk

  1. In Identity Risk select Settings, and select Providers.
  2. Select Microsoft 365.
  3. Enter a unique name for your provider.

    Create Microsoft 365 provider

  4. Leave the Configure Providers page open, you will return here to complete the configuration.

  5. In the Microsoft Azure Portal, open Microsoft Entra ID and select Overview.
  6. Verify the active license displays Microsoft Entra ID P1 or Microsoft Entra ID P2. For more information and feature comparison of Entra ID licensing tiers, see Feature comparison based on licenses.
  7. Locate the Tenant ID, copy the value.
  8. In Identity Risk, paste the Tenant ID value into Microsoft 365 Tenant ID field.
  9. In the Microsoft Azure Portal select Applications > App registrations.
  10. Select New registration.
  11. In Register an application, enter a name for your new registration.
  12. Under Supported account types, select Accounts in this organization directory only.
  13. Select Register.
  14. In the registered application, locate the Application (client) ID, copy the value.
  15. In Identity Risk, paste the Application (client) ID value into Microsoft 365 Client ID field.
  16. In the Microsoft Azure Portal select Certificates & secrets.
  17. In Client secrets, select + New client secret.
  18. In Add a client secret, enter a description and an expiration time, and select Add.
  19. In the Client secrets list, copy the Value of the secret you just added. The value is displayed only immediately after creation; once you leave the page it cannot be retrieved, and you must create a new secret.
  20. In Identity Risk, paste the Value into the Microsoft 365 Client Secret field.

    Note

    To add an additional application registration, refer to Additional App Registration Configuration

  21. In Identity Risk, on the Providers > Microsoft 365 page, select a Microsoft 365 cloud instance. In addition to the global cloud, Microsoft also offers national cloud instances to meet the needs of national government entities. National clouds use different sign-in and API endpoints, so the provider must be configured with the instance your tenant actually belongs to.

    Select the appropriate cloud instance for your environment.

  22. To enable access to Microsoft 365 Management API and Microsoft Graph, apply API permissions. Refer to Application Permissions.

  23. In Identity Risk, select Create. The Microsoft 365 provider is created and you are directed to a success screen, after which you may return to Providers to view the status of your newly created provider.

    When the provider is successfully created, data is ingested, processed and correlated within Identity Risk. Data can then be viewed and explored through the Identity Map and Insights.

Application Permissions

To enable access to Microsoft 365 Management API and Microsoft Graph, apply the following API permissions to your application registration.

  API                          Application permissions
  Office 365 Management APIs   ActivityFeed.Read
                               ActivityFeed.Read.Dlp
  Microsoft Graph              Application.Read.All
                               User.Read.All

Note

Application permissions are the same for one and two application registrations.

To apply the permissions:

  1. In the Microsoft Azure Portal, in the app registration select API permissions.
  2. Select + Add a permission.
  3. In Request API permissions, select Office 365 Management APIs.
  4. In Office 365 Management APIs, select Application permissions.
  5. Search for each of the required permissions and select Add permissions.

    • ActivityFeed.Read
    • ActivityFeed.Read.Dlp
  6. In Request API permissions, select Microsoft Graph.

  7. In Microsoft Graph, select Application permissions.
  8. Search for each of the required permissions and select Add permissions.

    • Application.Read.All
    • User.Read.All
  9. Verify that all required permissions have been added.

  10. Select Grant admin consent for [your organization] to grant admin consent to the permissions configured for the application.

    Note

    Only administrators can perform this step.

  11. Select Yes. Once consent is granted, the Status column for each permission shows Granted for your organization.

  12. In Identity Risk, complete the creation of the provider.
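The portal shows consent as granted, but the practitioner's check is whether the registration actually receives those permissions on a token. The script below is an added example, not SailPoint's or Microsoft's code: it performs the client credentials grant for each of the two APIs the provider uses, decodes the resulting token's `roles` claim (present only when admin consent was granted) and reports any required permission that is missing. The global endpoints are Microsoft's standard ones; the `usgov` entry is assumed from Microsoft's published GCC High endpoints and should be verified for your tenant. `make_unsigned_token` is a constructed fixture so the claim check can be exercised offline; all other names are this example's own.

```python
"""Preflight check for the app registration behind an Identity Risk
Microsoft 365 provider (added example).

For each API the provider uses, obtain an app-only token with the client
credentials grant, decode the token's `roles` claim and compare it with
the application permissions the provider requires. A role missing from
the token means the permission was not added to the registration or admin
consent was not granted; Identity Risk would fail against that API.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Authority and resource hosts per cloud instance. "global" is Microsoft's
# standard set; "usgov" is assumed from the published GCC High endpoints
# and should be checked against your tenant before use.
CLOUDS = {
    "global": {
        "authority": "https://login.microsoftonline.com",
        "graph": "https://graph.microsoft.com",
        "o365mgmt": "https://manage.office.com",
    },
    "usgov": {
        "authority": "https://login.microsoftonline.us",
        "graph": "https://graph.microsoft.us",
        "o365mgmt": "https://manage.office365.us",
    },
}

# Application permissions the provider needs, keyed by the API that issues them.
REQUIRED_ROLES = {
    "o365mgmt": {"ActivityFeed.Read", "ActivityFeed.Read.Dlp"},
    "graph": {"Application.Read.All", "User.Read.All"},
}


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a JWT without checking its signature.

    The token was just issued to us over TLS by the authority, so only its
    contents matter here; never reuse this for tokens received from others.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(token: str, resource: str) -> set:
    """Required application permissions absent from the token's roles claim."""
    granted = set(decode_jwt_claims(token).get("roles", []))  # claim is absent without consent
    return REQUIRED_ROLES[resource] - granted


def request_token(cloud: str, tenant_id: str, client_id: str,
                  client_secret: str, resource: str) -> str:
    """Client credentials grant at the v2.0 endpoint, scoped to one resource."""
    hosts = CLOUDS[cloud]
    url = f"{hosts['authority']}/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{hosts[resource]}/.default",  # every consented app permission for the resource
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


def check_registration(cloud: str, tenant_id: str, client_id: str,
                       client_secret: str) -> dict:
    """Map each API to the set of required roles its token does not carry."""
    return {
        res: missing_roles(request_token(cloud, tenant_id, client_id, client_secret, res), res)
        for res in REQUIRED_ROLES
    }


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT so the claim check can run offline.

    Only for exercising the decoding logic; Microsoft never issues alg=none
    tokens and no API accepts one.
    """
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # usage: preflight.py <global|usgov> <tenant_id> <client_id> <client_secret>
    cloud, tenant, cid, secret = sys.argv[1:5]
    for res, lacking in check_registration(cloud, tenant, cid, secret).items():
        print(f"{res}: {'OK' if not lacking else 'missing ' + ', '.join(sorted(lacking))}")
```

Two tokens are needed because application permissions are granted per resource: the `.default` scope for `manage.office.com` yields the ActivityFeed roles and the one for Graph yields the directory roles. Running this with the second (MetaData) registration's credentials checks it the same way, since both registrations need the same permissions.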

Additional App Registration Configuration

To configure the Microsoft 365 provider with an additional app registration:

  1. In the Microsoft Azure Portal, select Applications > App registrations.
  2. Select New registration.
  3. In Register an application, enter a name for your new registration.
  4. Under Supported account types, select Accounts in this organization directory only.
  5. Select Register.
  6. In the registered application, locate the Application (client) ID, copy the value.
  7. In Identity Risk, paste the Application (client) ID value into Microsoft 365 Client ID for MetaData (Optional) field.
  8. In the Microsoft Azure Portal select Certificates & secrets.
  9. In Client secrets, select + New client secret.
  10. In Add a client secret, enter a description and an expiration time, and select Add.
  11. In the Client secrets list, copy the Value of the secret you just added. The value is displayed only immediately after creation.
  12. In Identity Risk, paste the Value into the Microsoft 365 Client Secret for MetaData field.

    Additional App Registration Provider Configuration

  13. In Identity Risk, on the Providers > Microsoft 365 page, select a Microsoft 365 cloud instance. In addition to the global cloud, Microsoft also offers national cloud instances to meet the needs of national government entities. Both app registrations must belong to the same tenant, so the same cloud instance applies to both.

    Select the appropriate cloud instance for your environment.

  14. To enable access to Microsoft 365 Management API and Microsoft Graph, apply API permissions. Refer to Application Permissions.

  15. Select Create. The Microsoft 365 provider is created and you are directed to a success screen, after which you may return to Providers to view the status of your newly created provider.

    When the provider is successfully created, data is ingested, processed and correlated within Identity Risk. Data can then be viewed and explored through the Identity Map and Insights.

Editing Providers

Provider configuration can be edited to update the client secret when it is due to expire. Track client secret expiration and rotate the secret before the expiration date to avoid provider failure. Create the replacement secret in the app registration first, update the provider with the new value, and only then delete the old secret, so ingestion is not interrupted.

To edit a provider configuration:

  1. In Identity Risk, select Settings, and select Providers.
  2. Select Microsoft 365.
  3. In Enabled Integrations, select Show Details next to Microsoft 365.
  4. Select Edit to enter configuration for the provider.

    Modify Office 365 Provider

  5. Update the Microsoft 365 Client Secret.

  6. If you have configured an additional app registration, update the Microsoft 365 Client Secret for MetaData.
  7. Select Save. The Microsoft 365 provider will establish connection using the updated client secret and continue to process data.
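Tracking expiry by hand across two registrations is where rotations get missed. The script below is an added example, not part of the SailPoint or Microsoft documentation: it reads an application's `passwordCredentials` from Microsoft Graph (metadata only; secret values are never returned after creation) and lists the secrets that expire within a chosen window, soonest first, so the provider can be edited before the old secret stops working. Run it with an admin identity holding Application.Read.All rather than with the provider's own registration. `SAMPLE_CREDENTIALS` is constructed data in the shape Graph returns, with made-up key IDs; the function names are this example's own.

```python
"""List client secrets on an app registration that are about to expire,
so the Identity Risk provider can be updated in time (added example).

Graph returns only metadata for password credentials (keyId, displayName,
endDateTime); the secret value itself is never retrievable. Application
objects are addressed by object id, not by the client (application) id.
"""
import json
import urllib.request
from datetime import datetime, timezone


def parse_graph_time(value: str) -> datetime:
    """Parse Graph's ISO 8601 timestamps, which end in Z and may carry up to
    seven fractional-second digits (datetime.fromisoformat accepts at most six)."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def expiring_credentials(credentials: list, now_iso: str, within_days: int = 30) -> list:
    """Credentials expiring within the window (or already expired), soonest first.

    `credentials` is the passwordCredentials array of a Graph application
    object; `now_iso` is the current time in the same timestamp format.
    A negative daysLeft means the secret has already expired.
    """
    now = parse_graph_time(now_iso)
    due = []
    for cred in credentials:
        days_left = (parse_graph_time(cred["endDateTime"]) - now).days
        if days_left <= within_days:
            due.append({"keyId": cred["keyId"],
                        "displayName": cred.get("displayName"),
                        "daysLeft": days_left})
    return sorted(due, key=lambda c: c["daysLeft"])


def fetch_password_credentials(graph_host: str, access_token: str, app_object_id: str) -> list:
    """GET /v1.0/applications/{object id}?$select=passwordCredentials."""
    url = f"{graph_host}/v1.0/applications/{app_object_id}?$select=passwordCredentials"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["passwordCredentials"]


# Constructed sample in the shape Graph returns; the key IDs are made up.
SAMPLE_CREDENTIALS = [
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "identity-risk-2023",
     "endDateTime": "2024-06-10T00:00:00.1234567Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "identity-risk-2024",
     "endDateTime": "2025-05-01T00:00:00Z"},
    {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "expired-2022",
     "endDateTime": "2022-12-31T23:59:59Z"},
]


if __name__ == "__main__":
    # Against a live tenant, replace SAMPLE_CREDENTIALS with
    # fetch_password_credentials("https://graph.microsoft.com", token, object_id).
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for cred in expiring_credentials(SAMPLE_CREDENTIALS, now, within_days=30):
        state = "EXPIRED" if cred["daysLeft"] < 0 else f"{cred['daysLeft']} days left"
        print(f"{cred['keyId']} {cred['displayName']}: {state}")
```

Expired secrets that are still attached to the registration are worth removing during the same rotation; they cannot be used for sign-in, but leaving them makes it harder to tell which key ID the provider is currently using.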

Deleting Providers

To remove a Microsoft 365 provider from Identity Risk:

  1. In the Microsoft Azure Portal, delete the client secret associated with the app registration. Once the client secret has been revoked in Entra ID, Identity Risk can no longer authenticate with it. If the registration (and any additional MetaData registration) serves no other purpose, delete the app registration itself so the consented application permissions are removed as well.
  2. In Identity Risk, select Settings > Providers.
  3. In Enabled Integrations, select Show Details next to Microsoft 365.
  4. Select Delete.
  5. Select Yes to confirm. The provider is deleted.

    Note

    Ingested historical data is still available. No new data is ingested.