How to Configure Microsoft 365 for Netskope Security Posture Management

Summary: Learn how to configure Netskope Security Posture management for Microsoft 365 by following these step-by-step instructions.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

Microsoft 365 is a dynamic environment and must be continuously monitored for misconfigurations and vulnerabilities. With Netskope, you can get a clear understanding of your software as a service (SaaS) security posture. Administrators can see how the environment is performing against standards and best practices like Center for Internet Security (CIS) benchmarks.

Affected Products:

  • Netskope
  • Microsoft 365

Affected Versions:

  • Netskope Release 86 and higher

Microsoft 365 is a cloud-based service that brings together best-in-class productivity apps from Office 365 with advanced device management, intelligent security, and innovative online services. If violations are found, items are identified as critical, high, medium, or low. With a simple way to monitor and report on the security of the Microsoft 365 environment, administrators can run a report for auditors. Administrators can then quickly remediate and address gaps that were found using recommended guidance.

An administrator may Configure a Microsoft 365 Instance for Security Posture or Configure Microsoft 365 Security Posture Policy. For more information, click the appropriate process.

These installation instructions describe how to integrate your Microsoft 365 account with Netskope. There are four processes that are involved:

  1. Configure SharePoint Tenant to Allow Custom App Authentication
  2. Grant Access to Microsoft 365 Account
  3. Add Azure AD Roles
  4. Add SharePoint Admin Permissions for the SharePoint Client-side Object Model (CSOM) API

For more information, click the appropriate process.

Note: Netskope requires a minimum set of Microsoft 365 licenses to scan through your Microsoft 365 environment. The following licenses are supported:
  • Microsoft 365 A3, A5
  • Microsoft 365 E3, E5
  • Microsoft 365 F1, F3

Netskope can support other Microsoft 365 licenses too if additional licenses are obtained for Microsoft Intune and Azure Active Directory Premium P1 edition.

Configure SharePoint Tenant to Allow Custom App Authentication

If you are setting up the Microsoft 365 instance for the first time on a new Microsoft 365 account, enabling custom app authentication for your SharePoint tenant may be required. Microsoft disables apps using an Azure Access Control (ACS) app-only access token by default.

Note: The following steps are performed on a Windows device.
  1. Install the latest version of PowerShell on a Windows computer.
Note: For how to get the latest version of PowerShell, reference Installing Powershell on Windows (https://docs.microsoft.com/powershell/scripting/install/installing-powershell-core-on-windows?view=powershell-7 This hyperlink is taking you to a website outside of Dell Technologies.).
  1. Right-click the Windows start button and then select Run.

Run

  1. In the Run UI, type powershell and then press CTRL+SHIFT+ENTER. This runs PowerShell as an administrator.

Running the command in the Run UI

  1. Type Install-Module -Name Microsoft.Online.Sharepoint.PowerShell and press Enter.

Installing module

  1. If you are warned about an untrusted repository ("You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?"), type Y and then press Enter to install the module. Otherwise, go to Step 6.

Untrusted repository warning

  1. Once PowerShell completes the package install, there is a blinking cursor line. Type $adminUPN=”[GLOBALADMINUPN]” and then press Enter.

Typing the admin UPN

Note:
  • [GLOBALADMINUPN] = the full UPN of the global administrator account
  • For example: admin@testdomain.onmicrosoft.com
  1. Type $orgName="[365DOMAINNAME]” and then press Enter.

Typing the org name

Note:
  • [365DOMAINNAME] = the name of your Microsoft 365 organization
  • For example: testdomain
  1. Type $userCredential=Get-Credential -UserName $adminUPN -Message "Type the password” and then press Enter.

Typing user credentials

  1. When prompted with the Windows PowerShell credential request dialog box, type the password for the global administrator account you entered in Step 6.

Typing the password

  1. Type Connect-SPOService -Url https://$orgName-admin.sharepoint.com and then press Enter.

Connecting SharePoint Online service

  1. You may be prompted to sign into your account. If prompted, provide your global administrator login information. If not, go to Step 12.

Microsoft sign in screen

  1. Once logged in, from the empty PowerShell command prompt, type Get-SPOTenant and then press Enter.

Typing Get SharePoint Online tenant

  1. Locate the DisableCustomAppAuthentication parameter. If it is set to True, go to Step 14. If it is set to False, go to Grant Access to the Microsoft 365 Account.

Locating the DisableCustomAppAuthentication parameter in PowerShell

Note: If you do not see the DisableCustomAppAuthentication parameter, Type Install-Module -Name Microsoft.Online.Sharepoint.PowerShell -Force command and then return to Step 2.
  1. Type Set-SPOTenant -DisableCustomAppAuthentication $false and then press Enter.

Typing Set SharePoint Online tenant

  1. Type Get-SPOTenant and then confirm DisableCustomAppAuthentication is now set to False.

Confirming the DisableCustomAppAuthentication parameter is false in PowerShell

Grant Access to Microsoft 365 Account

Caution: A Microsoft Secure Score must be generated to successfully grant access to the Microsoft 365 account. If you have newly set up your Microsoft 365 account, it can take 2 to 4 days to generate the Microsoft Secure Score report for your Microsoft 365 account. Netskope SSPM incorporates data from Microsoft Secure Score and requires the secure score report to be generated. If you do not see any data populated in the Netskope UI dashboard (API Data Protection > COMPLIANCE > Security Posture), wait until the Microsoft Secure Score report is generated. You can view the Microsoft Secure Score on your Azure portal under Azure AD Identity Secure Score.
  1. In a web browser, go to the Netskope web console:
    • United States Datacenter: https://[TENANT].goskope.com/
    • European Union Datacenter: https://[TENANT].eu.goskope.com/
    • Frankfurt Datacenter: https://[TENANT].de.goskope.com/
Note: [TENANT] = The tenant name in your environment
  1. Log in to the Netskope web console.

Netskope web console log in

  1. Click Settings.

Settings

  1. Click API-enabled Protection.

API-enabled Protection

  1. Click SaaS.

SaaS

  1. Click the Microsoft 365 icon.

Microsoft 365

  1. Click Setup Instance.

Setup Instance

  1. From the Setup Instance prompt:
    1. Populate the Instance Name.
    2. Select Security Posture for an Instance Type.
    3. Select a time interval for the policy to run.
    4. Click Save.

Setup Instance prompt

Note:
  • The Instance Name should be the fully qualified domain name (FQDN) of your Microsoft 365 account. For example, if you use https://domain.sharepoint.com to log in to Microsoft 365, then domain.sharepoint.com is the Instance Name.
  • To find the FQDN of your Microsoft 365 account, log in to your Microsoft 365 account. From there, click the launch icon, click the SharePoint app, and then copy the FQDN text. Remove the https://, the slash at the end of the FQDN path, and anything trailing after that slash.
  • If Security Posture is unavailable or disabled, contact Dell Support for assistance in enabling this feature. For more information, reference How to Get Support for Netskope.
  1. From the SaaS Microsoft 365 instance, click Grant Access for the newly created app instance.

Grant Access

  1. Log in with your global administrator username and password.
  2. Accept the permissions for Netskope Security Assessment.

Accept permissions

  1. Click Close.

Close

Note: The Microsoft 365 app instance now uses the new Graph APIs from Microsoft.
  1. Refresh your browser and confirm that there is a green check icon next to the instance name.

Green check icon

Add Azure AD Roles

Once you have granted access to the Microsoft 365 app, you should assign the Netskope application client ID to the Global Reader role.

  1. In a web browser, go to https://portal.azure.comThis hyperlink is taking you to a website outside of Dell Technologies..
  2. Log in as a global administrator.

Microsoft Azure Sign In

  1. From Manage Azure Active Directory, click View.

View Manage Azure Active Directory

  1. From the left navigation pane, click Roles and administrators.

Roles and administrators

  1. Search for the Global Reader role.

Search for Global Reader

  1. Click the Global Reader role.

Selecting the Global Reader role

  1. Click + Add assignments in the upper left.

Add assignments

  1. From the Add assignments panel on the right, search for Netskope application client ID 2038fb3d-092b-4c35-9ae6-3f10adb04a6a.

Searching for Netskope application client ID

  1. Select the Netskope Security Assessment app and then click Add.

Selecting Netskope Security Assessment

Add SharePoint Admin Permissions for the SharePoint Client-side Object Model (CSOM) API

  1. In a web browser, go to https://[TENANT]-admin.sharepoint.com/_layouts/15/appinv.aspx.
Note: [TENANT] = Your company’s SharePoint domain name
  1. Log in with your Global Administrator Account.
  2. In the App Id, populate 2038fb3d-092b-4c35-9ae6-3f10adb04a6a and then click Lookup.
Note: The title field is populated with Netskope Security Assessment automatically upon clicking Lookup with the App Id populated.

Lookup

  1. In the App Domain, populate netskope.com.

App Domain

  1. Under Permission Request XML, populate the following XML code:
<AppPermissionRequests
AllowAppOnlyPolicy="true"><AppPermissionRequest
Scope="http://sharepoint/content/tenant"
Right="FullControl" /></AppPermissionRequests>

Permission Request XML

  1. Click Create.

Create button

  1. Review the permissions and then click Trust It.

Reviewing permissions and clicking Trust It

Note: This creates the app permissions necessary for the Netskope Security Assessment app to access the SharePoint CSOM APIs.
  1. In a web browser, go to the Netskope web console:
    • United States Datacenter: https://[TENANT].goskope.com/
    • European Union Datacenter: https://[TENANT].eu.goskope.com/
    • Frankfurt Datacenter: https://[TENANT].de.goskope.com/
Note: [TENANT] = The tenant name in your environment
  1. Log in to the Netskope web console.

Netskope web console

  1. Click Policies.

Policies

  1. In Policies, click Security Posture.

Security Posture

Note: The Security Posture page displays a list of policies that are configured for the SaaS apps.

The fields are:

  • Policy Name: Name of the policy.
  • Instance: Name of the instance for which the policy is defined.
  • Profile: List of profiles associated with the policy.
  • Last Edit: Time stamp of the last edited policy.

You can edit, revert, disable, clone, and delete a policy. Click the More Options icon (...) to the right of the policy entry and select one of the following options:

  • Edit: On selecting this option, you can edit the policy.
  • Disable: On selecting this option, Netskope disables the policy and stops the scan for the policy.
  • Clone: On selecting the option, Netskope creates a duplicate copy of the policy.
  • Delete: On selecting this option, Netskope deletes the policy.

In the policies table, you can select multiple policies and perform the following tasks:

  • Disable: On selecting this option, Netskope disables the policy and stops the scan for the policy.
  • Revert: On selecting this option, Netskope reverts the policy to its last applied change.
  • Delete: On selecting this option, Netskope deletes the policy.

If you delete a policy, scanning stops at the next scan interval. The existing scan continues to run until it finishes.

  1. Click New Policy to create a Security Posture policy.

New Policy button
New Security Posture policy

  1. From the New Security Posture Policy page, click Instances and then select Microsoft 365.

Selecting an instance

Note: By default, Instance = All is selected. If you only want to create a policy for a particular Microsoft 365 instance in your environment, click in the Instance = All box and then click the checkbox on the specific instance you want to analyze.
  1. In Profile & Action, click Profile and then select a Profile assessment.

Selecting a profile

  1. Optionally, select a different Action.

Selecting a different action

Note: Clicking Show Rules displays which rules are applied to the selected profile.
  1. Populate a Policy Name.

Policy Name

Note: Policy name cannot contain the following characters: ' " ! @ # $ % ^ & * ( ) { } \ / ; ? = + . , : |
  1. Optionally, click +POLICY DESCRIPTION and then populate a policy description.

Policy Description

  1. Optionally, click +EMAIL NOTIFICATION to configure email notification alerts for the policy.

Email Notification

  1. By default, the Status is set to Disabled. Click the slider to set the policy to Enabled.

Enabling status

  1. Click Save in the upper right.

Save

  1. From the Security Posture page, click Apply Changes to begin enforcement of the newly created policy.

Apply Changes

  1. Populate a note about the changes being applied, and then click Apply.

Populating a note

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Netskope
Article Properties
Article Number: 000189369
Article Type: How To
Last Modified: 16 Feb 2024
Version:  6
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.