Enable SaaS API Data Loss Protection for Microsoft 365 Tenants

Table of Contents


  • Chrome or Firefox (recommended) with pop-up blockers and ad blockers disabled (only for the duration of authorization)
  • The user performing the installation must use a service account with a Microsoft 365 Global Admin and active license
  • SharePoint Online and OneDrive must be enabled
  • Audit log must be enabled for Microsoft 365. For more information, refer to Microsoft technical documentation and search for Turn auditing on or off.
  • The following IP addresses must be allowed if there are Firewall rules that prevent third-party applications:
  • Users must have the following API permissions for Microsoft:
API/ Permissions NameTypeDescriptionAdmin Consent Required
Microsoft Graph
Directory.AccessAsUser.AllDelegatedAccess directory as the signed-in userYes
Directory.Read.AllApplicationRead directory dataYes
Files.Read.AllDelegatedRead all files that user can accessNo
Files.Read.AllApplicationRead files in all site collectionsYes
Sites.Read.AllDelegatedRead items in all site collectionsNo
User.ReadDelegatedSign in and read user profileNo
User.Read.AllApplicationRead all users' full profilesYes
Microsoft 365 Management APIs
ActivityFeed.ReadApplicationRead activity data for the OrganizationYes
Site.FullControl.AllApplicationFull control of all site collectionsYes
User.Read.AllApplicationRead user profilesYes

Authorize a Tenant

  1. Navigate to Admin > Authentication.
  2. Under Platforms, click Microsoft 365.
  1. Click Authorize New Tenant in the DLP subsection to add a Microsoft 365 tenant to your Secure Access environment.
  2. In the Microsoft 365 Authorization dialog, check the checkboxes to verify you meet the prerequisites, then click Next.
  1. Provide a name for your tenant, then click Next.
  1. Click Next to be redirected to the Microsoft 365 login page.
  2. Log in to Microsoft 365 with admin credentials to grant access.

You are redirected to Secure Access and a message appears showing the integration was successful.

  1. Click Done to complete.

Revoke Authorization

  1. Under Action, click Revoke. You can revoke any authorized tenant.
  1. Confirm to proceed. The selected account is not authorized.

Enable SaaS API Data Loss Protection for Webex Teams Tenants < Enable SaaS API Data Loss Protection for Microsoft 365 Tenants > Enable SaaS API Data Loss Protection for Dropbox Tenants