Enable Cloud Access Security Broker Protection for Microsoft 365 Tenants
Secure Access supports two Cloud Access Security Broker (CASB) features for Microsoft 365:
- Cloud Malware protection for OneDrive, SharePoint Online, and Outlook sites within your Microsoft 365 deployment.
Note on running both Microsoft 365 and Cloud Malware: Microsoft 365 and Cloud Malware both protect users against malware. However, their functionalities are not redundant. Microsoft 365 might discover malware that Cloud Malware does not find. Cloud Malware also finds malware that Microsoft 365 overlooks. There is value to running Microsoft 365 and Cloud Malware simultaneously.
- CASB detection of third-party cloud applications that have been granted OAuth-based permission to access a user's protected resources on Microsoft 365 Sharepoint Online and OneDrive. For more information, see Third-Party Apps Report.
You can enable CASB features for authorized tenants that use the following Microsoft 365 applications:
- Sharepoint Online
- OneDrive
- Outlook (Cloud Malware protection only, and only for the primary inbox. Outgoing mail is covered by Data Loss Prevention instead; see Enable SaaS API Data Loss Prevention for Microsoft 365 Tenants.)
Note: You cannot add an application to an existing tenant. If you have an existing Microsoft 365 tenant that uses one or two of these applications and you wish to add another application to that tenant, you must first revoke authorization for the existing tenant, then create a new tenant using all the desired applications.
Prerequisites
- Full Admin user role. For more information, see Manage Accounts.
- Chrome or Firefox (recommended) with pop-up blockers and ad blockers disabled (only for the duration of authorization)
- The user performing the installation must sign in with a service account that holds the Microsoft 365 Global Admin role and has an active license.
- The unified audit log must be enabled for Microsoft 365. For more information, refer to the Microsoft technical documentation and search for Turn auditing on or off.
- Sharepoint Online and OneDrive must be enabled for the organization.
- If firewall rules block third-party applications, the following Secure Access IP ranges must be allowed:
- 146.112.161.0/24
- 146.112.163.0/24
- 146.112.165.0/24
- 146.112.167.0/24
- During authorization, Secure Access requests the following API permissions from Microsoft. A Global Admin must grant the permissions marked as requiring admin consent:

| API / Permission name | Type | Description | Admin consent required |
|---|---|---|---|
| Microsoft Graph | | | |
| Directory.AccessAsUser.All | Delegated | Access directory as the signed-in user | Yes |
| Directory.Read.All | Application | Read directory data | Yes |
| Files.Read.All | Delegated | Read all files that the user can access | No |
| Files.Read.All | Application | Read files in all site collections | Yes |
| Sites.Read.All | Delegated | Read items in all site collections | No |
| User.Read | Delegated | Sign in and read user profile | No |
| User.Read.All | Application | Read all users' full profiles | Yes |
| Microsoft 365 Management APIs | | | |
| ActivityFeed.Read | Application | Read activity data for the organization | Yes |
| SharePoint | | | |
| Sites.FullControl.All | Application | Full control of all site collections | Yes |
| User.Read.All | Application | Read user profiles | Yes |
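The following PowerShell is an added example, not Cisco's code or part of the original page. It checks the Microsoft 365 side of the prerequisites above (unified audit log on, the service account holding Global Admin, a license assigned) before you start the authorization wizard. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the account running it can read directory role membership; the service account name is an assumption.

```powershell
# Added example (not Cisco's code): pre-flight checks for the prerequisites list above.
# ASSUMPTION: the service account that will authorize the tenant.
$serviceAccount = "casb-admin@contoso.com"

# 1. Unified audit log: the Microsoft 365 Management Activity API (ActivityFeed.Read)
#    only returns events when ingestion is enabled.
Connect-ExchangeOnline -ShowBanner:$false
if ((Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    "Unified audit log: enabled"
} else {
    Write-Warning "Unified audit log is OFF. Enable it with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

# 2. Global Admin role and an active license on the service account.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All" -NoWelcome
$user   = Get-MgUser -UserId $serviceAccount
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = if ($gaRole) { (Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id } else { @() }
$isGlobalAdmin = $gaMembers -contains $user.Id
"Global Admin: $isGlobalAdmin"
if (-not $isGlobalAdmin) {
    Write-Warning "$serviceAccount is not an active Global Administrator (a PIM-eligible assignment must be activated first)"
}

$licenses = Get-MgUserLicenseDetail -UserId $user.Id
if ($licenses) {
    "Licenses: $($licenses.SkuPartNumber -join ', ')"
} else {
    Write-Warning "$serviceAccount has no license assigned; the authorization sign-in will fail"
}

# 3. Reminder of the Secure Access ranges that must not be blocked by firewall rules.
$secureAccessRanges = '146.112.161.0/24','146.112.163.0/24','146.112.165.0/24','146.112.167.0/24'
"Confirm these ranges are allowed: $($secureAccessRanges -join ', ')"
```

Run it in the session you will use for the wizard; the audit-log check is the one most often missed, because Secure Access cannot see activity data until ingestion has been on long enough for events to appear.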
Limitations
- A tenant that fails to authenticate cannot be deleted.
- A Secure Access Cloud Malware attempt to quarantine a file fails if Microsoft 365 has locked that file. This can happen when Microsoft 365 Advanced Threat Protection (ATP) has already detected malware in the file; in that case the ATP lock takes precedence, and Secure Access cannot quarantine or otherwise remediate the file.
Authorize a Tenant
- Navigate to Admin > Authentication.
- Click to expand Microsoft 365 in the list of Platforms.
- Click Authorize New Tenant in the Cloud Access Security Broker subsection to add a Microsoft 365 tenant to your Secure Access environment.

- Check the boxes to confirm that you meet all three Authentication Requirements in the Microsoft 365 Authorization Prerequisites dialog, then click Next.

- Create a name for your tenant, then click Next.
- Select one or both Cloud Access Security Broker (CASB) features to authenticate: Cloud Malware and Third-Party Apps.

If you authorize the tenant for Cloud Malware protection, you must also select a Response Action for Secure Access to apply to Microsoft 365 files found to contain malware.
- Choose Monitor to have Secure Access only log files detected with malware. You can then quarantine these files manually from the Cloud Malware report.
- Choose Quarantine to:
- Move the file into a folder named Cisco_Quarantine_Malware in the root path of the admin who authorized the tenant, remove all collaborators, and change the file owner to that Microsoft 365 admin.
- Replace the file in its original location with a text file named after the original with the suffix _Cisco_Quarantined.txt (for example, filename.ppt_Cisco_Quarantined.txt), which tells the original file owner that the file was identified as malware and to contact their organization administrator for more information.
Note: Quarantine applies only to SharePoint and OneDrive files. Secure Access Cloud Malware monitors Outlook messages in the primary inbox but cannot quarantine them.
For more information on Cloud Malware monitoring and quarantine features, see Manage Cloud Malware Protection. For more information on Third-Party Apps detection features, see Third-Party Apps Report.
After making your selections, click Next.
- At the Integration step, click Next.
You are redirected to the Microsoft 365 login page.
- Log in to Microsoft 365 with the Global Admin service account to grant Secure Access the permissions it needs to act as a CASB for your tenant.

You are redirected to Secure Access, which displays a message when the authorization is complete. It can take up to 24 hours for the CASB integration status in Secure Access to show that authorization is complete.
- Click Done to complete.
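Consenting in the Microsoft 365 login step creates an enterprise application (service principal) in your Entra ID tenant with the permissions listed under Prerequisites. The following PowerShell is an added example, not Cisco's code or part of the original page: it lists what that service principal was actually granted and flags anything outside the documented set, which is the least-privilege check worth running once after authorization. It assumes the Microsoft.Graph module; the application's display name is an assumption and should be confirmed under Enterprise applications in the Entra admin center.

```powershell
# Added example (not Cisco's code): audit the consent granted to the Secure Access app.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All" -NoWelcome

# ASSUMPTION: display name of the enterprise application created by the consent step.
$appDisplayName = "Cisco Secure Access"

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "No service principal named '$appDisplayName' in this tenant" }

# Application permissions are app role assignments; resolve each role id to its name
# by looking it up in the resource API's own AppRoles list.
$application = foreach ($ra in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $ra.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $ra.AppRoleId }
    [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $role.Value; Type = 'Application' }
}

# Delegated permissions are OAuth2 permission grants; Scope is a space-separated list,
# and ConsentType shows whether the admin consented for all users or one principal.
$delegated = foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $scope; Type = "Delegated/$($g.ConsentType)" }
    }
}

$granted = @($application) + @($delegated)
$granted | Sort-Object Resource, Type, Permission | Format-Table -AutoSize

# The documented set from the permissions table under Prerequisites.
$expected = 'Directory.AccessAsUser.All','Directory.Read.All','Files.Read.All','Sites.Read.All',
            'User.Read','User.Read.All','ActivityFeed.Read','Sites.FullControl.All'
$extra = $granted | Where-Object { $_.Permission -notin $expected }
if ($extra) {
    Write-Warning "Granted permissions outside the documented set; review before keeping the integration:"
    $extra | Format-Table -AutoSize
}
```

Sites.FullControl.All on SharePoint is the broad grant that makes Quarantine possible (moving files, stripping collaborators, changing owners), so a tenant authorized for Third-Party Apps detection only should be reviewed with that in mind.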
Edit a Tenant
You can change the protection type or Response Action you have selected for a tenant.
- Navigate to Admin > Authentication.
- Click to expand Microsoft 365 in the list of Platforms.
- In the Cloud Access Security Broker subsection, from the Edit column, click Edit. You can edit any tenant.

- Choose to authorize your Microsoft 365 tenant for Cloud Malware protection, or detection of third-party cloud applications, or both.
If you authorize the tenant for Cloud Malware protection, you must also select a Response Action for Secure Access to apply to Microsoft 365 files found to contain malware.
- Choose Monitor to have Secure Access only log files detected with malware. You can then quarantine these files manually from the Cloud Malware report.
- Choose Quarantine to:
- Move the file into a folder named Cisco_Quarantine_Malware in the root path of the admin who authorized the tenant, remove all collaborators, and change the file owner to that Microsoft 365 admin.
- Replace the file in its original location with a text file named after the original with the suffix _Cisco_Quarantined.txt (for example, filename.ppt_Cisco_Quarantined.txt), which tells the original file owner that the file was identified as malware and to contact their organization administrator for more information.
Note: Quarantine applies only to SharePoint and OneDrive files. Secure Access Cloud Malware monitors Outlook messages in the primary inbox but cannot quarantine them.
For more information on Cloud Malware monitoring and quarantine features, see Manage Cloud Malware Protection. For more information on Third-Party Apps detection features, see Third-Party Apps Report.
- Click Next.
- The new Response Action is displayed.
Note: For tenants authorized only for CASB detection of third-party applications, no Response Action is shown.
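The Quarantine response action described above (in both Authorize a Tenant and Edit a Tenant) leaves two artifacts in Microsoft 365: the original file in the authorizing admin's Cisco_Quarantine_Malware folder, and a placeholder ending in _Cisco_Quarantined.txt at the file's original path. The following PowerShell is an added example, not Cisco's code or part of the original page, showing how an analyst can review both through the Microsoft Graph API. It assumes the Microsoft.Graph module and a Global Admin session; the two account names are assumptions.

```powershell
# Added example (not Cisco's code): review what Quarantine moved and what it left behind.
Connect-MgGraph -Scopes "Files.Read.All","User.Read.All" -NoWelcome

$authorizingAdmin = "casb-admin@contoso.com"   # ASSUMPTION: the admin who authorized the tenant
$affectedUser     = "alice@contoso.com"        # ASSUMPTION: a user whose file was quarantined

# 1. Quarantined originals: the Cisco_Quarantine_Malware folder in the admin's OneDrive root.
#    Collaborators were removed and ownership moved to the admin, so only this account sees them.
$folderUri = "https://graph.microsoft.com/v1.0/users/$authorizingAdmin/drive/root:/Cisco_Quarantine_Malware:/children"
$quarantined = (Invoke-MgGraphRequest -Method GET -Uri $folderUri).value
"Quarantined files held by ${authorizingAdmin}:"
$quarantined | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.name
        Bytes    = $_.size
        Modified = $_.lastModifiedDateTime
        Sha1     = $_.file.hashes.sha1Hash   # useful for cross-checking against threat intel
    }
} | Format-Table -AutoSize

# 2. Placeholders in a user's OneDrive: search on the suffix the quarantine action appends,
#    which shows the analyst which paths the user will find replaced.
$searchUri = "https://graph.microsoft.com/v1.0/users/$affectedUser/drive/root/search(q='_Cisco_Quarantined.txt')"
$placeholders = (Invoke-MgGraphRequest -Method GET -Uri $searchUri).value
"Quarantine placeholders in ${affectedUser}'s OneDrive:"
$placeholders | ForEach-Object {
    [pscustomobject]@{
        Path         = "$($_.parentReference.path)/$($_.name)"
        OriginalName = $_.name -replace '_Cisco_Quarantined\.txt$', ''
        Created      = $_.createdDateTime
    }
} | Format-Table -AutoSize
```

The placeholder name is the original file name plus the suffix, so stripping the suffix recovers the name to look for in the quarantine folder. If a file is missing from the quarantine folder even though Secure Access reported it, check whether Microsoft 365 ATP had already locked it (see Limitations).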
Revoke Authorization
- Navigate to Admin > Authentication, expand Microsoft 365 in the list of Platforms, and in the Cloud Access Security Broker subsection, under Action, click Revoke. You can revoke any authorized tenant.

- Confirm to proceed. The selected tenant is no longer authorized. Afterwards, review Enterprise applications in the Microsoft Entra admin center to confirm that the consent granted to the Secure Access application has also been removed.
