Enable Cloud Malware Protection for Microsoft 365 Tenants

Secure Access supports Cloud Malware protection for both OneDrive and SharePoint sites within your Microsoft 365 deployment.

Note on running both MS365 and Cloud Malware: MS365 and Cloud Malware both protect users against malware. However, their functionalities are not redundant. MS365 might discover malware that Cloud Malware does not find. Cloud Malware also finds malware that MS365 overlooks. There is value to running MS365 and Cloud Malware simultaneously.

Table of Contents


  • Full Admin user role. For more information, see Manage Accounts.
  • Chrome or Firefox (recommended) with pop-up blockers and ad blockers disabled (only for the duration of authorization)
  • The user performing the installation must use a service account with a Microsoft 365 Global Admin and active license
  • Audit log must be enabled for Microsoft 365. For more information, refer to Microsoft Technical documentation and search for Turn auditing on or off.
  • SharePoint Online and OneDrive must be enabled
  • The following IP addresses must be allowed if there are Firewall rules that prevent third-party applications:,,,,
  • Users must have the following API permissions for Microsoft:
API/ Permissions NameTypeDescriptionAdmin Consent Required
Microsoft Graph
1. Directory.AccessAsUser.AllDelegatedAccess directory as the signed-in userYes
2. Directory.Read.AllApplicationRead directory dataYes
3. Files.Read.AllDelegatedRead all files that user can accessNo
4. Files.Read.AllApplicationRead files in all site collectionsYes
5. Sites.Read.AllDelegatedRead items in all site collectionsNo
6. User.ReadDelegatedSign in and read user profileNo
7. User.Read.AllApplicationRead all users' full profilesYes
Microsoft 365 Management APIs
1. AcitivityFeed.ReadApplicationRead activity data for the OrganizationYes
1. Site.FullControl.AllApplicationFull control of all site collectionsYes
2. User.Read.AllApplicationRead user profilesYes

Authorize a Tenant

  1. Navigate to Admin > Authentication.
  1. Under Platforms, click Microsoft 365.
  1. Click Authorize New Tenant in the Cloud Malware subsection to add a Microsoft 365 tenant to your Secure Access environment.
  2. In the Microsoft 365 Authorization dialog, check the checkboxes to verify you meet the prerequisites, then click Next.
  1. Provide a name for your tenant, then click Next.
  1. Click Next to be redirected to the Microsoft 365 login page.
  2. Log in to Microsoft 365 with admin credentials to grant access.

You are redirected to Secure Access and a message appears showing the integration was successful. It may be up to 24 hours for the integration to be confirmed and appear as Authorized.

  1. Click Done to complete.

Revoke Authorization

  1. Under Action, click Revoke. You can revoke any authorized tenant.
  1. Confirm to proceed. The selected account is not authorized.

Enable Cloud Malware Protection for Box Tenants < Enable Cloud DLP Protection for Microsoft 365 Tenants > Enable Cloud Malware Protection for Webex Teams Tenants