Lookout Product Documentation

Onboarding Steps

  1. Select Administration > App Management and click New.
  2. Choose Office 365.
    This is the Microsoft 365 application suite.
  3. Click Next.
  4. Enter a Name.
    The name must include only alphabetical characters, numbers, and the underscore character (_). Do not use spaces or any other special characters.
  5. (Optional) Enter a Description.
  6. Select the applications in the suite that you want to protect.
    The Other Apps option includes any unsupported or partially supported applications such as Calendar, Dynamics365, Excel, Word, Planner, Sway, Stream, and Video.

  7. Click Next.
  8. Select one or more protection models.
    The protection options vary depending on the applications you selected in the previous step, and will apply to those applications. You cannot select protection models for individual applications.
    App Access

    Available for all Microsoft 365 applications.

    Because file deletion and renaming functions in Microsoft 365 CAC require API calls, you must also choose API Access as a protection model for these functions to work properly. If you select only App Access without API Access:

    • File upload blocking will upload empty (zero byte) files.
    • Encrypted file names will not be given the .ccsecure extension.
    • CAC policies that include folders and sites will not work because folders and sites are not synced.
    • User-based CAC policies will not work because user sync does not occur.

    If these limitations are not critical in your organization, selection of API Access is optional.

    API Access

    Available for all Microsoft 365 applications.

    Must also be enabled if you enable App Access, Dynamic DRM, or Cloud Data Discovery.

    Cloud Security Posture

    Available for all Microsoft 365 applications.

    Select this model if you want to implement Cloud Security Posture Management (CSPM) functionality for this cloud. For more information about CSPM, see Cloud Security Posture Management.

    Dynamic DRM

    Available for all Microsoft 365 applications.

    Requires either API Access or App Access model to be enabled.

    Email

    Available if you selected Exchange as a Microsoft 365 application.

    ActiveSync Device Management

    Available if you selected ActiveSync as a Microsoft 365 application.

    Secure Cloud Access supports the ActiveSync protocol for mobile devices, allowing enterprises to apply controls for real-time sync and send activities for Office 365 email. Select the ActiveSync Device Management option to create and configure policies for sync and send actions related to Microsoft 365 emails on mobile devices.

    If you choose this protection model, make sure you have configured the Exchange client on your device. For instructions, see Configuring Microsoft Exchange account on your mobile device.

    Once the mobile device is registered, the unique ID (UUID) of the mobile device will be displayed in the Management Console. To verify, select Protect > Device Management > ActiveSync > User.

    Cloud Data Discovery

    Available for OneDrive and SharePoint applications.

    Select this model if you want to implement Cloud Data Discovery functionality for this application.

    Also requires API Access to be enabled.

  9. Click Next.
  10. Enter the following configuration information.
    The fields included depend on the protection models you selected.

    • Proxy
      • The Custom HTTP Header Name and Custom HTTP Header Value fields are configured on the cloud level (as opposed to the cloud application level). If this is the first Microsoft 365 cloud application you are onboarding, the values you enter in these two fields will apply to all other Office 365 cloud applications you onboard. If this is not the first Microsoft 365 cloud application you are onboarding, these field values will be initialized from the first Microsoft 365 cloud you onboarded.
      • The remaining fields are configured for the cloud application you are onboarding. Enter values as needed.
      • Email Domain -- Enter the email domain used for signing into the app.

        For example, if a user signs in with user@example.com, then enter example.com.

      • Additional Domains - Optionally configure any additional domains for inspection. For example, you can configure shortened URLs or any custom domains that represent app-specific traffic.
      • Tenant Name Domain Prefix - To capture this value, log in to O365, open SharePoint, and copy the domain prefix from the sharepoint.com URL in the browser’s address bar.

        Example:

        If the SharePoint URL is https://example-my.sharepoint.com

        Domain prefix: example

    • API Settings (required only for API Access protection) --
      • Internal Domains -- Enter one or more internal domains.
      • Content Collaboration Scan - Toggle is enabled by default. This setting enables events for File CheckIn/CheckOut to be processed. If this toggle is disabled, these events are not processed.
      • Message Aggregation - Select how to aggregate messages for DLP scanning.
    • Archive Settings - Enables archiving of files that are either permanently deleted or replaced by Content Digital Rights policy actions. Archived files (including those for SharePoint and Teams) are placed in an Archive folder under a CASB Compliance Review folder created for the cloud application. You can then review the files and restore them if needed.

      Notes

      • If you onboard Microsoft Teams as an application, be sure that an Active Sync directory is created, because Azure AD is the source of user information. To create a directory, select Administration > Enterprise Integration and select User Directory from the menu.
      • When you change the authorized administrator for a cloud account, if there is any previously archived content in the CASB Compliance Review folder that is owned by the previous administrator, you should share it with the new authorized administrator to enable them to review and restore archived data.

      The Archive Settings option is available for onboarded cloud applications with the API Access protection model.

      Two options are available:

      • Remove from Trash
      • Archive

      For Permanent Delete policy actions, both options are disabled by default; for Content Digital Rights, they are enabled by default.

      For OneDrive cloud applications, files for non-administrator user accounts are not removed from the Trash when the Remove from Trash flag is enabled.

      Click the toggles to enable or disable the settings. If you select the Archive action, you must also select the Remove from Trash option for archiving to be enabled.

      Enter the number of days for which to retain archived files. The default value is 30 days.

      Select the application to use for API onboarding. See Microsoft 365 API onboarding with Self-Managed OAuth Application for details.

    • Authorization -- Authorize the components. You will need to provide your Microsoft 365 login credentials when prompted. Click the buttons as follows:
      • OneDrive and SharePoint -- Click each Authorize button. If you did not select either of these applications earlier, these buttons do not appear.
      • Office 365 - Clicking Authorize authorizes the Office 365 suite components you selected, except for OneDrive and SharePoint, which must be authorized separately. This authorization is for monitoring only.
  11. Click Next.
  12. View the summary page to verify that all information is correct.
    If it is, click Next.

    The onboarding is complete. The cloud application is added to the list on the App Management page.
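
The naming rule in step 4, the protection-model dependencies in step 8, and the Tenant Name Domain Prefix and Archive Settings rules in step 10 can be checked against a planned configuration before you open the wizard. The following is an added example, not Lookout code or a Lookout API: `tenant_prefix`, `check_plan` and the plan dictionary layout are hypothetical, and the model and application names are the labels used on this page.

```python
import re
from urllib.parse import urlparse

NAME_RE = re.compile(r"[A-Za-z0-9_]+")  # step 4: letters, digits, underscore

def tenant_prefix(sharepoint_url):
    """Tenant Name Domain Prefix (step 10) from a SharePoint URL."""
    host = (urlparse(sharepoint_url).hostname or "").lower()
    suffix = ".sharepoint.com"
    label = host[:-len(suffix)] if host.endswith(suffix) else ""
    if not label or "." in label:
        raise ValueError(f"not a tenant sharepoint.com URL: {sharepoint_url!r}")
    # The page's example host is example-my.sharepoint.com -> prefix "example".
    return label[:-3] if label.endswith("-my") else label

def check_plan(plan):
    """Return (severity, message) findings for a planned onboarding."""
    apps, models = set(plan["apps"]), set(plan["models"])
    out = []
    if not NAME_RE.fullmatch(plan["name"]):
        out.append(("error", "Name: only letters, numbers and underscore"))
    for model, app in (("Email", "Exchange"),
                       ("ActiveSync Device Management", "ActiveSync")):
        if model in models and app not in apps:
            out.append(("error", f"{model} requires the {app} application"))
    if "Cloud Data Discovery" in models:
        if not apps & {"OneDrive", "SharePoint"}:
            out.append(("error", "Cloud Data Discovery needs OneDrive or SharePoint"))
        if "API Access" not in models:
            out.append(("error", "Cloud Data Discovery requires API Access"))
    if "Dynamic DRM" in models and not models & {"API Access", "App Access"}:
        out.append(("error", "Dynamic DRM requires API Access or App Access"))
    if "App Access" in models and "API Access" not in models:
        out.append(("warning", "App Access without API Access: blocked uploads "
                    "leave zero-byte files, no .ccsecure extension, folder/site "
                    "and user-based CAC policies will not work"))
    if plan.get("archive"):
        if "API Access" not in models:
            out.append(("error", "Archive Settings require API Access"))
        if not plan.get("remove_from_trash"):
            out.append(("error", "Archive requires Remove from Trash"))
    return out

# Constructed sample plan, not taken from a real tenant.
SAMPLE = {"name": "m365 prod", "apps": {"OneDrive", "Exchange"},
          "models": {"App Access", "Dynamic DRM", "Cloud Data Discovery"},
          "archive": True, "remove_from_trash": False}

if __name__ == "__main__":
    print(tenant_prefix("https://example-my.sharepoint.com"))
    for severity, message in check_plan(SAMPLE):
        print(f"{severity}: {message}")
```

App Access without API Access is reported as a warning rather than an error because the page treats API Access as optional when the listed limitations are acceptable.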