Microsoft Office 365 Connector

SaaS Detection and Response (SaaSDR) enables you to understand the compliance posture of your SaaS applications. For Office 365, you can validate your environment against CIS controls using SaaSDR.  

The Center for Internet Security (CIS) has published CIS benchmarks for O365 that can be validated using SaaSDR. Several of these controls can only be validated using PowerShell commands executed in your Azure environment. To accomplish this, you also need to install the PowerShell Module (PM) in your Azure environment, as described in the steps below.

Prerequisites

1) Azure Cloud Shell: The instructions involve running an automation script that uses the Azure CLI. Make sure you have a Global Administrator account that has access to the Azure Cloud Shell.

2) Service account: This account is used for scanning and should be assigned the following roles:

             - Global Reader 

             - Privileged Role Administrator 

3) An active paid Microsoft Azure subscription in which to create a serverless deployment containing the following resources:

- Azure Function App

- Azure Storage Account

- Azure Key Vault

All of these resources are created in a separate Azure resource group for easier management.

4) You must have the following two users:

Note: 'Privileged Role Admin' is a high-severity role. Without Privileged Role Admin, the auto-remediation job cannot be accessed; to enable the auto-remediation job, grant this role to the user.

Installation 

Follow these steps to create an Office 365 Connector:

1) Create Azure Resources

2) Create Connector in SaaSDR with Office 365 as application

Create Azure Resources

1) Download the qualys_azure_setup.zip file from the home landing page. This file contains the code for the Azure functions that validate the individual controls, as well as the installation script to be executed (qualys_azure_installation.sh).

2) Log in to portal.azure.com as a global administrator and open Azure Cloud Shell by clicking the icon at the top right.

Note: If this is the first time you are opening Cloud Shell on the Azure portal, select Bash at the following prompt.

In the next step, select the appropriate Subscription and click the Create storage button.


3) Once the bash terminal is open, run the df command and copy the storage account name from its output, as shown below.

4) Paste the storage account name copied in the previous step into the Azure portal search box and click the storage account in the search results.



5) In the left panel, click the File shares option and then click the listed file share, as shown below.

6) In the left panel, click the Browse option, then click Upload. Click Browse for files and select the qualys_azure_setup.zip file in the file explorer to upload it to the cloud shell file share.

7) Open the cloud shell again and unzip the qualys_azure_setup.zip file using the following commands, as shown in the screenshot.

~$ cd clouddrive

~$ unzip qualys_azure_setup.zip

8) Run the qualys_azure_installation.sh script to start the installation using the following command, as shown in the screenshot.

$ sh qualys_azure_installation.sh

9) Enter the following details in the script prompt.

10) In the next step, copy the subscription ID of the subscription for which you want to create the connector from the list.

11) From the list of regions, choose an appropriate region in which to deploy the Azure resources.

12) After all the resources are created, the upload of the functions starts. This step takes about 10-15 minutes; do not interrupt the upload.

13) Once the functions are uploaded, the Application ID, Application Key, Function Name and Function Key are displayed on the console. Use these values to create the connector on the SaaSDR configuration page.
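A post-install check you can run in the same Cloud Shell after step 13, added here as an example and not part of the qualys_azure_setup.zip package: it lists the resource types in the resource group the installer created and confirms that the Function App, Storage Account and Key Vault from the prerequisites are present. It assumes the Azure CLI is logged in and that you know the resource group name; the ARM type names are the standard Azure provider types for those resources.

```shell
#!/bin/sh
# Post-install check for the resource group that qualys_azure_installation.sh creates.
# Added example, not part of the SaaSDR setup package. Assumes the Azure CLI ("az")
# is logged in (true inside Cloud Shell) and that the resource group name is passed
# as $1. The three ARM types below are the provider types of the Function App
# (Microsoft.Web/sites), Storage Account and Key Vault listed in the prerequisites.

EXPECTED_TYPES="Microsoft.Web/sites
Microsoft.Storage/storageAccounts
Microsoft.KeyVault/vaults"

# check_types: reads one ARM resource type per line on stdin (the format produced by
# `az resource list --query "[].type" -o tsv`), prints each expected type that is
# absent and returns the number of missing types (0 means all three are present).
check_types() {
    found=$(cat)
    missing=0
    for t in $EXPECTED_TYPES; do
        if ! printf '%s\n' "$found" | grep -qxF "$t"; then
            echo "MISSING: $t"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# extra_types: same input; prints any type the documentation does not mention (for
# example the App Service plan behind a Function App) so it can be reviewed. Always
# returns 0: extras are informational, missing resources are the failure condition.
extra_types() {
    while IFS= read -r t; do
        [ -n "$t" ] || continue
        if ! printf '%s\n' "$EXPECTED_TYPES" | grep -qxF "$t"; then
            echo "NOTE: undocumented resource type $t"
        fi
    done
    return 0
}

# verify_resource_group: runs both checks against a live resource group.
verify_resource_group() {
    types=$(az resource list --resource-group "$1" --query "[].type" -o tsv) || return 1
    printf '%s\n' "$types" | extra_types
    printf '%s\n' "$types" | check_types
}

if [ -n "${1:-}" ]; then
    verify_resource_group "$1"
fi
```

Run it as `sh check_resources.sh <resource-group-name>`; a non-zero exit status means at least one of the three documented resources is missing.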

Create Connector in SaaSDR with Office 365 as application

1) On the SaaSDR UI, go to Configuration > Connectors and click Create Connector.

2) On the Create Connector page, select Office 365 from the SaaS drop-down menu.

3) Provide the Application Id, Application Key, Function Name and Function Key received in the previous steps.


4) Click Create Connector.

You are redirected to the application's login page, where you must log in with your administrator credentials (this user must be a Global Administrator in order to grant access to the newly created application). Once the connector is created, it is listed under Configuration > Connectors, where you can check its status and other details.

That's it!

Once the application is connected, a scan is initiated to pull metadata from the application. This step may take some time to complete, depending on the number of resources to be catalogued in your application.