You can onboard your Microsoft M365 cloud account onto ZCSPM. Once onboarded, ZCSPM provides you with your account's security posture. ZCSPM runs your M365 cloud account deployment against all the security policies we offer. To view the security policies, see Microsoft 365 Security Policies. To onboard an M365 account with ZCSPM:

• 1. Ensure the prerequisites are met.
  • You need to be a ZCSPM License Admin to onboard an Azure cloud account onto ZCSPM.
  • You need to be a Global Administrator at Microsoft 365.
  • You need to be an Azure Global AD Administrator and a Subscription Owner to register the ZCSPM app and grant access permissions to ZCSPM.

  Close
• 2. Create a New Azure App Registration.

  You can create a new Azure app registration either manually or by running an automation script on the Cloud Shell. To register a new M365 app manually:

  • a. Get the Application ID and Client Secret
    1. Log in to the Azure Portal
    2. In the left-pane menu, click Azure Active Directory.
    3. Select App registrations, then click New Registration.
    4. Enter the Name and select Accounts in this organizational directory only button.
    5. Click Register.
    6. Copy the Application ID to the clipboard and store it. You need to submit this information at ZCSPM.
    7. In the left-pane menu, click Certificates & secrets, then click New client secret.
    8. Enter a Description and select an expiry time, then click Add.
    9. Copy the Client secret Value to the clipboard and store it. You need to submit this information at ZCSPM.

    You cannot copy the Client secret later. If you do not copy the Client secret now, you will have to create a new Client secret to submit at ZCSPM.

    Close
  • b. Grant admin consent for Microsoft API permissions.
    1. Log in to the Azure Portal
    2. In the left-pane menu, click Azure Active Directory.
    3. Select App registrations, then select the ZCSPM application which you want to onboard.
    4. In the left-pane menu, click API permissions.
    5. Click Add a permission, then select Microsoft Graph.

    See image.

    

    Close

    6. Click Application permissions, then select the following permissions:
       • SecurityEvents.Read.All
       • DeviceManagementConfiguration.Read.All
       • Organization.Read.All
       • Application.Read.All
       • User.Read.All
       • DeviceManagementApps.Read.All
       • Policy.Read.All

    Make sure you are granting Application permissions and not Delegated permissions.

    See image.

    

    Close

    7. Click Add permissions.
    8. Click Grant admin consent for <your zcspm app>.

    Close
  • c. Get the Azure Tenant ID and Domain Name
    1. Log in to the Azure Portal
    2. In the left-pane menu, click Azure Active Directory.
    3. Copy the Tenant ID and the Primary Domain to the clipboard and store it. You need to submit this information at ZCSPM.

    Close

  Alternatively, you can register a new Azure app by running a script on the Cloud Shell. The script registers a new Azure application and grant the application the subscription reader role.

  • a. Run the registration script on the Cloud Shell
    1. Ensure you have PowerShell version v5 or higher. Verify your PowerShell version using the following command:

    $PSVersionTable.PSVersion

    2. Ensure there are no restrictions on PowerShell to run the agent installation script. Remove restrictions on PowerShell using the following command:

    Set-ExecutionPolicy `
    -Scope Process `
    -ExecutionPolicy Bypass
        

    3. Download the PowerShell script files from ZCSPM Github.
    4. Install Azure modules by using the following command:

    Install-Module `
    -Name AzureAD `
    -MinimumVersion 2.0.0.131
        

    5. Open PowerShell as an administrator.
    6. Navigate to the directory where the script was downloaded.
    7. Run the following command to create a new Azure app registration:

    .\Create-ServicePrincipal-AzureOnboarding.ps1 `
    -azureActiveDirectoryId <active_directory_id> `
    -servicePrincipalName <data_collector_name> `
    -expirationPeriod 1year

    9. Enter the Global AD Administrator credentials.
    10. Copy the following information and store them:
        • Tenant Id
        • Domain Name
        • Application Id
        • Password Key

    In case you do not want to provide Microsoft Graph permissions, use the following command instead:

    .\Create-ServicePrincipal-AzureOnboarding.ps1 `
    -azureActiveDirectoryId <active_directory_id> `
    -servicePrincipalName <data_collector_name> `
    -expirationPeriod 1year
    -disableADPolicies

    Close
  • b. Grant admin consent for Microsoft API permissions.
    1. Log in to the Azure Portal
    2. In the left-pane menu, click Azure Active Directory.
    3. Select App registrations, then select the ZCSPM application which you want to offboard.
    4. In the left-pane menu, click API permissions.
    5. Click Add a permission, then select Microsoft Graph.

    See image.

    

    Close

    Make sure you are granting Application permissions and not Delegated permissions.

    6. Click Application permissions, then select the following permissions:
       • SecurityEvents.Read.All
       • DeviceManagementConfiguration.Read.All
       • Organization.Read.All
       • Application.Read.All
       • User.Read.All
       • DeviceManagementApps.Read.All

    See image.

    

    Close

    7. Click Add permissions.
    8. Click Grant admin consent for <your zcspm app>.

    Close

  Close
• 3. Add your Microsoft 365 subscription on ZCSPM.
  1. Log in into ZCSPM as a License Admin.
  2. Click Activate License.
  3. Select Office 365, then click Continue.
  4. Select New Azure AD Tenant.
  5. Enter the following information:
     • Cloud Account Name
     • Domain Name
     • Office365 Directory Id
     • Office365 Application Id
     • Office365 Application Secret
  6. Click Add Account.

  Close

In addition to onboarding your Azure account on to ZCSPM, you can enable advanced security configurations for your Microsoft 365 account.

If you'd like to offboard your Microsoft 365 account, see Offboarding a Microsoft Azure Account.