
Onboarding a Microsoft 365 Account

You can onboard your Microsoft 365 (M365) cloud account onto ZCSPM. Once the account is onboarded, ZCSPM reports its security posture by evaluating your M365 deployment against all the security policies we offer. To view the security policies, see Microsoft 365 Security Policies. To onboard an M365 account with ZCSPM:

    • You need to be a ZCSPM License Admin to onboard an Azure cloud account onto ZCSPM.
    • You need to be a Global Administrator at Microsoft 365.
    • You need to be an Azure Global AD Administrator and a Subscription Owner to register the ZCSPM app and grant access permissions to ZCSPM.
  • You can create a new Azure app registration either manually or by running an automation script on the Cloud Shell. To register a new M365 app manually:

      1. Log in to the Azure Portal.
      2. In the left-pane menu, click Azure Active Directory.
      3. Select App registrations, then click New Registration.
      4. Enter the Name and select the Accounts in this organizational directory only button.
      5. Click Register.
      6. Copy the Application ID to the clipboard and store it. You need to submit this information at ZCSPM.
      7. In the left-pane menu, click Certificates & secrets, then click New client secret.
      8. Enter a Description and select an expiry time, then click Add.
      9. Copy the Client secret Value to the clipboard and store it. You need to submit this information at ZCSPM.

      You cannot copy the Client secret later. If you do not copy the Client secret now, you will have to create a new Client secret to submit at ZCSPM.

      1. Log in to the Azure Portal.
      2. In the left-pane menu, click Azure Active Directory.
      3. Copy the Tenant ID and the Primary Domain to the clipboard and store them. You need to submit this information at ZCSPM.

    Alternatively, you can register a new Azure app by running a script on the Cloud Shell. The script registers a new Azure application and grants the application the subscription reader role.

      1. Ensure you have PowerShell version 5 or higher. Verify your PowerShell version using the following command:

          $PSVersionTable.PSVersion

      2. Ensure there are no restrictions on PowerShell to run the agent installation script. Remove restrictions on PowerShell using the following command:

          Set-ExecutionPolicy `
          -Scope Process `
          -ExecutionPolicy Bypass

      3. Download the PowerShell script files from ZCSPM GitHub.
      4. Install Azure modules by using the following command:

          Install-Module `
          -Name AzureAD `
          -MinimumVersion 2.0.0.131

      5. Open PowerShell as an administrator.
      6. Navigate to the directory where the script was downloaded.
      7. Run the following command to create a new Azure app registration:

          .\Create-ServicePrincipal-AzureOnboarding.ps1 `
          -azureActiveDirectoryId <active_directory_id> `
          -servicePrincipalName <data_collector_name> `
          -expirationPeriod 1year

      8. Enter the Global AD Administrator credentials.
      9. Copy the following information and store it:
        • Tenant Id
        • Domain Name
        • Application Id
        • Password Key

      If you do not want to provide Microsoft Graph permissions, use the following command instead:

          .\Create-ServicePrincipal-AzureOnboarding.ps1 `
          -azureActiveDirectoryId <active_directory_id> `
          -servicePrincipalName <data_collector_name> `
          -expirationPeriod 1year `
          -disableADPolicies
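
Both registration paths above produce a client secret with an expiry (the expiry time selected in the portal, or -expirationPeriod 1year in the script), and ZCSPM needs a new secret once it lapses. The following is an added example, not part of the ZCSPM scripts: the function name Get-SecretExpiryStatus, the 30-day and 366-day thresholds, and the sample KeyId values are assumptions made for illustration.

```powershell
# Added example: classify client-secret credentials by remaining lifetime.
# Input objects need KeyId, StartDate and EndDate, the properties returned by
# Get-AzureADApplicationPasswordCredential in the AzureAD module.
function Get-SecretExpiryStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Credential,
        [int]$WarnDays = 30,          # assumption: rotate within 30 days of expiry
        [int]$MaxLifetimeDays = 366,  # assumption: flag secrets valid for over a year
        [datetime]$Now = (Get-Date)
    )
    process {
        $remaining = [int][math]::Floor(($Credential.EndDate - $Now).TotalDays)
        $lifetime  = [int][math]::Ceiling(($Credential.EndDate - $Credential.StartDate).TotalDays)
        $status = if ($remaining -lt 0) {
            'Expired'            # ZCSPM can no longer authenticate with this secret
        } elseif ($remaining -le $WarnDays) {
            'ExpiringSoon'       # create a new secret and update it at ZCSPM
        } elseif ($lifetime -gt $MaxLifetimeDays) {
            'LifetimeTooLong'    # long-lived secret: larger exposure window if leaked
        } else {
            'OK'
        }
        [pscustomobject]@{
            KeyId         = $Credential.KeyId
            EndDate       = $Credential.EndDate
            DaysRemaining = $remaining
            Status        = $status
        }
    }
}

# Constructed sample data (not real credentials). Against a live tenant, pipe in
# Get-AzureADApplicationPasswordCredential -ObjectId <app_object_id> instead.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ KeyId = 'sample-expired';  StartDate = $now.AddDays(-400); EndDate = $now.AddDays(-35) }
    [pscustomobject]@{ KeyId = 'sample-expiring'; StartDate = $now.AddDays(-355); EndDate = $now.AddDays(10) }
    [pscustomobject]@{ KeyId = 'sample-ok';       StartDate = $now.AddDays(-30);  EndDate = $now.AddDays(335) }
    [pscustomobject]@{ KeyId = 'sample-long';     StartDate = $now.AddDays(-30);  EndDate = $now.AddDays(700) }
)
$sample | Get-SecretExpiryStatus -Now $now | Format-Table -AutoSize
```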
    1. Log in to ZCSPM as a License Admin.
    2. Click Activate License.
    3. Select Office 365, then click Continue.
    4. Select New Azure AD Tenant.
    5. Enter the following information:
      • Cloud Account Name
      • Domain Name
      • Office365 Directory Id
      • Office365 Application Id
      • Office365 Application Secret
    6. Click Add Account.

In addition to onboarding your Azure account onto ZCSPM, you can enable advanced security configurations for your Microsoft 365 account.

If you'd like to offboard your Microsoft 365 account, see Offboarding a Microsoft Azure Account.
