ZCSPM
Microsoft 365 Advanced Security Configuration Agent
You can create an Azure automation account to collect additional M365 metadata for the advanced security configuration policies offered by ZCSPM.
The Azure automation account creates an M365 control plane. This control plane can only collect configuration metadata via PowerShell run with the global AD reader credentials.
ZCSPM does not store or have access to the global AD reader credentials. The PowerShell script you deploy in your Azure account uses the global AD reader permission to collect the configuration metadata and send it to ZCSPM.
To enable advanced security configurations:
- 1. Collect the necessary information from ZCSPM, M365, and Azure.
- ZCSPM License ID
To find out your ZCSPM license ID:
- Log in to the ZCSPM Admin Portal as a License Admin.
- Go to Configurations > Features and Quotas.
- Copy the License ID.
- ZCSPM Account ID
To find out your ZCSPM account ID:
- Log in to the ZCSPM Admin Portal as a License Admin.
- Go to Configurations > Cloud Accounts.
- Copy the Account ID.
- ZCSPM API Key
To generate the ZCSPM API Key:
- Sign up at the ZCSPM API portal.
- From the top navigation bar, go to PRODUCTS > Unlimited.
- Under Customer-Api, click Subscribe.
- Zscaler will then activate your subscription and send you an email confirmation.
- After you receive the email confirmation, click on your Username on the top right corner.
- Select your profile and click Show next to the Primary key.
- Azure Active Directory ID
- Log in to the Azure Portal.
- In the left-pane menu, click Azure Active Directory.
- Click Properties.
- Copy the Directory ID.
- Azure Subscription ID
- Log in to the Azure Portal as a Subscription Owner.
- Go to Subscriptions, then click your subscription.
- Copy the Subscription ID.
- ZCSPM Data Collector Application ID and Secret
To get the ZCSPM API application credentials:
- Log in to the Azure Portal.
- In the left-pane menu, click Azure Active Directory.
- Select App registrations, then select the application you created in Onboarding a Microsoft 365 Account.
- Copy the Application (client) ID.
- In the left-pane menu, click Certificates & secrets, then click New client secret.
- Enter a Description and select an expiry time, then click Add.
- Copy the Client secret to the clipboard and store it. You need to submit this information at ZCSPM.
- ZCSPM Environment and IAM Data Collector Information
You need your ZCSPM environment and the following IAM Data Collector information:
- ZCSPM Azure IAM Data Collector Artifacts Storage Name
- ZCSPM Azure IAM Data Collector Artifacts Storage Access Key
- ZCSPM Azure IAM Data Collector Version
To collect the above-mentioned information:
- Go to Configurations > Cloud Accounts.
- Choose your Azure cloud account.
- Click Configure Account, then click Onboarding Health Status.
- Click Download Artifact. This will download a JSON file which contains your ZCSPM environment information.
You will also need to submit your Microsoft 365 Domain and admin credentials. The credentials must have the SharePoint Administrator and Exchange Administrator permissions.
Make sure that the credentials you intend to use do not have MFA enabled. If you are using conditional access, exclude the Global AD reader.
- Create an M365 user with the SharePoint and Exchange Administrator permissions.
- Log in to the Microsoft 365 portal.
- Click Admin, then click M365 Admin center.
- Select Users, then click Add a user.
- Enter the user and product license details, then click Next.
- Under Common specialist roles, select Exchange administrator and SharePoint administrator.
- 2. Provision the M365 data collector.
- Log in to the Azure Portal as a Subscription Owner.
- Go to Subscriptions, then click the subscription where you have set up the data collector.
- Click on the Cloud Shell icon.
- Choose PowerShell, then select your storage.
- Download the ZCSPM data collector provisioning script using the following command:
wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/Provision-M365DataCollector.ps1 -O Provision-M365DataCollector.ps1
- Install and verify the Az automation module by using the following commands:
Get-Module -Name Az.Automation -ListAvailable
Install-Module -Name Az.Automation -RequiredVersion 1.4.2
Get-Module -Name Az.Automation -ListAvailable
Import-Module -Name Az.Automation -RequiredVersion 1.4.2
- Run the provisioning script by using the following command:
./Provision-M365DataCollector.ps1 `
    -ZCSPMLicenseId <zcspm-license-id> `
    -ZCSPMAccountId <zcspm-account-id> `
    -ZCSPMEnvironment <zcspm-environment> `
    -ZCSPMApplicationId <zcspm-application-id> `
    -ArtifactsName <artifacts-name> `
    -DataCollectorVersion <data-collector-version> `
    -OfficeDirectoryId <office-directory-id> `
    -OfficeDomain <office-domain> `
    -OfficeAdminEmailId <office-admin-email-id> `
    -AzureSubscriptionId <azure-subscription-id> `
    -SharePointAdminCenterURL <sharepoint-admin-center-url> `
    -Location <location> `
    -DataCollectorName <data-collector-name>
- You will then be prompted to enter the following information:
- ZCSPM API key
- ZCSPM Data Collector
- ZCSPM Office Application Secret
- ZCSPM Azure IAM Data Collector Artifacts Name
- ZCSPM Office IAM Data Collector Artifacts Storage Access Key
- Microsoft 365 password
- 3. Apply a delete lock on the data collector.
Apply a delete lock on the data collector in your Azure subscription to prevent anyone from accidentally deleting the data collector:
- Go to the M365 IAM Data collector's resource group.
- Click Locks, then click Add.
- Enter the Lock Name.
- From the Lock Type drop-down menu, select Delete.
- Enter Notes, then click OK.
- 4. Modify the data collection schedule.
You need to change the data collection schedule to match ZCSPM's daily metadata collection time:
- Go to the M365 IAM Data collector's resource group.
- Select Automation account then click Schedules.
- Change the schedule Time to one hour before the daily ZCSPM data collection time.
- Click Save.
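The following is an added example, not part of the ZCSPM documentation or its scripts: it applies the delete lock from step 3 and reviews the schedule from step 4 with Az PowerShell from the same Cloud Shell session, so both settings can be verified rather than clicked through. The resource group, automation account and lock names are placeholders you must replace.

```powershell
# Added example (not ZCSPM's code). Placeholders: replace with your collector's values.
$ResourceGroupName     = '<m365-data-collector-resource-group>'
$AutomationAccountName = '<data-collector-name>'
$LockName              = 'zcspm-m365-collector-delete-lock'

# Step 3: a CanNotDelete lock on the resource group blocks deletion of everything in it
# (automation account, runbooks, schedules, variables). It does not block edits.
New-AzResourceLock -LockName $LockName -LockLevel CanNotDelete `
    -ResourceGroupName $ResourceGroupName `
    -LockNotes 'Protects the ZCSPM M365 data collector from accidental deletion' `
    -Force | Out-Null

# Verify the lock exists at resource-group scope and has the expected level.
$lock = Get-AzResourceLock -ResourceGroupName $ResourceGroupName -LockName $LockName -AtScope
if (-not $lock -or $lock.Properties.level -ne 'CanNotDelete') {
    throw "Delete lock '$LockName' was not applied to resource group '$ResourceGroupName'"
}
"Lock '$LockName' applied to '$ResourceGroupName' with level $($lock.Properties.level)"

# Step 4: list the automation account's schedules so the start time can be compared with
# the daily ZCSPM collection time (the collector must run one hour earlier). StartTime and
# NextRun are reported in the schedule's own TimeZone, so check that column too.
Get-AzAutomationSchedule -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName |
    Select-Object Name, IsEnabled, TimeZone, StartTime, NextRun, Frequency |
    Format-Table -AutoSize
```

If the schedule time is wrong, change it in the portal as described in step 4; the schedule's start time is not editable in place through Set-AzAutomationSchedule.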
You can upgrade the advanced security configuration data collector.
- Upgrade the data collector.
- Log in to the Azure Portal as a Subscription Owner.
- Go to Subscriptions, then click the subscription where you have set up the data collector.
- Click on the Cloud Shell icon.
- Choose PowerShell, then select your storage.
- Download the ZCSPM data collector update script using the following command:
wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/Upgrade-M365DataCollector.ps1 -O Upgrade-M365DataCollector.ps1
- Run the script by using the following command:
./Upgrade-M365DataCollector.ps1 `
    -ArtifactsName <artifacts-name> `
    -DataCollectorVersion <data-collector-version> `
    -AzureSubscriptionId <azure-subscription-id> `
    -DataCollectorName <data-collector-name> `
    -SharePointAdminCenterURL <sharepoint-admin-center-url> `
    -ZCSPMApplicationId <zcspm-application-id>
If the ZCSPM API Key has expired, you can generate a new one at ZCSPM and update the data collector.
- 1. Regenerate ZCSPM API Key.
- Sign in to the ZCSPM API portal.
- Click your username on the top-right corner, then click Profile.
- Click Regenerate next to the primary key.
- Click Show to view and copy the new primary key.
- 2. Update the M365 data collector.
- Go to the M365 IAM Data collector's resource group.
- Select the Automation account, then click Variables in the left-pane menu.
- Click ZCSPMAPIKey, then click Edit value.
- Paste the regenerated API Key in the Value text box.
- Click Save.
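The following is an added example, not part of the ZCSPM documentation or its scripts: it performs step 2 of the key rotation from Cloud Shell, updating the ZCSPMAPIKey automation variable without the key passing through the command line or shell history, and confirms the update. The resource group and automation account names are placeholders you must replace.

```powershell
# Added example (not ZCSPM's code). Placeholders: replace with your collector's values.
$ResourceGroupName     = '<m365-data-collector-resource-group>'
$AutomationAccountName = '<data-collector-name>'
$VariableName          = 'ZCSPMAPIKey'   # variable name from the ZCSPM procedure

# Read the regenerated key interactively so it is not logged in shell history.
$secureKey = Read-Host -Prompt 'Paste the regenerated ZCSPM API key' -AsSecureString
# -AsPlainText requires PowerShell 7+, which is what Azure Cloud Shell provides.
$plainKey  = ConvertFrom-SecureString -SecureString $secureKey -AsPlainText
if ([string]::IsNullOrWhiteSpace($plainKey)) { throw 'No API key entered' }

# Look up the existing variable so the update keeps its encryption setting.
$existing = Get-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -Name $VariableName
if (-not $existing) { throw "Variable '$VariableName' not found in '$AutomationAccountName'" }
if (-not $existing.Encrypted) {
    # An unencrypted variable is readable by anyone with read access to the automation
    # account; recreate it as encrypted if that is not acceptable in your environment.
    Write-Warning "$VariableName is stored unencrypted"
}

# Write the new value; Set-AzAutomationVariable requires -Encrypted, so pass the current flag.
Set-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -Name $VariableName `
    -Value $plainKey -Encrypted $existing.Encrypted | Out-Null
Remove-Variable plainKey, secureKey   # drop the key from the session as soon as it is stored

# Encrypted values are not returned, so confirm the update via the modification timestamp.
$updated = Get-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -Name $VariableName
if ($updated.LastModifiedTime -le $existing.LastModifiedTime) {
    throw "Variable '$VariableName' does not appear to have been updated"
}
"$VariableName updated at $($updated.LastModifiedTime) (encrypted: $($updated.Encrypted))"
```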