
Microsoft 365 Advanced Security Configuration Agent

You can create an Azure Automation account that collects additional Microsoft 365 configuration metadata for the advanced security configuration policies offered by ZCSPM.

The Azure Automation account acts as an M365 control plane. This control plane can only collect configuration metadata; it does so by running PowerShell under the global AD reader credentials.

ZCSPM does not store, and has no access to, the global AD reader credentials. The PowerShell runbook you deploy in your own Azure subscription uses the global AD reader permission to collect the configuration metadata and sends only that metadata to ZCSPM. Because the credentials live in your subscription, restrict who can read or modify the data collector's resource group.

To enable advanced security configurations:

    • To find out your ZCSPM license ID:

      1. Log in to the ZCSPM Admin Portal as a License Admin.
      2. Go to Configurations > Features and Quotas.
      3. Copy the License ID.
    • To find out your ZCSPM account ID:

      1. Log in to the ZCSPM Admin Portal as a License Admin.
      2. Go to Configurations > Cloud Accounts.
      3. Copy the Account ID.
    • To generate the ZCSPM API Key:

      1. Sign up at the ZCSPM API portal.
      2. From the top navigation bar, go to PRODUCTS > Unlimited.
      3. Under Customer-Api, click Subscribe.
      4. Zscaler will then activate your subscription and send you an email confirmation.
      5. After you receive the email confirmation, click on your Username on the top right corner.
      6. Select your profile and click Show next to the Primary key.
    • To find out your Microsoft 365 directory ID:

      1. Log in to the Azure Portal.
      2. In the left-pane menu, click Azure Active Directory.
      3. Click Properties.
      4. Copy the Directory ID.
    • To find out your Azure subscription ID:

      1. Log in to the Azure Portal as a Subscription Owner.
      2. Go to Subscriptions, then click your subscription.
      3. Copy the Subscription ID.
    • To get the ZCSPM API application credentials:

      1. Log in to the Azure Portal.
      2. In the left-pane menu, click Azure Active Directory.
      3. Select App registrations, then select the application you created in Onboarding a Microsoft 365 Account.
      4. Copy the Application (client) ID.
      5. In the left-pane menu, click Certificates & secrets, then click New client secret.
      6. Enter a Description and select an expiry time, then click Add.
      7. Copy the Client secret value and store it securely; Azure shows the value only once. You will enter it when you run the provisioning script.
    • You need your ZCSPM environment and the following IAM Data Collector information:

      • ZCSPM Azure IAM Data Collector Artifacts Storage Name
      • ZCSPM Azure IAM Data Collector Artifacts Storage Access Key
      • ZCSPM Azure IAM Data Collector Version

      To collect the above information:

      1. In the ZCSPM Admin Portal, go to Configurations > Cloud Accounts.
      2. Choose your Azure cloud account.
      3. Click Configure Account, then click Onboarding Health Status.
      4. Click Download Artifact. This downloads a JSON file that contains your ZCSPM environment information.

    You will also need to submit your Microsoft 365 domain and the admin credentials the collector will run as. The credentials must have the SharePoint Administrator and Exchange Administrator permissions.

    Make sure that the credentials you intend to use do not have MFA enabled. If you are using conditional access, exclude the global AD reader account from the policies that would otherwise apply to it. Because this account cannot use MFA, treat it as a dedicated service account: give it a strong, unique password, do not use it for interactive sign-in, and keep the conditional access exclusion as narrow as the runbook's sign-in requires.
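The prerequisites above (SharePoint Administrator and Exchange Administrator roles, and a conditional access exclusion) can be verified before running the provisioning script. The following pre-flight check is an added example, not part of the ZCSPM documentation or its scripts; it uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph module, assumed to be installed), and the UPN it takes is a placeholder you replace with the collector account.

```powershell
# Added example (not ZCSPM code): pre-flight check of the Microsoft 365 account
# that the ZCSPM data collector will sign in as. Requires the Microsoft.Graph
# module; the caller must be allowed to read directory roles and CA policies.
param(
    [Parameter(Mandatory)] [string] $AdminUpn   # placeholder, e.g. zcspm-collector@contoso.onmicrosoft.com
)

# Roles the collector credentials must hold, per the prerequisites.
$requiredRoles = @('SharePoint Administrator', 'Exchange Administrator')

Connect-MgGraph -Scopes 'Directory.Read.All', 'Policy.Read.All'

$user = Get-MgUser -UserId $AdminUpn -Property Id, UserPrincipalName, AccountEnabled

# Memberships come back as generic directoryObjects; the concrete type and its
# display name / role template live in AdditionalProperties.
$memberOf = Get-MgUserMemberOf -UserId $user.Id -All
$roles  = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' })
$groups = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })

$activeRoleNames = @($roles  | ForEach-Object { $_.AdditionalProperties['displayName'] })
$roleTemplateIds = @($roles  | ForEach-Object { $_.AdditionalProperties['roleTemplateId'] })
$groupIds        = @($groups | ForEach-Object { $_.Id })
$missingRoles    = @($requiredRoles | Where-Object { $_ -notin $activeRoleNames })

# Enabled conditional access policies that still apply to the account: it is
# included (directly, via "All", via one of its groups or via one of its roles)
# and not excluded by user or group. These are the policies that need an
# exclusion before the runbook can authenticate without MFA.
$applying = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') { continue }
    $u = $p.Conditions.Users
    $excluded = ($user.Id -in $u.ExcludeUsers) -or
                (@($groupIds | Where-Object { $_ -in $u.ExcludeGroups }).Count -gt 0)
    $included = ('All' -in $u.IncludeUsers) -or ($user.Id -in $u.IncludeUsers) -or
                (@($groupIds        | Where-Object { $_ -in $u.IncludeGroups }).Count -gt 0) -or
                (@($roleTemplateIds | Where-Object { $_ -in $u.IncludeRoles  }).Count -gt 0)
    if ($included -and -not $excluded) { $p.DisplayName }
}

# Summary object: Ready is $true only when the account is enabled, holds both
# required roles and is not caught by any enabled CA policy.
[pscustomobject]@{
    Account          = $user.UserPrincipalName
    AccountEnabled   = $user.AccountEnabled
    ActiveRoles      = $activeRoleNames
    MissingRoles     = $missingRoles
    PoliciesApplying = @($applying)
    Ready            = ($user.AccountEnabled -and $missingRoles.Count -eq 0 -and @($applying).Count -eq 0)
}
```

Run it as `.\Check-CollectorAccount.ps1 -AdminUpn <collector-account-upn>` and fix anything listed under MissingRoles or PoliciesApplying before provisioning. Group-based inclusion is evaluated only for the groups returned by the membership query, and the legacy per-user MFA setting is not exposed through these Graph calls, so confirm that setting in the portal as the prerequisites require.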
To deploy the data collector:

    1. Log in to the Azure Portal as a Subscription Owner.
    2. Go to Subscriptions, then click the subscription in which you want to deploy the data collector.
    3. Click on the Cloud Shell icon.
    4. Choose PowerShell, then select your storage.
    5. Download the ZCSPM data collector provisioning script using the following command:
    wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/Provision-M365DataCollector.ps1 -O Provision-M365DataCollector.ps1
    
    6. Install and verify the Az.Automation module by using the following commands:
    Get-Module -Name Az.Automation -ListAvailable
    
    Install-Module -Name Az.Automation -RequiredVersion 1.4.2
    
    Get-Module -Name Az.Automation -ListAvailable
    
    Import-Module -Name Az.Automation -RequiredVersion 1.4.2
        
    7. Run the provisioning script by using the following command:
    ./Provision-M365DataCollector.ps1 `
        -ZCSPMLicenseId <zcspm-license-id> `
        -ZCSPMAccountId <zcspm-account-id> `
        -ZCSPMEnvironment <zcspm-environment> `
        -ZCSPMApplicationId <zcspm-application-id> `
        -ArtifactsName <artifacts-name> `
        -DataCollectorVersion <data-collector-version> `
        -OfficeDirectoryId <office-directory-id> `
        -OfficeDomain <office-domain> `
        -OfficeAdminEmailId <office-admin-email-id> `
        -AzureSubscriptionId <azure-subscription-id> `
        -SharePointAdminCenterURL <sharepoint-admin-center-url> `
        -Location <location> `
        -DataCollectorName <data-collector-name>
        
    8. You will then be prompted to enter the following information:
      • ZCSPM API key
      • ZCSPM Data Collector
      • ZCSPM Office Application Secret
      • ZCSPM Azure IAM Data Collector Artifacts Name
      • ZCSPM Office IAM Data Collector Artifacts Storage Access Key
      • Microsoft 365 password
      Once you enter the information, a runbook is created in the automation account.
  • Apply a delete lock on the data collector in your Azure subscription to prevent anyone from accidentally deleting the data collector:

    1. Go to the M365 IAM Data Collector's resource group.
    2. Click Locks, then click Add.
    3. Enter the Lock Name.
    4. From the Lock Type drop-down menu, select Delete.
    5. Enter Notes, then click OK.
  • Change the data collection schedule so that it runs ahead of ZCSPM's daily metadata collection:

    1. Go to the M365 IAM Data Collector's resource group.
    2. Select the Automation account, then click Schedules.
    3. Change the schedule Time to one hour before the daily ZCSPM data collection time.
    4. Click Save.
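Both post-deployment steps (the delete lock and the schedule change) can also be done from Cloud Shell with Az PowerShell. The script below is an added example, not part of the ZCSPM documentation or its provisioning script; it assumes Az.Resources and Az.Automation are installed and that Connect-AzAccount has already selected the subscription that holds the collector. The lock name and all parameter values are placeholders. One thing the portal hides: Set-AzAutomationSchedule cannot change a schedule's start time, so the schedule has to be re-created and re-linked to its runbook, which is what the script does.

```powershell
# Added example (not ZCSPM code): apply the delete lock and move the collector's
# daily schedule to one hour before the ZCSPM collection time using Az PowerShell.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,       # resource group the provisioning script created
    [Parameter(Mandatory)] [string] $AutomationAccountName,   # the M365 data collector automation account
    [Parameter(Mandatory)] [string] $ZcspmCollectionTimeUtc,  # ZCSPM's daily collection time in UTC, e.g. '02:00'
    [string] $LockName = 'zcspm-m365-data-collector-no-delete'   # placeholder lock name
)

# 1. Delete lock on the resource group. CanNotDelete blocks deletion of the group
#    and everything in it (automation account, runbook, schedules, stored
#    credentials) but still allows updates such as the schedule change below.
$lock = Get-AzResourceLock -ResourceGroupName $ResourceGroupName -LockName $LockName -ErrorAction SilentlyContinue
if (-not $lock) {
    New-AzResourceLock -LockName $LockName -LockLevel CanNotDelete `
        -ResourceGroupName $ResourceGroupName `
        -LockNotes 'ZCSPM M365 advanced security configuration data collector' -Force | Out-Null
}

# 2. Next start time: one hour before the ZCSPM collection time, and at least a
#    few minutes in the future, because Azure Automation rejects schedules whose
#    start time is less than five minutes away.
$collect = [datetime]::ParseExact($ZcspmCollectionTimeUtc, 'HH:mm', [cultureinfo]::InvariantCulture)
$start   = [datetime]::UtcNow.Date.Add($collect.TimeOfDay).AddHours(-1)
while ($start -lt [datetime]::UtcNow.AddMinutes(10)) { $start = $start.AddDays(1) }

# 3. Set-AzAutomationSchedule only toggles IsEnabled/Description, so each daily
#    schedule is removed, re-created at the new time and re-linked to the runbooks
#    (with their parameters) it triggered. Removing the schedule drops the links.
$common = @{ ResourceGroupName = $ResourceGroupName; AutomationAccountName = $AutomationAccountName }
$daily  = @(Get-AzAutomationSchedule @common | Where-Object { $_.Frequency -eq 'Day' })

foreach ($s in $daily) {
    $links = @(Get-AzAutomationScheduledRunbook @common -ScheduleName $s.Name)
    Remove-AzAutomationSchedule @common -Name $s.Name -Force
    New-AzAutomationSchedule @common -Name $s.Name -StartTime $start -DayInterval 1 -TimeZone 'UTC' | Out-Null
    foreach ($l in $links) {
        $reg = @{ RunbookName = $l.RunbookName; ScheduleName = $s.Name }
        if ($l.Parameters -and $l.Parameters.Count -gt 0) { $reg.Parameters = $l.Parameters }
        Register-AzAutomationScheduledRunbook @common @reg | Out-Null
    }
    "Schedule '{0}' now runs daily at {1:HH:mm} UTC, linked to: {2}" -f $s.Name, $start, ($links.RunbookName -join ', ')
}
```

Run it as `.\Set-CollectorSchedule.ps1 -ResourceGroupName <rg> -AutomationAccountName <account> -ZcspmCollectionTimeUtc <HH:mm>`. Because the lock is CanNotDelete rather than ReadOnly, the schedule re-creation in step 3 still succeeds with the lock in place; re-running the script is safe, since the lock is only created when absent and the schedule is simply re-created at the same time.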

You can upgrade the advanced security configuration data collector.

    1. Log in to the Azure Portal as a Subscription Owner.
    2. Go to Subscriptions, then click the subscription where you have set up the data collector.
    3. Click on the Cloud Shell icon.
    4. Choose PowerShell, then select your storage.
    5. Download the ZCSPM data collector update script using the following command:
    wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/Upgrade-M365DataCollector.ps1 -O Upgrade-M365DataCollector.ps1
    
    6. Run the script by using the following command:
    ./Upgrade-M365DataCollector.ps1 `
        -ArtifactsName <artifacts-name> `
        -DataCollectorVersion <data-collector-version> `
        -AzureSubscriptionId <azure-subscription-id> `
        -DataCollectorName <data-collector-name> `
        -SharePointAdminCenterURL <sharepoint-admin-center-url> `
        -ZCSPMApplicationId <zcspm-application-id>
        

If the ZCSPM API Key has expired, you can generate a new one at ZCSPM and update the data collector.

Related Articles

    • Onboarding a Microsoft 365 Account
    • Verifying the Cloud Account Health Status for Microsoft 365
    • Microsoft 365 Advanced Security Configuration Agent
    • Offboarding a Microsoft 365 Account