Help Center
News
Help Center
News
Popular
Architecture and High-level Information
Scans
Agents
How to Use Dashboards
How to Use Data Asset Inventory
How to Install\Uninstall and Set Up Spirion Sensitive Data Platform
How to Use Logs
How to Manage Users and Roles
Settings and Resources
Additional Resources
Reports
Reporting API
Customer Support Articles
How to Follow Data Through the Search PipelineEndpoint for Windows Configuration Reference GuideEndpoint Software Command Line InterfaceBasic Troubleshooting Steps (Enterprise Console)Endpoints or Results Fail to be Displayed in the ConsoleMongoDB and TLS 1.3SQL Client SQL Exception ErrorHow to Troubleshoot Spirion Client Search Failures and How to WhitelistCustomer Notice – Spirion Agent Update & Security Assessment for PostgreSQLHow to Enable Verbose/Debug Logging for the Endpoint ServiceHow can I monitor the status of a queue job?Can I monitor the job queue status automatically?Troubleshooting: "Unable to find job queue: search_queue"How to Verify the Discovery Agent's StatusHow to check if port 6433 is open on your networkWhat is the SDM Translator Service?How to Create a Single Tenant App for OneDrive and Exchange Online SearchesHow to Configure Spirion for Sybase DiscoveryHow to Use Certificates to Authenticate with SharePoint OnlineHow to Quarantine to a Remote Location Using Spirion Sensitive Data PlatformA Server Error has Occurred: How to use the Chrome Developer ToolsWhy doesn't my Oracle 19c Database scan?How to Enable Full Disk Access on a Mac AgentWhy is My Scan Node Running Out of Disk Space?What to do about Message Processing and Delays, also known as 'Lag,' in SpirionDetails About the Box API used by Spirion to Search Box AccountsHow to Build a Mac Package (PKG)How to Sanitize AgentsHow to Set User and Role AccessHow to Enable SSL Communication between Linux Agents and the Spirion ConsoleHow to Enable HTTPS for the Spirion ConsoleHow to Search BoxFAQ: How do I avoid being prompted to re-login to the Spirion console?Spirion Sensitive Data Platform Scan PerformanceHow to Authenticate to SharePoint On-PremiseHow to Configure Spirion Sensitive Data Platform to Connect to an Oracle DatabaseFAQ: Linux 12.5 Client Package Build WorkaroundTroubleshoot Exchange Online Using Microsoft Graph ExplorerFAQ: What to do when an agent will not start the discovery team scan?Required SQL Server PermissionsHow to Scan Microsoft Teams with Spirion Sensitive Data PlatformField Input Using Linux Machines Anti-virus Alerts Received during Spirion SearchVersion 13.6 MSI Installation Issues - Exe file not signedWhat are common firewall rules needed for distributed scans?
Release Notes

How to Create a Single Tenant App for OneDrive and Exchange Online Searches

Spirion now supports creating a single tenant app for the search of OneDrive and Exchange Targets in Sensitive Data Platform.

Overview

Spirion now supports creating an app for the search of Microsoft OneDrive and Exchange.

This enables Spirion Administrators to manage searching two locations with a single Entra App.

High-Level Steps

Before You Start

  • An Entra Administrator is needed to create the tenant app
  • The API permissions below are needed to scan BOTH OneDrive and Exchange Online.
  • All of these permissions are REQUIRED for Spirion Sensitive Data Platform agents to function properly. An explanation of these permissions can be found here
    • Directory.Read.All
    • Directory.ReadWrite.All
    • Files.ReadWrite.All
    • Mail.Read
    • Mail.ReadWrite
    • Sites.ReadWrite.All
    • User.Read.All
  • For instructions on how to create searches after authenticating Microsoft OneDrive and Exchange see How to Search OneDrive for Business.
  • Be sure to record both the Application ID and the Directory ID while creating the Azure App as they will be used in a later step.
  • Be sure to remove the User.Read permissions from the Azure app.

How to Create the Azure App

Use the following steps to create your Azure app:

  1. Log into: https://entra.microsoft.com/ 
    • NOTE: An administrator must perform all the steps below to create the single tenant app with the permissions required (for example, the permissions Spirion Sensitive Data Platform requires must have admin consent as shown in the steps below).
  3. In the Microsoft Entra admin center, from the left-side navigation menu select Enterprise apps, then All Applications under "Manage" on the right, and then click + New Application.

  4. The Browse Microsoft Entra Gallery page opens.
  5. Select the + Create your own application link in the top-middle of the page.

  6. In the field "What's the name of your app?" enter your application name and select the radio button Register an application to integrate with Entra ID (App you're developing).
  7. Click the Create button at the bottom of the page.

  8. The "Register an application" page opens.
  9. Select the radio button Accounts in this organizational directory only
  10. Click the Register button.

  11. From the left side navigation select the Enterprise apps entry.
  12. Select "All applications" under the "Manage" heading.
    1. In the search field on the right search for the app you just created.
    2. The app details appear in the window below the search field. 
    3. Note the application ID in the Application ID table column at far right, as this is required later. 
  14. Under the Name column click your app name, which is linked.

  15. The Azure app page opens.
  16. Under the "Security" heading click “Permissions.”

  17. Sign-in to portal.azure.com to assign permissions to your Azure app.  
    1. Search for the app name that was created in previous steps. 
    2. Choose the app that is labeled “Application”

    3. Note the Application ID, and Directory ID: these are required later in this procedure. 
    4. Select “API Permissions”

    5. Note that User.Read permissions are pre-assigned.  Remove this permission.

    6. Select the following action path: Add a permission > Microsoft Graph > Application permissions > Search for permission on the list below > Select each permission after searching > Add Permission
    7. NOTE: The list below are all of the “application” permissions that are needed to scan BOTH OneDrive and Exchange Online.  It is assumed that all of these are required for Sensitive Data Platform agents to function properly when searching these targets.  Explanations of these permissions are published by Microsoft here 
      • Directory.Read.All
      • Directory.ReadWrite.All
      • Files.ReadWrite.All
      • Mail.Read
      • Mail.ReadWrite
      • Sites.ReadWrite.All
      • User.Read.All

  19. After you’ve added all the permissions, your app resembles the screenshot below. Under the Status column, the status for all permissions should be “Not granted for the…..”

  20. Select “Grant Admin Consent” > Select Yes.  
    1. The status for each permission, displayed in the Status column, changes to “Granted…” 
    2. To understand what granting admin consent does, see the explanation published by Microsoft - Link


  22. Create a Client Secret
    1. Under Manage on the left side navigation menu, select “Certificates & secrets.”
    2. Next select Client Secrets > + New client secret.
    3. In the Description field, enter the client secret name.
    4. Enter a custom start and end date that creates a two year duration.
    5. Click the Add button at the bottom of the screen.
    6. Copy the value under the "Value" column shown in the second screenshot below.



Was this article helpful?

Powered by Product Fruits