Onboard Microsoft 365 using the Microsoft API

How to onboard Microsoft 365 using the Microsoft API

This onboarding procedure for a Microsoft 365 API integration includes:
  • Specifying the connection method.
  • Enabling the Perception Point app, which grants the required access to your Microsoft 365 account.
  • Specifying who to protect [the plan].
  • Initiating the connection process.

To onboard Microsoft 365 using the Microsoft API:

  1. On the right of the "Advanced Email Security" banner, click the Add Services 
      
  1. Click Add A New Email Service, if this option appears.
  2. Select the Organization, if necessary.
  3. Specify the Escalation contacts.
  4. In Email Service, select Microsoft 365.
  5. In Connection Method, select Microsoft API.
    1. Inbound will be automatically selected. This configures "Advanced Email Security" to scan emails that are received from outside the organization.
    2. Outbound: [Optional] This configures "Advanced Email Security" to scan emails that are sent from inside the organization. This option appears only if outbound scanning is enabled. 
  6. Click ENABLE M365 APP - in the bottom right corner. [This is the remediation app.]
    Important: If the ENABLE M365 APP button is not enabled, make sure that you have specified an escalation contact above.
    1. A pop-up window opens, allowing you to sign in to your Microsoft account.
      Note: If the pop-up does not appear, make sure that pop-ups are not blocked on your computer.
    2. Sign in to your Microsoft account as a global admin.
      You will see a list of the permissions that are required by the "Advanced Email Security" app.
    3. Click Accept.
      The next step in the onboarding wizard appears.
                  
  1. Specifying who to protect [Microsoft 365 - API]
    [This is also known as the plan.]
    1. Protect the organization's entire Microsoft 365 account: Protects all email addresses in all the domains that are included in your organization's Microsoft 365 account.
      Note: Domains and email addresses that are added in the future to the organization's Microsoft 365 account will be protected.
    2. Protect the following entities only: Allows you to specify which domains, groups, and users [email addresses] to protect.
    Note:
      • After onboarding the Microsoft 365 - API integration, you can't change the set of users that are protected by "Advanced Email Security".
        Suggested workaround: To change the set of users that are protected, first off-board the API integration, and then on-board it again, with the required protection configuration.
      • You can specify a maximum of 300 assets [domains, groups, and users].
      • Specific domains: Protects only the domains that you specify. All users inside the specified domains will be protected.
        Note: Email addresses that are added in the future to any of the specified domains will also be protected.
      • Specific groups and users: Protects only the groups and users that you specify.
        Note:
        • Email addresses that you specify must be included in your Microsoft 365 account.
        • Groups must be email groups.
        • Email addresses that are added in the future to any of the specified groups will also be protected.
      • Specific domains, groups and users: Protects all the domains, groups, and users that you specify.
        Note:
        • Email addresses that you specify must be included in your Microsoft 365 account.
        • Groups must be email groups.
        • Email addresses that are added in the future to any of the specified groups will also be protected.
        Note about future changes:
        • Domains that are added to your Microsoft 365 account in the future will not be protected.
        • Email addresses that are added to any of the specified domains or groups in the future will also be protected.
        • Email addresses that are added to your Microsoft 365 account [outside of the specified domains and groups] in the future will not be protected.
      Note: After you have specified a set of entities to protect, and completed the onboarding process, if you want to modify the set, contact Perception Point Support [support@perception-point.io].
  2. [This step may not appear] Select where spam emails will be moved (the user's Inbox or the Junk folder) if spam emails are not configured to be quarantined.
    • Inbox: The email is sent to the user's Inbox. This setting is typically used for PoC installations - not for production installations.
    • Junk: The email is sent to the user's Junk folder. This setting is typically used in production installations - not in PoC installations.
      This setting can be changed after on-boarding. For details, see Configuring spam remediation below.
  3. Click Next. A summary of your selected configurations will be displayed.
      
  1. Review the configurations, and then click Done. This will begin the connection process to protect the users that you specified above. This connection process may take a while to complete.

     

  1. Click the blue Microsoft 365 link [see graphic above] to open the Account > Channels page - where you can monitor the API connection status.

      

    • Connection start time: The time that the connection process was started.
    • Completion time: The time that the connection process was completed.
    • Total no. of users in plan: The number of users included in the plan. This is the maximum number of users that will be protected when the connection process is complete. This excludes invalid users in the plan.
    • Protected users: The number of users that are already protected by "Advanced Email Security".
    • Non-supported users (on-prem): The number of Microsoft Exchange users that are included in the plan that you specified. These users will not be protected by "Advanced Email Security". You can export a .csv file that contains a list of these users. This value is applicable in "Microsoft 365 - Exchange" hybrid environments.
    • Currently non-operative users: The number of users that are included in the plan that you specified, but for whom "Advanced Email Security" was not able to add protection during the connection process. You can export a .csv file that contains a list of these users.

      This information will be displayed for 30 days after the connection process is completed. When the In Progress indicator changes to Completed, the users included in the plan will be protected.
  1. If you want to configure this Microsoft 365 integration to operate in monitoring mode, continue with Monitoring Mode below.
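
Because the protected set cannot be changed after onboarding without off-boarding first, it is worth checking a plan against the rules in "Specifying who to protect" before clicking Done. The following Python is an added example, not Perception Point code: it applies the page's rules (300-asset limit, specified addresses must exist in the account, domain/group/user scoping) to a constructed directory. The `Plan` class, the function names, the sample addresses and the exact-match domain comparison are assumptions.

```python
from dataclasses import dataclass, field

MAX_ASSETS = 300  # limit stated on the page: domains + groups + users

@dataclass
class Plan:
    domains: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    users: set = field(default_factory=set)

def validate(plan, directory):
    """Return the problems that make a plan invalid under the page's rules."""
    problems = []
    total = len(plan.domains) + len(plan.groups) + len(plan.users)
    if total > MAX_ASSETS:
        problems.append(f"{total} assets exceeds the limit of {MAX_ASSETS}")
    for user in sorted(plan.users):
        if user.lower() not in directory:
            problems.append(f"{user} is not in the Microsoft 365 account")
    return problems

def coverage(plan, directory):
    """Split mailboxes into (protected, unprotected) sorted address lists."""
    domains = {d.lower() for d in plan.domains}
    users = {u.lower() for u in plan.users}
    protected, unprotected = [], []
    for address, groups in directory.items():
        in_scope = (
            address.rsplit("@", 1)[-1] in domains  # exact domain match (assumed)
            or address in users
            or bool(groups & plan.groups)  # member of a listed email group
        )
        (protected if in_scope else unprotected).append(address)
    return sorted(protected), sorted(unprotected)

# Constructed sample tenant: lowercase address -> email groups it belongs to.
DIRECTORY = {
    "ceo@contoso.example": {"execs@contoso.example"},
    "dev@contoso.example": set(),
    "ap@fin.contoso.example": set(),
    "temp@newco.example": set(),
}
# Constructed plan; ghost@ is deliberately absent from the tenant.
PLAN = Plan(domains={"fin.contoso.example"}, groups={"execs@contoso.example"},
            users={"dev@contoso.example", "ghost@contoso.example"})

if __name__ == "__main__":
    print(validate(PLAN, DIRECTORY))
    print(coverage(PLAN, DIRECTORY))
```

Re-running `coverage` against an updated directory shows the page's "future changes" behaviour: a new mailbox in a listed domain lands in the protected list, while a mailbox in a newly added domain does not.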

Monitoring Mode

Important [for integrations in monitoring mode only]
Note: In monitoring mode [also known as passive mode], "Advanced Email Security" will not quarantine any malicious emails or route spam to junk boxes.
To complete the API integration in monitoring mode, perform these steps:
  1. Open the Account > Channels page.
  2. On the right, click Default Channel Settings.
  3. Click Edit 
  4. Under Detection, clear the Malicious, Restricted, and Spam check boxes.
  5. Click Save.
  6. Contact Perception Point Support [support@perception-point.io] and inform them that you have onboarded a Microsoft 365 API integration. Perception Point Support will complete the configuration.

Configuring spam remediation

Configuring a Microsoft 365 API integration includes specifying what happens to emails that are assigned a spam verdict [if spam emails are not configured to be quarantined]. The options are:
  • Inbox: The email is sent to the user's Inbox. This setting is typically used for PoC installations - not for production installations.
  • Junk: The email is sent to the user's Junk folder. This setting is typically used in production installations - not in PoC installations.
With the Microsoft 365 API integration, "Advanced Email Security" may move an email from the Inbox to the Junk folder after the email has initially arrived in the Inbox. The procedure is therefore referred to as "spam remediation".
When a Microsoft 365 API inbound integration is initially configured, the spam remediation is set to Junk.
Note: The "spam remediation" functionality will apply only if:
  • You don't have any contradicting rules in your Microsoft email account. For details, contact Perception Point Support [support@perception-point.io].
  • Spam emails are not configured to be quarantined. 
The spam remediation controls appear only if a Microsoft 365 API inbound integration is configured.

To change the spam remediation location:

  1. Open the Account > Channels page.
  2. On the right of Email Service > Microsoft 365, click Channel Settings. The "Email Service Settings" sidebar opens.
  3. Click Edit 
  4. Under Microsoft Account Settings, select Junk or Inbox.
      


