SaaS Detection and Response (SaaSDR) enables you to understand the compliance posture of your SaaS applications. For Office 365, you can validate your environment against CIS controls using SaaSDR.
The Center for Internet Security (CIS) publishes CIS Benchmarks for Office 365 that SaaSDR can validate. Several of these controls can only be validated with PowerShell commands executed in your Azure environment, so you also need to install the PowerShell Module (PM) in your Azure environment, as described in Step 4 below.
1) The instructions involve running a script that uses the Azure CLI. Please make sure you have the Azure CLI installed. If not, please follow the instructions here.
Install the Azure CLI
2) For Windows, ensure you have a bash terminal installed, for example Cygwin. This is used to execute the script to complete the install.
3) An active paid Microsoft Azure subscription, used to create a serverless deployment containing the following resources:
- Azure Function App
- Azure Storage Account
- Azure Key Vault
All these resources are created in a separate Azure resource group for easy management.
4) Ensure LegacyAuthProtocolsEnabled is enabled for SharePoint Online (it is enabled by default by Microsoft). It can be enabled from the SharePoint Online Management Shell with the following PowerShell command: Set-SPOTenant -LegacyAuthProtocolsEnabled $True. Be aware that this setting permits legacy (non-modern) authentication to SharePoint Online and is itself one of the settings the CIS benchmark checks, so record the value you change and review it once the connector is in place.
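The prerequisite above changes a tenant-wide authentication setting, so it is worth recording what the tenant looked like before the change and keeping a way to put it back. The following is an added example (not Qualys code) for the SharePoint Online Management Shell; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that $AdminUrl is your own tenant admin URL (the contoso value is a placeholder).

```powershell
# Added example: capture the current LegacyAuthProtocolsEnabled value, enable it
# only if it is off (as the SaaSDR prerequisite requires), and keep a function
# that restores the recorded value when the connector is no longer needed.
# Assumes the SharePoint Online Management Shell module is installed.
$AdminUrl  = "https://contoso-admin.sharepoint.com"          # placeholder; use your tenant admin URL
$StateFile = Join-Path $env:TEMP "spo-legacyauth-before.json" # where the pre-change value is recorded

Connect-SPOService -Url $AdminUrl

# Record the pre-existing value before touching anything.
$before = (Get-SPOTenant).LegacyAuthProtocolsEnabled
@{ LegacyAuthProtocolsEnabled = $before; RecordedAt = (Get-Date).ToString("o") } |
    ConvertTo-Json | Set-Content -Path $StateFile
Write-Host "LegacyAuthProtocolsEnabled before change: $before (saved to $StateFile)"

if (-not $before) {
    # This relaxes the tenant's authentication posture; it is done here only
    # because the SaaSDR PowerShell Module install requires it.
    Set-SPOTenant -LegacyAuthProtocolsEnabled $true
    Write-Host "Enabled legacy auth protocols for SharePoint Online."
} else {
    Write-Host "Legacy auth protocols were already enabled; nothing changed."
}

function Restore-SpoLegacyAuthSetting {
    # Puts the recorded value back, e.g. when the connector is retired.
    param([string]$Path = $StateFile)
    $saved = Get-Content -Path $Path -Raw | ConvertFrom-Json
    Set-SPOTenant -LegacyAuthProtocolsEnabled ([bool]$saved.LegacyAuthProtocolsEnabled)
    Write-Host "Restored LegacyAuthProtocolsEnabled to $($saved.LegacyAuthProtocolsEnabled)"
}
```

Run Restore-SpoLegacyAuthSetting from the same session (or dot-source the script later) once the connector is retired; the JSON state file is a simple audit trail of what was changed and when.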
Follow these steps to create a Office 365 Connector:
1) Create the application and get the Application ID and Application Key
2) Provide Application Permissions
3) Create Secret Key
4) Install the PowerShell Module
5) Create Connector in SaaSDR with Office 365 as application
Create an application in Azure Active Directory, then note its Application ID and Application Key.
1) Log on to the Microsoft Azure portal with admin privileges. Go to Azure Active Directory in the left navigation pane and select App registrations.
2) Click New registration and provide these details:
a. Name: Enter required name for the application (e.g. QualysSaaSDR).
b. Select option from Supported account types: Accounts in this organizational directory only (single tenant)
c. Redirect URI, as copied from the Qualys SaaSDR application (e.g. https://qualysguard.qualys.com/ssc/api/office/oauthcallback)
3) Click Register. The newly created application is displayed with its properties.
4) Copy the Application (client) ID; it is required when you create the connector later.
Grant the new application permission to access the Microsoft Graph API and the Office 365 Management APIs, then create a secret key.
1) Select the application that you created. Under Manage in the left navigation pane, select API permissions.
2) Click Add a permission > Select an API > Microsoft Graph and click Select.
3) Select Application permissions (not Delegated permissions), expand User, and select the following permissions:
4) Click Add permissions.
5) Click Add a permission > Select an API > Office 365 Management APIs and click Select.
6) Select Application permissions (not Delegated permissions) and select the following permissions:
7) Click Add permissions.
A confirmation notification “Permissions have changed. Users and/or admins will have to consent even if they have already done so previously.” is displayed on success.
1) Select the application that you created and go to Certificates & Secrets > New client secret.
2) Add a description and an expiry duration for the key and click Add. Choose a bounded expiry (the Azure portal no longer offers Never; the maximum is 24 months) and plan to rotate the key and update the connector before it expires.
3) The key's value appears in the Value field. This value is the Authentication Key you paste into the connector details.
Note: Copy the key value at this time as it cannot be retrieved later. You will need this later in the process.
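Steps 1 through 3 above can also be scripted, which makes the single-tenant setting, the redirect URI and the bounded secret lifetime reproducible instead of click-dependent. The following is an added example using the Microsoft Graph PowerShell SDK; it is not Qualys code and assumes the Microsoft.Graph module is installed and you hold a role that can create app registrations. The display name and redirect URI mirror the portal steps; the 12-month secret lifetime is a chosen value, not a Qualys requirement. API permissions and admin consent are still granted in the portal as described above, because the required permission list is not reproduced here.

```powershell
# Added example: create (or reuse) the single-tenant app registration for the
# SaaSDR connector and issue a client secret with a bounded expiry.
# Assumes: Microsoft.Graph PowerShell SDK installed; caller can consent to
# Application.ReadWrite.All.
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$displayName = "QualysSaaSDR"
$redirectUri = "https://qualysguard.qualys.com/ssc/api/office/oauthcallback"

# Reuse an existing registration with this name rather than creating duplicates.
$app = Get-MgApplication -Filter "displayName eq '$displayName'" | Select-Object -First 1
if (-not $app) {
    $app = New-MgApplication -DisplayName $displayName `
        -SignInAudience "AzureADMyOrg" `
        -Web @{ RedirectUris = @($redirectUri) }
    Write-Host "Created app registration '$displayName'."
} else {
    Write-Host "Reusing existing app registration '$displayName'."
}

# The Application (client) ID is what the connector calls "Application Id".
Write-Host "Application (client) ID: $($app.AppId)"

# Client secret with a bounded lifetime. The secret text is returned exactly
# once; store it in your secrets manager and paste it as the Authentication Key.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "SaaSDR connector $(Get-Date -Format yyyy-MM-dd)"
    EndDateTime = (Get-Date).AddMonths(12)   # chosen lifetime; rotate before this date
}
Write-Host "Authentication Key (expires $($cred.EndDateTime.ToString('u'))):"
Write-Host $cred.SecretText
```

Note that Add-MgApplicationPassword takes the application's object ID ($app.Id), not the Application (client) ID ($app.AppId); the connector needs the latter.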
1) The instructions involve running a script that uses the Azure CLI. Please make sure you have the Azure CLI installed. If not, please follow the instructions here:
Install the Azure CLI
2) For Windows, please ensure you have a bash terminal installed, for example Cygwin. This is used to execute the script to complete the install.
3) Download the qualys_azure_setup.zip file by clicking here. It contains the code for the Azure Functions that validate individual controls, and the installation script to be executed (qualys_azure_installation.sh).
After you have downloaded the zip file, follow the Install PowerShell Module instructions to complete this installation.
1) On the SaaSDR UI, go to Configuration > Connectors and click Create Connector.
2) Select Office 365 from the SaaS Application type drop-down option.
3) Provide the Application Id and Authentication Key received in the previous steps.
4) Enter the Function Name and Function Key that you fetched after installing the PowerShell Module in the previous steps.
5) Click Create Connector.
You are redirected to the application's login page, where you log in with administrator credentials (this user must be a Global Administrator to be able to grant access to the newly created application). Once the connector is created, it is listed under Configuration > Connectors, where you can check its status and other details.
Once the application is connected, a scan is initiated to pull metadata from the application. This may take some time to complete, depending on the number of resources to be cataloged in your application.