Manually Provisioning a SharePoint Online Delegate Account

Provision a SharePoint Online Delegate Account in Microsoft Office 365 to allow Cloud App Security to scan files stored in SharePoint Online or OneDrive for Business. Cloud App Security uses the Delegate Account to run advanced threat protection and data loss prevention scanning when files are uploaded.

Note: To simplify provisioning, Trend Micro recommends automatically provisioning Delegate Accounts.

Before Provisioning

Before you begin provisioning, follow these steps to make sure that the "Control access from apps that don't use modern authentication" setting is correctly set in the Office 365 admin center:

  1. Go to Microsoft Office 365 Admin Center.
  2. Click the Admin icon on the home page.

    The Admin center page appears.

  3. Go to Admin centers > SharePoint from the left navigation.

    The SharePoint admin center page appears.

  4. Click access control, and then click Allow under Control access from apps that don't use modern authentication.
  5. Click OK, and then wait for around 30 minutes.

Creating a Delegate Account

Warning: Creating a Delegate Account can fail due to an internal Microsoft Office 365 issue. If this occurs, try again in a few hours or in twenty-four hours.

  1. Go to Microsoft Office 365 Admin Center.
  2. Click the Admin icon on the home page.

    The Admin center page appears.

  3. Go to Users > Active users from the left navigation, and then click Add a user.

    The New user screen appears.

  4. Specify the following account information and then click Add.
    • Display name and User name of the delegate account.

    • Password: Keep the default setting.

    • Roles: Keep the default setting.

    • Product licenses: Turn on Create user without product license by moving the slider to the right.

  5. Record the Delegate Account user name and password.
  6. Click Close.

Changing Delegate Account Password

  1. Sign in to Microsoft Office 365 using the new Delegate Account credentials.
  2. Click the settings icon and then Password, and on the change password screen, change the temporary Delegate Account password to a permanent one.
  3. Click submit.

    The Delegate Account can now be used to log on to Office 365.

Managing SharePoint Online Site Collections

Complete this task if you license the SharePoint Online service.

  1. Go to Microsoft Office 365 Admin Center and sign in with your Global Administrator account.
  2. Go to Admin centers > SharePoint from the left navigation.

    The SharePoint admin center page appears.

  3. From the left navigation, click site collections.
  4. Add site collections.

    Repeat this procedure to add additional site collections.

    1. Select one URL to protect.
    2. From the banner on the upper area, go to Owners > Manage Administrators.
    3. In the Site Collection Administrators text box at the bottom, specify an existing Delegate Account and then click the account check icon to verify its identity.
      • To find a Delegate Account, click the address book, select Tenant, and then click the magnifying glass to look for existing accounts.

      • To create a Delegate Account, see Creating a Delegate Account.

    4. Click OK.

Managing OneDrive Site Collections

Complete this task if you license the OneDrive for Business service.

  1. Go to Microsoft Office 365 Admin Center and sign in with your Global Administrator account.
  2. Go to Admin centers > SharePoint from the left navigation.

    The SharePoint admin center page appears.

  3. From the left navigation, click user profiles.
  4. Add site collections.

    Repeat this procedure to add other site collections.

    1. Under People, click Manage User Profiles.
    2. Find user profiles by specifying a user name in the Find profiles search box.
    3. Right-click the profile and select Manage site collection owners.
    4. In the Site Collection Administrators text box at the bottom, specify an existing Delegate Account and then click the user check icon to verify the identity.
      • To find a Delegate Account, click the address book, select Tenant, and then click the magnifying glass to look for existing accounts.

      • To create a Delegate Account, see Creating a Delegate Account.

    5. Click OK.

      The Delegate Account is successfully added to the Site Collection Administrators.
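
The settings made in the steps above can be read back before continuing. The following is an added example, not part of the Trend Micro procedure: a read-only check using the SharePoint Online Management Shell. The tenant URL, Delegate Account name, and site collection URLs are placeholders, and the mapping of the access control setting to the LegacyAuthProtocolsEnabled tenant property is this example's assumption.

```powershell
# Added example: read-only check, makes no changes to the tenant.
# Requires the Microsoft.Online.SharePoint.PowerShell module.
# All values below are placeholders; replace them with your own.
$AdminUrl = 'https://contoso-admin.sharepoint.com'     # placeholder admin URL
$Delegate = 'cas-delegate@contoso.onmicrosoft.com'     # placeholder Delegate Account
$SiteUrls = @(                                         # placeholder URLs to protect
    'https://contoso.sharepoint.com/sites/finance',
    'https://contoso-my.sharepoint.com/personal/user1_contoso_onmicrosoft_com'
)

Connect-SPOService -Url $AdminUrl   # interactive administrator sign-in

# "Control access from apps that don't use modern authentication" = Allow
# is read here from the tenant property LegacyAuthProtocolsEnabled.
$legacyAllowed = (Get-SPOTenant).LegacyAuthProtocolsEnabled

$results = foreach ($url in $SiteUrls) {
    try {
        $user = Get-SPOUser -Site $url -LoginName $Delegate -ErrorAction Stop
        $status = if ($user.IsSiteAdmin) { 'SiteCollectionAdmin' } else { 'NotAdmin' }
    } catch {
        # Raised when the account is not present on the site collection,
        # or when the signed-in administrator cannot read it.
        $status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Site = $url; Delegate = $Delegate; Status = $status }
}

"Apps without modern authentication allowed: $legacyAllowed"
$results | Format-Table -AutoSize -Wrap

# Flag anything that would make verification in Cloud App Security fail.
$missing = @($results | Where-Object { $_.Status -ne 'SiteCollectionAdmin' })
if (-not $legacyAllowed -or $missing.Count -gt 0) {
    Write-Warning 'Provisioning prerequisites are not met; review the rows above.'
}
```

Running the same check periodically shows which site collections the Delegate Account still administers, which is useful when reviewing the scope of this account.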

Adding the Delegate Account and Site Collection URLs to Cloud App Security

  1. Go back to the Cloud App Security management console.
  2. Go to Dashboard, hover over the SharePoint Online service name, and click Provision. Or, go to Administration > Service Account, click Add, and then select Office 365.
  3. Click the Manually tab and then SharePoint/OneDrive, scroll down the instructions, and specify the SharePoint Online Delegate Account credentials.
  4. Click Verify.
  5. Scroll down the instructions, add the SharePoint Online site collection URLs to protect, and click Add.
  6. Scroll down the instructions, select the service(s) to protect, and click Submit.
  7. Hover over the ring icon in the upper-right corner of the management console.

    If the messages "SharePoint Online protected." and "OneDrive for Business protected." appear on the Notifications screen, the provisioning is successful.