Grant Cloud App Security access to SharePoint Online with a Delegate Account to allow Cloud App Security to scan files stored in SharePoint Online or OneDrive. Cloud App Security uses the Delegate Account to run advanced threat protection and data loss prevention scanning when files are updated.

Before you start

Before you begin granting access, follow these steps to make sure that Control access from apps that don't use modern authentication is correctly set on the Microsoft 365 admin center:

Procedure

  1. Log on to the Microsoft 365 admin center with your Global Administrator account.
  2. Go to Admin centers > SharePoint from the left navigation.
    The SharePoint admin center page appears.
  3. Click access control, and then click Allow under Control access from apps that don't use modern authentication.
  4. Click OK, and then wait for around 30 minutes.
Cloud App Security uses a single SharePoint Online Delegate Account for both SharePoint Online and OneDrive. If you have already manually granted Cloud App Security access to one of the two services with the Delegate Account, you do not need to create a Delegate Account and change the Delegate Account password again. Go directly to Verifying the delegate account and Managing SharePoint Online site collections or Managing OneDrive site collections based on which service you are manually granting Cloud App Security access to at the moment.
Note
Creating a Delegate Account can fail due to an internal Microsoft 365 issue. If this should occur, try again in a few hours or in twenty-four hours.

Procedure

  1. Log on to the Microsoft 365 admin center with your Global Administrator account.
  2. Go to Users > Active users from the left navigation, and then click Add a user.
    The New user screen appears.
  3. Specify the following account information and then click Add.
    • Display name and User name of the delegate account.
    • Password: Keep the default setting.
    • Roles: Keep the default setting.
    • Product licenses: Turn on Create user without product license by moving the slider to the right.
  4. Record the Delegate Account user name and password.
  5. Click Close.

Procedure

  1. Sign in to Microsoft 365 using the new Delegate Account credentials.
  2. Click the settings icon and then Password, and on the change password screen, change the temporary Delegate Account password to a permanent one.
  3. Click submit.
    The Delegate Account can now be used to log on to Microsoft 365.

Procedure

  1. Go back to the Delegate Account (Manually) tab on the Cloud App Security management console.
  2. Scroll down the instructions, and then specify the SharePoint Online Delegate Account credentials in the email address and password text boxes.
  3. Click Verify.

Managing SharePoint Online site collections

Complete this task if you license the SharePoint Online service.

Procedure

  1. Log on to the Microsoft 365 admin center with your Global Administrator account.
  2. Go to Admin centers > SharePoint from the left navigation.
    The SharePoint admin center page appears.
  3. From the left navigation, click site collections.
  4. Add site collections.
    Repeat this procedure to add additional site collections.
    1. Select one URL to protect.
    2. From the banner on the upper area, go to Owners > Manage Administrators.
    3. In the Site Collection Administrators text box at the bottom, specify an existing Delegate Account and then click the account check icon to verify its identity.
      • To find a Delegate Account, click the address book, select Tenant, and then click the magnifying glass to look for existing accounts.
      • To create a Delegate Account, see Creating a delegate account.
    4. Click OK.
  5. Go back to the Delegate Account (Manually) tab on the Cloud App Security management console, scroll down to the bottom, add the SharePoint Online site collection URLs to protect one by one in the URL text box, and then click Add.
  6. Click Submit.
  7. Hover over the notification icon in the upper-right corner of the management console.
    If the message "SharePoint Online protected." appears on the Notifications screen, the access grant is successful.

Managing OneDrive site collections

Complete this task if you license the OneDrive service.

Procedure

  1. Log on to the Microsoft 365 admin center with your Global Administrator account.
  2. Go to Admin centers > SharePoint from the left navigation.
    The SharePoint admin center page appears.
  3. From the left navigation, click user profiles.
  4. Add site collections.
    Repeat this procedure to add other site collections.
    1. Under People, click Manage User Profiles.
    2. Find user profiles by specifying a user name in the Find profiles search box.
    3. Right-click the profile and select Manage site collection owners.
    4. In the Site Collection Administrators text box at the bottom, specify an existing Delegate Account and then click the user check icon to verify the identity.
      • To find a Delegate Account, click the address book, select Tenant, and then click the magnifying glass to look for existing accounts.
      • To create a Delegate Account, see Creating a delegate account.
    5. Click OK.
      The Delegate Account is successfully added to the Site Collection Administrators.
  5. Go back to the Delegate Account (Manually) tab on the Cloud App Security management console, scroll down to the bottom, and then click Submit.
  6. Hover over the notification icon in the upper-right corner of the management console.
    If the message "OneDrive protected." appears on the Notifications screen, the access grant is successful.
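
A read-only check for the two site collection procedures above, as an added example that is not part of the vendor's documentation: it reports the tenant-wide legacy authentication setting and lists every site collection (OneDrive included) where the Delegate Account's Site Collection Administrator status differs from the sites you intended to protect. It assumes the SharePoint Online Management Shell module is installed; the tenant URL, account name and site list are placeholders.

```powershell
# Added example: read-only audit, not vendor tooling.
# $AdminUrl, $Delegate and $Intended are placeholder values; replace with your own.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',
    [string]$Delegate = 'cas-delegate@contoso.onmicrosoft.com',
    [string[]]$Intended = @('https://contoso.sharepoint.com/sites/finance')
)

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# The "apps that don't use modern authentication" switch is tenant-wide.
$legacy = (Get-SPOTenant).LegacyAuthProtocolsEnabled
Write-Output "LegacyAuthProtocolsEnabled: $legacy"

# Normalize URLs so trailing slashes do not cause false mismatches.
$wanted = @($Intended | ForEach-Object { $_.TrimEnd('/') })

# Include OneDrive (personal) sites as well as SharePoint site collections.
$sites = Get-SPOSite -Limit All -IncludePersonalSite $true

$report = foreach ($site in $sites) {
    $url = $site.Url.TrimEnd('/')
    $state = 'NotAdmin'
    try {
        $user = Get-SPOUser -Site $url -LoginName $Delegate -ErrorAction Stop
        if ($user.IsSiteAdmin) { $state = 'Admin' }
    } catch {
        # Either the account is not a user of this site or the caller cannot read it.
        $state = 'NotFoundOrNoAccess'
    }
    $expected = $wanted -contains $url
    # Keep only mismatches between actual and intended admin rights.
    if (($state -eq 'Admin') -ne $expected) {
        [pscustomobject]@{
            Url      = $url
            State    = $state
            Expected = $expected
        }
    }
}

# Rows listed here need review: unexpected admin rights, or a protected site missing them.
$report | Sort-Object Url | Format-Table -AutoSize
```

An empty table means the Delegate Account is a Site Collection Administrator on exactly the intended sites. Rows with State `NotFoundOrNoAccess` should be rechecked in the admin center, because the script cannot tell a missing user from a site the caller cannot read.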