Automatically Provisioning a SharePoint Online Delegate Account

During provisioning, Cloud App Security allows you to synchronize:

  • All SharePoint site collections and/or OneDrive users and groups of your organization

  • Certain SharePoint site collections and/or OneDrive users of your organization for testing purposes


Use the same method when provisioning a service account for Exchange Online, SharePoint Online, and OneDrive for Business: either synchronize all targets or synchronize certain targets.

When a service account is provisioned with only certain targets synchronized, Cloud App Security does not support manual or scheduled synchronization.

To synchronize all targets after provisioning a service account with certain targets synchronized, remove the service account in Administration > Service Account and re-provision a service account to synchronize all targets.

The following steps describe how to provision a Delegate Account for SharePoint Online from Dashboard.

  1. Log on to the Cloud App Security management console.
  2. Hover over SharePoint Online or OneDrive for Business and click Provision.

    The Automatically tab on the Accessing Microsoft SharePoint Online Account Information screen appears by default.

  3. Specify the Global Administrator credentials (email address and password) and click Verify.

    Trend Micro does not save the Global Administrator credentials. They are used only once to provision the necessary Delegate Accounts.

  4. Optionally select the Promote all Delegate Accounts to the Global Administrator admin role check box.

    Selecting this check box grants the Delegate Accounts Global Administrator privileges, so changes are synchronized automatically.

    Clearing this check box leaves the Delegate Accounts with Service Administrator privileges, so you must supply Global Administrator credentials every time you want to synchronize changes.

  5. Select at least one service to protect, for example, SharePoint Online or OneDrive for Business.
  6. Select to synchronize all or selected targets during provisioning.

    SharePoint Online: SharePoint site collections of your organization

    OneDrive for Business: OneDrive users of your organization that have OneDrive sites

    • Select Synchronize all targets and go to Step 7.

    • Select Synchronize selected targets and click Next.

      If you selected SharePoint Online, then perform the following:

      1. Sign in to Microsoft Office 365 Admin Center with your Global Administrator account, and go to Admin centers > SharePoint > site collections from the left navigation.

      2. Verify and add the URLs to protect one by one by copying a URL, pasting it into the text box, and clicking Add.

        You can add a maximum of 100 site collection URLs.

      3. Optionally select the URLs one by one to remove them.

      4. Go to Step 7.

      If you selected OneDrive for Business, then perform the following:

      1. In the Available Targets area that appears, specify individual users or select users from groups.

        • By User: specify the exact user principal name of a user having OneDrive sites and press Enter to verify and display the user name.

        • By Group: specify at least the first three characters of the group name and press Enter to search for and display the group(s).

      2. Select the user(s) and click the arrow button to add them to the Selected Targets area.

        You can synchronize a maximum of 100 users.

      3. Optionally select one or multiple users in the Selected Targets area and click the arrow button to remove them.

      4. Go to Step 7.

      If you selected SharePoint Online and OneDrive for Business, then perform the following:

      Perform all the steps specified above for SharePoint Online and for OneDrive for Business.

  7. Click Submit.
  8. Hover over the ring icon in the upper-right corner of the management console.

    If the message "SharePoint Online protected." or "OneDrive for Business protected." appears on the Notifications screen, the corresponding provisioning is successful.
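
The selected-targets option in Step 6 accepts at most 100 site collection URLs and 100 users, entered one at a time, so it helps to clean the intended scope before opening the console. The following pre-check is an added example, not Trend Micro code: the function names, the `tenant_host` parameter and the sample values are assumptions made for illustration, and the console still performs its own verification.

```python
from urllib.parse import urlsplit

MAX_TARGETS = 100  # per-list limit stated on this page (site collection URLs, users)


def site_key(url, tenant_host):
    """Normalize a site collection URL, or raise ValueError if it is out of scope."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError("not an https URL")
    if (parts.hostname or "").lower() != tenant_host.lower():
        raise ValueError("host is not the tenant's SharePoint host")
    # Assumption: paths are compared case-insensitively, ignoring a trailing slash.
    return "https://" + tenant_host.lower() + parts.path.rstrip("/").lower()


def upn_key(upn, tenant_host=None):
    """Lower-case a user principal name, or raise ValueError if it is not name@domain."""
    local, sep, domain = upn.rpartition("@")
    if not sep or not local or "." not in domain or any(c.isspace() for c in upn):
        raise ValueError("not a user principal name")
    return upn.lower()


def preflight(entries, normalize, tenant_host=None):
    """Split entries into (accepted, rejected) before entering them in the console."""
    accepted, rejected = [], []
    for entry in filter(None, map(str.strip, entries)):  # skip blank lines
        try:
            key = normalize(entry, tenant_host)
        except ValueError as err:
            rejected.append((entry, str(err)))
            continue
        if key in accepted:
            rejected.append((entry, "duplicate"))
        elif len(accepted) >= MAX_TARGETS:
            rejected.append((entry, "over the 100-target limit"))
        else:
            accepted.append(key)
    return accepted, rejected


# Constructed sample input; contoso.sharepoint.com is a placeholder tenant host.
SAMPLE_URLS = [
    "https://contoso.sharepoint.com/sites/Finance/",
    "https://CONTOSO.sharepoint.com/sites/finance",
    "http://contoso.sharepoint.com/sites/HR",
    "https://contoso.sharepoint.com.example.net/sites/Legal",
]
```

Call `preflight(SAMPLE_URLS, site_key, "contoso.sharepoint.com")` for site collections and `preflight(upns, upn_key)` for OneDrive users; every rejected entry carries the reason, so a site that would silently fall outside the protected scope is visible before provisioning.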