Provisioning a SharePoint Online Authorized Account

Cloud App Security supports using OAuth 2.0 to provision a service account (Authorized Account) for SharePoint Online. With the OAuth 2.0 framework, Cloud App Security uses an access token to obtain limited access on the Global Administrator's behalf to run advanced threat protection and data loss prevention scanning on files in the protected SharePoint sites of your organization.

The following steps describe how to provision an Authorized Account for SharePoint Online from the Dashboard.

  1. Log on to the Cloud App Security management console.
  2. Hover over SharePoint Online and click Provision.

    The Provision Service Account for SharePoint Online screen appears.

  3. On the Authorized Account tab, click Click here at the end of Step 1.

    The Microsoft logon screen appears.

  4. Specify your Office 365 Global Administrator credentials and click Sign in.

    The Microsoft authorization screen appears.

  5. Click Accept to grant Cloud App Security the permission to use the Graph API to access all domains under the tenant associated with the specified Global Administrator.
  6. Go back to the Cloud App Security management console as instructed and click Click here at the end of Step 2.

    The Microsoft authorization screen appears.

  7. Click Accept to grant Cloud App Security the permission to access all SharePoint site collections under the domains.
  8. Go back to the Cloud App Security management console as instructed and click Click here at the end of Step 3.

    The Microsoft authorization screen appears.

  9. Click Accept to grant Cloud App Security the permission to access resources in all SharePoint sites.
  10. Go back to the Cloud App Security management console as instructed.

    Cloud App Security assigns an App Id for SharePoint Online, which is used for the permission request in the SharePoint admin center in the next step. Copy the App Id from the screen and paste it in sub-step 4 of step 11 as instructed.

    If you decide to perform Step 11 later, you can find the App Id under the corresponding Authorized Account from Administration > Service Account.

  11. Perform the following steps to grant Cloud App Security permissions to receive notifications from Microsoft upon any change to the files on your SharePoint sites.
    1. Log on to the Microsoft 365 admin center with your Global Administrator account.
    2. Go to Admin centers > SharePoint from the left navigation.

      The SharePoint admin center page appears.

    3. In the address bar, change the SharePoint admin center URL to {sharepoint_admin_site}/_layouts/15/AppInv.aspx and then open the URL. For example, change https://example-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/home to https://example-admin.sharepoint.com/_layouts/15/AppInv.aspx.
    4. On the screen that appears, copy and paste the App Id assigned in step 10 in the App Id field and then click Lookup.

      The Title field is automatically filled.

    5. Copy and paste tmcas.trendmicro.com in the App Domain field.
    6. Copy and paste the following information in the Redirect URL field based on your serving site.

      | Serving Site              | Redirect URL                                          |
      |---------------------------|-------------------------------------------------------|
      | EU                        | https://admin-eu.tmcas.trendmicro.com/provision.html  |
      | UK                        | https://admin.tmcas.trendmicro.co.uk/provision.html   |
      | Japan                     | https://admin.tmcas.trendmicro.co.jp/provision.html   |
      | US                        | https://admin.tmcas.trendmicro.com/provision.html     |
      | Australia and New Zealand | https://admin-au.tmcas.trendmicro.com/provision.html  |
      | Canada                    | https://admin-ca.tmcas.trendmicro.com/provision.html  |
      | Singapore                 | https://admin.tmcas.trendmicro.com.sg/provision.html  |
      | India                     | https://admin-in.tmcas.trendmicro.com/provision.html  |

    7. Copy and paste the following information in the Permission Request XML field:
      <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Manage" />
      </AppPermissionRequests>
    8. Click Create, and on the screen that appears, click Trust It.

      The SharePoint admin center page appears.

    9. Change the SharePoint admin center URL to {sharepoint_admin_site}/_layouts/15/TA_AllAppPrincipals.aspx and then open the URL to verify the permission.

      If an item for Trend Micro Cloud App Security appears, the permission is successfully granted.

  12. Go back to the Cloud App Security management console and click Submit.

    Cloud App Security then updates the SharePoint Online data in your organization. The time required depends on how much data you have in SharePoint Online.

  13. Hover over the ring icon in the upper-right corner of the management console.

    If the message "SharePoint Online protected." appears on the Notifications screen, the provisioning is successful.
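
A pre-flight check for the values pasted into AppInv.aspx in step 11, as an added example that is not part of the original documentation or the vendor's tooling; the function names `layouts_url` and `check_form` are hypothetical. Because the request grants app-only Manage rights over the whole tenant, it reports any deviation from the documented App Domain, Redirect URL, or Permission Request XML before you click Trust It.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Values below are copied from step 11 of this page.
APP_DOMAIN = "tmcas.trendmicro.com"
REDIRECT_URLS = {
    "EU": "https://admin-eu.tmcas.trendmicro.com/provision.html",
    "UK": "https://admin.tmcas.trendmicro.co.uk/provision.html",
    "Japan": "https://admin.tmcas.trendmicro.co.jp/provision.html",
    "US": "https://admin.tmcas.trendmicro.com/provision.html",
    "Australia and New Zealand": "https://admin-au.tmcas.trendmicro.com/provision.html",
    "Canada": "https://admin-ca.tmcas.trendmicro.com/provision.html",
    "Singapore": "https://admin.tmcas.trendmicro.com.sg/provision.html",
    "India": "https://admin-in.tmcas.trendmicro.com/provision.html",
}
DOC_XML = (
    '<AppPermissionRequests AllowAppOnlyPolicy="true">'
    '<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Manage" />'
    '</AppPermissionRequests>'
)
EXPECTED_GRANTS = {("http://sharepoint/content/tenant", "Manage")}


def layouts_url(admin_url, page="AppInv.aspx"):
    """Rewrite any SharePoint admin center URL to a /_layouts/15/ page on the same host."""
    parts = urlsplit(admin_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https SharePoint admin center URL")
    return f"https://{parts.hostname}/_layouts/15/{page}"


def check_form(serving_site, app_domain, redirect_url, permission_xml):
    """Return a list of deviations from the documented AppInv.aspx form values."""
    problems = []
    if app_domain != APP_DOMAIN:
        problems.append(f"App Domain is {app_domain!r}, expected {APP_DOMAIN!r}")
    if redirect_url != REDIRECT_URLS.get(serving_site):
        problems.append(f"Redirect URL does not match serving site {serving_site!r}")
    root = ET.fromstring(permission_xml)
    if root.tag != "AppPermissionRequests" or root.get("AllowAppOnlyPolicy") != "true":
        problems.append("root element or AllowAppOnlyPolicy differs from the documented XML")
    grants = {(r.get("Scope", ""), r.get("Right", "")) for r in root.iter("AppPermissionRequest")}
    problems += [f"unexpected grant: {g}" for g in sorted(grants - EXPECTED_GRANTS)]
    problems += [f"missing grant: {g}" for g in sorted(EXPECTED_GRANTS - grants)]
    return problems

if __name__ == "__main__":  # constructed input: broader Right, wrong region URL
    bad_xml = DOC_XML.replace("Manage", "FullControl")
    print(check_form("EU", APP_DOMAIN, REDIRECT_URLS["US"], bad_xml))
```

Pass `page="TA_AllAppPrincipals.aspx"` to `layouts_url` to build the verification URL used in the last sub-step of step 11.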