Manually Provisioning a SharePoint Online Delegate Account

Provision a SharePoint Online Delegate Account in Office 365 to allow Cloud App Security to scan files stored in SharePoint Online or OneDrive. Cloud App Security uses the Delegate Account to run advanced threat protection and data loss prevention scanning when files are updated.

Before Provisioning

Before you begin provisioning, follow these steps to make sure that the setting "Control access from apps that don't use modern authentication" is correctly configured in the Microsoft 365 admin center:

  1. Log on to the Microsoft 365 admin center with your Global Administrator account.
  2. Go to Admin centers > SharePoint from the left navigation.

    The SharePoint admin center page appears.

  3. Click access control, and then click Allow under Control access from apps that don't use modern authentication.
  4. Click OK, and then wait for around 30 minutes.

Creating a Delegate Account

Cloud App Security uses a single SharePoint Online Delegate Account for both SharePoint Online and OneDrive. If you have already manually provisioned the Delegate Account for one of the two services, you do not need to create a Delegate Account and change the Delegate Account password again. Go directly to Verifying the Delegate Account and Managing SharePoint Online Site Collections or Managing OneDrive Site Collections based on which service you are manually provisioning at the moment.

Note:

Creating a Delegate Account can fail due to an internal Office 365 issue. If this should occur, try again in a few hours or in twenty-four hours.

  1. Log on to the Microsoft 365 admin center with your Global Administrator account.
  2. Go to Users > Active users from the left navigation, and then click Add a user.

    The New user screen appears.

  3. Specify the following account information and then click Add.
    • Display name and User name of the delegate account.

    • Password: Keep the default setting.

    • Roles: Keep the default setting.

    • Product licenses: Turn on Create user without product license by moving the slider to the right.

  4. Record the Delegate Account user name and password.
  5. Click Close.

Changing the Delegate Account Password

  1. Sign in to Office 365 using the new Delegate Account credentials.
  2. Click the settings icon and then Password, and on the change password screen, change the temporary Delegate Account password to a permanent one.
  3. Click submit.

    The Delegate Account can now be used to log on to Office 365.

Verifying the Delegate Account

  1. Go back to the Delegate Account (Manually) tab on the Cloud App Security management console.
  2. Scroll down the instructions, and then specify the SharePoint Online Delegate Account credentials in the email address and password text boxes.
  3. Click Verify.

Managing SharePoint Online Site Collections

Complete this task if you license the SharePoint Online service.

  1. Log on to the Microsoft 365 admin center with your Global Administrator account.
  2. Go to Admin centers > SharePoint from the left navigation.

    The SharePoint admin center page appears.

  3. From the left navigation, click site collections.
  4. Add site collections.

    Repeat this procedure to add additional site collections.

    1. Select one URL to protect.
    2. From the banner on the upper area, go to Owners > Manage Administrators.
    3. In the Site Collection Administrators text box at the bottom, specify an existing Delegate Account and then click the account check icon to verify its identity.
      • To find a Delegate Account, click the address book, select Tenant, and then click the magnifying glass to look for existing accounts.

      • To create a Delegate Account, see Creating a Delegate Account.

    4. Click OK.
  5. Go back to the Delegate Account (Manually) tab on the Cloud App Security management console, scroll down to the bottom, add the SharePoint Online site collection URLs to protect one by one in the URL text box, and then click Add.
  6. Click Submit.
  7. Hover over the ring icon in the upper-right corner of the management console.

    If the message "SharePoint Online protected." appears on the Notifications screen, the provisioning is successful.

Managing OneDrive Site Collections

Complete this task if you license the OneDrive service.

  1. Log on to the Microsoft 365 admin center with your Global Administrator account.
  2. Go to Admin centers > SharePoint from the left navigation.

    The SharePoint admin center page appears.

  3. From the left navigation, click user profiles.
  4. Add site collections.

    Repeat this procedure to add other site collections.

    1. Under People, click Manage User Profiles.
    2. Find user profiles by specifying a user name in the Find profiles search box.
    3. Right-click the profile and select Manage site collection owners.
    4. In the Site Collection Administrators text box at the bottom, specify an existing Delegate Account and then click the user check icon to verify the identity.
      • To find a Delegate Account, click the address book, select Tenant, and then click the magnifying glass to look for existing accounts.

      • To create a Delegate Account, see Creating a Delegate Account.

    5. Click OK.

      The Delegate Account is successfully added to the Site Collection Administrators.

  5. Go back to the Delegate Account (Manually) tab on the Cloud App Security management console, scroll down to the bottom, and then click Submit.
  6. Hover over the ring icon in the upper-right corner of the management console.

    If the message "OneDrive protected." appears on the Notifications screen, the provisioning is successful.
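
The state these procedures should leave behind can be checked from the SharePoint Online Management Shell. The script below is an added example, not part of the product documentation; the tenant URL, Delegate Account name, and site collection URLs are placeholders, and it assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator sign-in.

```powershell
# Added example: audit what the manual provisioning steps configured.
# All names below are placeholders (assumptions), not values from the product.
$AdminUrl      = 'https://contoso-admin.sharepoint.com'    # placeholder tenant admin URL
$DelegateLogin = 'cas-delegate@contoso.onmicrosoft.com'    # placeholder Delegate Account
$ProtectedUrls = @(                                        # placeholder URLs entered in the console
    'https://contoso.sharepoint.com/sites/finance',
    'https://contoso.sharepoint.com/sites/hr'
)

Connect-SPOService -Url $AdminUrl

# "Control access from apps that don't use modern authentication" = Allow
# appears on the tenant object as LegacyAuthProtocolsEnabled = $true.
$legacyAllowed = (Get-SPOTenant).LegacyAuthProtocolsEnabled
"Legacy authentication allowed: $legacyAllowed"

# 1. Every site collection listed for protection should show the
#    Delegate Account as a site collection administrator.
$report = foreach ($url in $ProtectedUrls) {
    try {
        $user   = Get-SPOUser -Site $url -LoginName $DelegateLogin -ErrorAction Stop
        $status = if ($user.IsSiteAdmin) { 'Admin' } else { 'NotAdmin' }
    }
    catch {
        # Get-SPOUser throws when the account is not on the site or the
        # signed-in admin cannot read the site; keep the error text.
        $status = "Unknown: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Site = $url; DelegateAccount = $DelegateLogin; Status = $status }
}
$report | Format-Table -AutoSize

# 2. Least-privilege check: SharePoint site collections where the Delegate
#    Account is administrator but that are not on the protected list.
Get-SPOSite -Limit All |
    Where-Object { $ProtectedUrls -notcontains $_.Url } |
    ForEach-Object {
        $site = $_.Url
        try {
            $u = Get-SPOUser -Site $site -LoginName $DelegateLogin -ErrorAction Stop
            if ($u.IsSiteAdmin) { "Delegate Account is admin outside the protected list: $site" }
        }
        catch { }   # account absent from the site, or site not readable by the auditor
    }
```

The second check covers SharePoint Online site collections only; OneDrive sites are excluded because `Get-SPOSite` omits personal sites unless `-IncludePersonalSite $true` is passed.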