Automatically Provisioning a Delegate Account for SharePoint Online and OneDrive

Cloud App Security uses a single SharePoint Online Delegate Account for both SharePoint Online and OneDrive. If you want to protect both services, provision the Delegate Account under SharePoint Online and under OneDrive separately so that the required data about both services is added to the Delegate Account.

During provisioning, Cloud App Security allows you to synchronize:

  • All SharePoint site collections and/or OneDrive users and groups of your organization

  • Certain SharePoint site collections and/or OneDrive users of your organization for testing purposes

Important:

You need to use the same option when provisioning a service account for Exchange Online, SharePoint Online, and OneDrive: either synchronize all targets for every service, or synchronize certain targets for every service.

When a service account is provisioned with only certain targets synchronized, Cloud App Security does not support manual synchronization or scheduled synchronization.

The steps below detail how to provision a SharePoint Online Delegate Account from the Dashboard, first for SharePoint Online and then for OneDrive.

  1. Log on to the Cloud App Security management console.
  2. Perform the following steps to provision for SharePoint Online.
    1. Hover over SharePoint Online and click Provision.

      The Provision Service Account for SharePoint Online screen appears.

    2. Click the Delegate Account tab.
    3. Specify the Global Administrator credentials (email address and password) and click Verify.
      Important:

      Trend Micro does not save the Global Administrator credentials. They are used only once to provision the necessary Delegate Accounts.

    4. Optionally select the Promote all Delegate Accounts to the Global Administrator admin role check box.
      Note:

      Selecting this check box promotes the Delegate Accounts to the Global Administrator role, and changes are then synchronized automatically.

      Clearing this check box leaves the Delegate Accounts with Service Administrator privileges, and Global Administrator credentials are then required every time you want to synchronize changes.

    5. Choose whether to synchronize all or selected SharePoint site collections of your organization.
      • Select Synchronize all targets and go to Step 6 (Click Submit).

      • Select Synchronize selected targets and click Next.

        1. Sign in to Microsoft 365 admin center with your Global Administrator account, and go to Admin centers > SharePoint > site collections from the left navigation.

        2. Verify and add the URLs to protect one by one by copying a URL, pasting it into the text box, and clicking Add.

          Note:

          You can add a maximum of 100 site collection URLs.

        3. Optionally select the URLs one by one to remove them.

        4. Go to Step 6 (Click Submit).

    6. Click Submit.
    7. Hover over the notification icon in the upper-right corner of the management console.

      If the message "SharePoint Online protected." appears on the Notifications screen, the provisioning is successful.

  3. Perform the following steps to provision for OneDrive.
    1. Hover over OneDrive and click Provision.

      The Provision Service Account for OneDrive screen appears.

    2. Click the Delegate Account tab.
    3. Specify the Global Administrator credentials (email address and password) and click Verify.
    4. Optionally select the Promote all Delegate Accounts to the Global Administrator admin role check box.
    5. Choose whether to synchronize all or selected OneDrive users of your organization that have OneDrive sites.

      If the Delegate Account is already provisioned for SharePoint Online, this option is dimmed and unavailable because it follows what is selected during provisioning for SharePoint Online in Step 2.

      If the Delegate Account is not provisioned for SharePoint Online yet:

      • Select Synchronize all targets and go to Step 6 (Click Submit).

      • Select Synchronize selected targets and click Next.

        1. In the Available Targets area that appears, specify individual users or select users from groups.

          • By User: specify the exact user principal name of a user having OneDrive sites and press Enter to verify and display the user name.

          • By Group: specify at least the first three characters of the group name and press Enter to search for and display the group(s).

        2. Select the user(s) and click the arrow button to add them to the Selected Targets area.

          Note:

          You can synchronize a maximum of 100 users.

        3. Optionally select one or multiple users in the Selected Targets area and click the arrow button to remove them.

        4. Go to Step 6 (Click Submit).

    6. Click Submit.
    7. Hover over the notification icon in the upper-right corner of the management console.

      If the message "OneDrive protected." appears on the Notifications screen, the provisioning is successful.

If only some targets were selected to synchronize during provisioning, you can extend Cloud App Security protection to all targets under the corresponding service by manually synchronizing all targets:

  1. On the Notifications screen, click Extend to protect all your Office 365 service targets.

  2. On the screen that appears, view the instructions and click Submit.

  3. Go to Advanced Threat Protection or Data Loss Prevention, and open an ATP or DLP policy of each service you want to extend the protection to, that is, Exchange Online, SharePoint Online, or OneDrive.

  4. Select the General tab and click Click here to manually synchronize all your targets.

Note:

After clicking Submit, you can also wait until the next day instead of synchronizing manually, because Cloud App Security automatically synchronizes with your Office 365 environment once per day.