: Onboard a Microsoft Exchange App to SSPM
Focus
Focus

Onboard a Microsoft Exchange App to SSPM

Table of Contents

Onboard a Microsoft Exchange App to SSPM

Connect a Microsoft Exchange instance to SSPM to detect posture risks.
To detect posture risks in your Microsoft Exchange instance, SSPM connects to the instance by using information that you provide. Once SSPM connects, it scans the Microsoft Exchange instance for misconfigured settings and will continue to run scans at regular intervals.
There are two ways to onboard a Microsoft Exchange app, depending on how you want SSPM to scan your Microsoft Exchange instance. Review the following information about these two methods of scanning to decide which one you want SSPM to use. Before you onboard Microsoft Exchange to SSPM, there are certain actions you must take and certain information you must gather. These actions will differ depending on the method you choose.
  • You can onboard a Microsoft Exchange App for scans that use the Microsoft Graph API. To enable SSPM to access the Microsoft Graph API, you create a client application in Azure Active Directory (AD) with the necessary permissions, and allow access to the application to users in your organization. During onboarding, you will supply SSPM with Microsoft credentials for a user in the organization with the necessary permissions. You will also supply the Client ID of the Azure AD application. SSPM uses this information in a PowerShell call to connect to the Microsoft Graph API. The account that you use for onboarding cannot require MFA.
    This approach uses a published API.
  • You can onboard a Microsoft Exchange App for scans that use data extraction (also known as web scraping). To perform this data extraction, SSPM logs in to Microsoft Exchange by using an administrator account. You can have SSPM access the account directly or through the Okta or Microsoft Azure identity providers. If SSPM will be logging in to the administrator account directly, then the account cannot be configured for MFA. If SSPM will be accessing the account through Okta or Microsoft Azure, then MFA is required. During onboarding, you will provide SSPM with the administrator credentials. If SSPM will connect to the account through an identity provider, you will also specify the information that SSPM needs for MFA.
    This data-extraction approach scans more Microsoft Exchange settings compared to the Microsoft Graph API approach.