SaaS Security - Activating Office 365 Email

To protect Office 365 Mail, Avanan uses the AVANAN Cloud Security Platform - Emails V2 enterprise application, which is automatically added to your Microsoft Azure cloud platform.

As a prerequisite to activate Office 365, make sure you have these.

Activating Office 365 Email

To activate Office 365 Mail:

  1. From the Getting Started wizard, click Start for Office 365 Mail.
    or
    Navigate to Security Settings > SaaS Applications, and click Start.

  2. Select the mode of operation for Office 365.
    • Automatic mode
      Avanan automatically configures Office 365 emails to operate in Detect mode.

    • Manual mode
      You must manually perform the necessary configurations in the Office 365 Admin Exchange Center before you bind the application to your Office 365 email account and every time you add or edit the security policy associated with Office 365 emails. For more information, see Office 365 Manual Onboarding.

      Note - Avanan recommends using Automatic mode, which allows easier maintenance and management and a smoother user experience. Before using Manual mode, contact Avanan Support to help resolve any issues raised with Automatic mode for onboarding.
  3. Enable the I Accept Terms Of Service checkbox.
  4. If you need to limit the license consumption and protection to a specific group of users or to connect multiple Avanan tenants to the same Microsoft 365 account:
    1. Enable the Restrict inspection to a specific group (Groups Filter) checkbox and click OK.
    2. In the Office 365 Authorization window that appears, sign in as a user with Microsoft Global Administrator permissions.
    3. In the authorization screen, click Accept to grant permissions for AVANAN Cloud Security Platform - Emails V2 application.
      For details about the permissions required from Microsoft, see Office 365 Mail - Required Permissions.


    4. In the Office 365 Mail - Group Selection pop-up, select Specific group.
    5. Enter the group name you need to protect with Avanan.
      Notes:
      • The group name must have an associated email address.
      • Avanan supports these groups for group filtering:
        • Assigned Membership:
          • Microsoft 365 Group
          • Mail-enabled Security Group
          • Distribution List
        • Dynamic Membership:
          • Microsoft 365 Group
    6. If you need to connect multiple Avanan tenants to the same Microsoft 365 account, enable the Multiple portals will be connected to this Office 365 account checkbox.
      Caution - Before you enable the checkbox, see Connecting Multiple Avanan Tenants to the Same Microsoft 365 Account.

    7. Click OK.

Now, the Office 365 Mail SaaS is enabled and monitoring begins immediately.

You can monitor the onboarding progress by looking at the 'Office 365 Mail' SaaS processes indication in the Avanan Portal dashboard.

Note - After activating Office 365 Mail, Avanan performs a retroactive scan of its content. For more information, see Backward Scanning.

Note - By default, Monitor only mode is assigned to all the SaaS applications you connect. This allows you to immediately see the value that Avanan brings, as it recognizes security incidents that occurred earlier on your SaaS platform. To configure email protection, see Email Protection.

Objects Created in Office 365

During the onboarding process, Avanan will create several objects in Office 365, including connectors, filters, and rules.

The created objects are described in the Manual Onboarding guide.

Notes:

  • All users configured for Protect (Inline) mode are added to the Avanan-managed user groups for incoming and outgoing emails.
  • Some organizations set expiration policies on Microsoft 365 groups. When the Avanan user group expires, its users are no longer protected in inline mode. The group owner receives a notification before the expiration and can extend the expiration date. Make sure that the group owner is valid and that notifications are delivered correctly.
  • If the Avanan groups have expired, they can be restored within the time frame set by Microsoft. If group restoration or extension fails, contact Avanan Support.

For more information on the next steps, see Onboarding next steps.

For more information on managing licenses, see License Management.

Office 365 Mail - Required Roles and Permissions

Avanan needs these roles and permissions to secure all users and remediate all threats.

Required Permissions

Avanan requires the following permissions from Microsoft.

Note - Some of these permissions appear to be duplicates that serve the same functions. This is because they are permissions for different sets of Microsoft APIs, which are used in different scenarios and at times as backups for each other.

Permissions required from Office 365, and the functions performed by Avanan with each of them:

  • Manage Exchange As Application
    Used for Automatic mode setup. It is needed for PowerShell access to create items not available through API (Journal Entries/Connectors/Mail Flow Rules).

  • Access directory as the signed in user
  • Read and write directory data
    Used for these:
      • Mapping users to groups to properly assign policies to users.
      • Baselining the active users to detect impersonation attempts.
      • Mapping users to titles, departments and more to determine if a user is a VIP user or not.

  • Read activity data for your organization
    Used for these:
      • Getting user login events, Microsoft Defender events and others to present login activities and detect compromised accounts (Anomalies).
      • Getting Microsoft detection information to present for every email.

  • Read all audit log data
    Used for retrospective audit of login events to detect compromised accounts (Anomalies).

  • Read all applications
    Used to support the DLP workflow that triggers the Microsoft encryption.

  • Read and write all directory RBAC settings
    Used for these:
      • Automatic mode setup. It is needed for PowerShell access to create items not available through API (Journal Entries/Connectors/Mail Flow Rules).
      • (Reserved for future release) Used to allow administrators to disable users or reset their password.

  • Read and write all groups
  • Read and write all groups (preview)
    Used for mapping users to groups to properly assign policies to users.
    Groups are created and users are assigned to them to apply Protect (Inline) policy rules.

  • Read and write all users' full profiles
    Used for these:
      • Mapping users to groups to properly assign policies to users.
      • (Reserved for future release) Allow administrators to disable users or reset their password.

  • Read and write all user mailbox settings
    Used for continuously monitoring mailbox settings to detect indications of account compromise, such as MFA settings, forwarding rules and many more.

  • Read and write mail in all mailboxes
  • Read and write contacts in all mailboxes
    Used for baselining social graphs and communication patterns for accurate phishing detections.

  • Read and write user and shared mail
  • Read and write user mail
  • Use Exchange Web Services with full access to all mailboxes
    Used for these:
      • Enforcing Detect and Prevent policy rules, where emails are quarantined/modified post-delivery.
      • Allowing administrators to quarantine emails that are already in the users' mailboxes.
      • Baselining communication patterns as part of Learning Mode.
      • Retroactive scan of emails already in users' mailboxes immediately after onboarding.

  • Send mail as a user
  • Send mail as any user
  • Send mail on behalf of others
    Used for sending notifications to end-users in scenarios where SMTP delivery is technically not available. This includes phishing, malware and DLP notifications.

  • Read service health information for your organization
    Reserved for future releases.


Required Role - Global Administrator

Avanan uses the Global Administrator role to perform these tasks using several methods, including running PowerShell commands.

  • Initial onboarding - To configure Mail Flow Rules, Connectors, and additional elements for incoming, internal, and outgoing mail flow, as required to enforce the configured DLP, Threat Detection, and Click-Time Protection policies. For more information, see Automatic Mode Onboarding - Microsoft 365 Footprint.
  • Unified Quarantine - Filter information about emails quarantined by Microsoft and, if required, restore them from the Microsoft quarantine.
  • Track Microsoft Spam Policy - To determine what Microsoft would have done with every email, Avanan checks for updates in your configured Microsoft policy for every Spam confidence level (SCL).
  • Integration with Microsoft Encryption - To enable the integration with Microsoft Encryption to support DLP policy rules with the Email is allowed. Encrypted by Microsoft workflow. For more information, see Office 365 Email Encryption for Outgoing Emails.
  • Automated maintenance - To enhance troubleshooting capabilities and support infrastructure growth.
  • To support new features in the future.

Changing the Microsoft Application Role

After successfully onboarding the Office 365 Mail SaaS application to Avanan, the administrator can change the roles assigned to the Avanan application. To do that, the administrator must assign the Exchange Admin role to the application, along with any of these roles, which allow blocking users and resetting their passwords:

  • Authentication Admin
  • User Admin
  • Password Admin

Note - For users with higher privileges, these roles might not be able to block the user or reset the password. To view the roles that can block users or reset their passwords, see the Microsoft documentation.

To change the application role to Exchange Admin, do these:

  1. Add Avanan Cloud Security Platform - Emails V2 application to the Exchange Admin role and the additional user blocking role. For more information, see Microsoft documentation.
  2. Remove Avanan Cloud Security Platform - Emails V2 application from the Global Admin role. For more information, see Microsoft documentation.

Adding a New Domain to Microsoft 365

At times, organizations might add new domains to their Microsoft 365 account.

To provide continuous protection for the users in these domains using the Avanan portal, these users must not have policies with Protect (Inline) protection mode for the first 48 hours after the transition.

To do that:

  • For all the existing policies (Threat Detection, DLP, and Click-Time Protection) that are in Protect (Inline) protection mode, change the scope to exclude the users from the new domain.

  • For the users in the new domain, assign new policies with Detect and Remediate protection mode.

Note - After 48 hours from the transition, you can change the policy scope so that it protects all domains in the Protect (Inline) protection mode.

If you have any queries about how to apply these changes in the configuration, contact Avanan Support.

Connecting Multiple Avanan Tenants to the Same Microsoft 365 Account

Sometimes, administrators need to connect multiple Avanan tenants to the same Microsoft 365 account.
This might be needed to strictly segregate users, so that administrators of one tenant cannot read the emails, files, and messages of users in other tenants.

Use Case

  • Large global organization with different branch offices managed by different administrators
  • MSPs hosting multiple small customers on the MSP’s Microsoft 365 account

Limitations

  • If you activated the Office 365 Mail SaaS application in the past without following the procedure below, you cannot connect additional tenants to it.
    • To connect multiple Avanan tenants to the same Microsoft 365 account, you must disconnect the existing Office 365 Mail SaaS application from the tenant and connect it again.
  • By default, Avanan does not support connecting tenants from different regions to the same Microsoft 365 account. If you need this option to be enabled, contact Avanan Support.
  • Avanan does not support connecting tenants from different regions (US, EU, and AU) to the same Microsoft 365 account.
  • Each tenant must be restricted to a specific group of users (user group). These user groups must be mutually exclusive, and no user can be a member of two such groups.
  • Currently, Microsoft Teams can be enabled only for one tenant when connecting multiple Avanan tenants to the same Microsoft 365 account.
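The requirement above that each tenant's user group be mutually exclusive is easy to get wrong when groups are maintained by different branch administrators. The following added example (not Avanan tooling) checks an exported membership mapping before onboarding. It assumes you have already exported the members of the group filter chosen for each tenant into a tenant-to-members mapping (for example with Exchange Online PowerShell cmdlets such as Get-DistributionGroupMember or Get-UnifiedGroupLinks); the sample mapping in the block is constructed for the example.

```python
"""Pre-onboarding check for connecting multiple Avanan tenants to one
Microsoft 365 account (added example, not Avanan's own code).

Assumption: the caller supplies a mapping of tenant name -> set of
member email addresses of the group filter selected for that tenant.
"""
from itertools import combinations

# Constructed sample export: tenant name -> members of its group filter.
SAMPLE_GROUPS = {
    "emea-branch": {"alice@example.com", "bob@example.com", "Carol@example.com"},
    "apac-branch": {"dave@example.com", "erin@example.com", "carol@example.com"},
    "unrestricted-tenant": set(),  # no group filter assigned at all
}


def normalize(address):
    """Email addresses compare case-insensitively, so fold them once."""
    return address.strip().lower()


def find_overlaps(groups):
    """Return {(tenant_a, tenant_b): {shared users}} for every pair of tenants
    whose group filters share at least one member (the forbidden condition)."""
    norm = {t: {normalize(m) for m in members} for t, members in groups.items()}
    overlaps = {}
    for a, b in combinations(sorted(norm), 2):
        shared = norm[a] & norm[b]
        if shared:
            overlaps[(a, b)] = shared
    return overlaps


def find_unrestricted(groups):
    """Tenants without a group filter cannot share the Microsoft 365 account."""
    return sorted(t for t, members in groups.items() if not members)


def validate(groups):
    """Return a list of human-readable problems; an empty list means the
    tenants satisfy the restriction and mutual-exclusivity requirements."""
    problems = []
    for t in find_unrestricted(groups):
        problems.append(f"{t}: no group filter assigned; every tenant must be "
                        "restricted to a specific user group")
    for (a, b), shared in find_overlaps(groups).items():
        problems.append(f"{a} and {b}: users present in both groups: "
                        + ", ".join(sorted(shared)))
    return problems


if __name__ == "__main__":
    for line in validate(SAMPLE_GROUPS) or ["OK: group filters are mutually exclusive"]:
        print(line)
```

Run it against the real export before enabling the "Multiple portals will be connected to this Office 365 account" checkbox; fix any reported overlap in Microsoft 365 first, since Avanan does not resolve it for you.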

If you need assistance with onboarding, contact our Customer Success Management team at onboarding@avanan.com.

Connecting Multiple Avanan Tenants

To connect multiple Avanan tenants to the same Microsoft 365 account:

Note - Before connecting the tenants, see the Limitations above.

To activate Office 365 Mail:

  1. From the Getting Started wizard, click Start for Office 365 Mail.
    or
    Navigate to Security Settings > SaaS Applications, and click Start.

  2. Select the mode of operation for Office 365.
    • Automatic mode
      Avanan automatically configures Office 365 emails to operate in Detect mode.

    • Manual mode
      You must manually perform the necessary configurations in the Office 365 Admin Exchange Center before you bind the application to your Office 365 email account and every time you add or edit the security policy associated with Office 365 emails. For more information, see Office 365 Manual Onboarding.

      Note - Avanan recommends using Automatic mode, which allows easier maintenance and management and a smoother user experience. Before using Manual mode, contact Avanan Support to help resolve any issues raised with Automatic mode for onboarding.
  3. Enable the I Accept Terms Of Service checkbox.
  4. If you need to limit the license consumption and protection to a specific group of users or to connect multiple Avanan tenants to the same Microsoft 365 account:
    1. Enable the Restrict inspection to a specific group (Groups Filter) checkbox and click OK.
    2. In the Office 365 Mail - Group Selection pop-up, select Specific group.
    3. Enter the group name you need to protect with Avanan.
      Note - The group name must have an associated email address.
    4. If you need to connect multiple Avanan tenants to the same Microsoft 365 account, enable the Multiple portals will be connected to this Office 365 account checkbox.

    5. Click OK.
  5. In the Office 365 Authorization window that appears, sign in with your Microsoft administrator credentials.
    Note - Authentication is performed by Microsoft, and these credentials are not provided by Avanan.
  6. In the authorization screen, click Accept to grant necessary permissions to Avanan.
    For details about the permissions required from Microsoft, see Office 365 Mail - Required Permissions.
  7. The Office 365 Mail SaaS is enabled, and monitoring begins immediately.
    You can monitor the onboarding progress by looking at the 'Office 365 Mail' SaaS processes indication in the Avanan Portal dashboard.

Connecting Multiple Tenants to the Same Microsoft 365 Account - Microsoft 365 Footprint

As part of the connection to Microsoft 365, Avanan creates Mail Flow rules, Connectors, Journaling Rules and Groups.

As part of the automatic connection of multiple Avanan tenants to the same Microsoft 365 account, these artifacts will be created separately for each tenant, and their names will include a suffix that serves as a portal identifier.

The portal identifier is usually the name of the Avanan tenant in the Avanan Portal with spaces, dashes and all other special characters removed and all letters in lower case.

These artifacts will appear in your Microsoft 365 account once for every connected tenant:

  • Mail Flow Rules:
    • Avanan Protect – [portal identifier]
    • Avanan Protect Outgoing – [portal identifier]
  • Connectors
    • Avanan Journaling Outbound – [portal identifier]
    • Avanan Outbound – [portal identifier]
    • Avanan DLP Outbound – [portal identifier]
  • Journal rule
    • Avanan – Monitor – [portal identifier]
  • Groups – a Microsoft group is created for every portal
    • avanan_inline_incoming_[portal identifier]
    • avanan_inline_outgoing_[portal identifier]
  • Distribution list
    • avanan_inline_groups_[portal identifier]

Portal Identifier of Avanan Portal

The portal identifier of the Avanan portal is the starting URL of the Avanan portal excluding avanan.net.
For example, if the URL of the Avanan portal is myidentifier.avanan.net, then myidentifier is the portal identifier.
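The footprint list and the portal identifier rule above together define exactly which objects should exist in Microsoft 365 for each connected tenant, which makes a periodic reconciliation check worthwhile (a missing Mail Flow rule or inline group silently drops inline protection). The following added example (not Avanan's code) derives the identifier from the portal URL, builds the expected names for each connected portal, and reports what is missing from an exported list of object names. It assumes the names were exported from Exchange Online (for example with Get-TransportRule, Get-OutboundConnector, Get-JournalRule and Get-DistributionGroup); the sample export is constructed, and the comparison treats the dash variants and letter case in the names as equivalent because copies of the names differ in those details.

```python
"""Reconcile the per-tenant Avanan footprint in Microsoft 365
(added example, not Avanan's own code).

Assumptions: portal URLs are of the form <identifier>.avanan.net, and the
caller supplies {kind: [object names]} exported from Exchange Online.
"""
import re
from urllib.parse import urlparse

PORTAL_SUFFIX = ".avanan.net"


def portal_identifier(url):
    """'https://myidentifier.avanan.net/...' -> 'myidentifier'."""
    host = (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()
    if not host.endswith(PORTAL_SUFFIX) or host == PORTAL_SUFFIX.lstrip("."):
        raise ValueError(f"not an Avanan portal URL: {url}")
    return host[: -len(PORTAL_SUFFIX)]


def tenant_name_to_identifier(name):
    """Usual form of the identifier: the tenant name with spaces, dashes and
    other special characters removed, all letters lower-cased."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def expected_artifacts(pid):
    """Object names Avanan creates for one portal identifier, per kind."""
    return {
        "mail flow rule": {f"Avanan Protect – {pid}", f"Avanan Protect Outgoing – {pid}"},
        "connector": {f"Avanan Journaling Outbound – {pid}", f"Avanan Outbound – {pid}",
                      f"Avanan DLP Outbound – {pid}"},
        "journal rule": {f"Avanan – Monitor – {pid}"},
        "group": {f"avanan_inline_incoming_{pid}", f"avanan_inline_outgoing_{pid}"},
        "distribution list": {f"avanan_inline_groups_{pid}"},
    }


def _key(name):
    """Comparison key: case-insensitive, any dash variant with surrounding
    whitespace collapsed to a single hyphen."""
    return re.sub(r"\s*[-–—]\s*", "-", name.strip().lower())


def reconcile(portal_urls, observed):
    """Return {pid: {kind: [missing names]}} containing only the gaps."""
    seen = {kind: {_key(n) for n in names} for kind, names in observed.items()}
    gaps = {}
    for url in portal_urls:
        pid = portal_identifier(url)
        for kind, names in expected_artifacts(pid).items():
            missing = sorted(n for n in names if _key(n) not in seen.get(kind, set()))
            if missing:
                gaps.setdefault(pid, {})[kind] = missing
    return gaps


# Constructed sample: two connected portals; the "apac" tenant lost its
# journal rule and outgoing inline group (e.g. an expired group).
PORTALS = ["https://emea.avanan.net", "apac.avanan.net"]
OBSERVED = {
    "mail flow rule": ["Avanan Protect - emea", "Avanan Protect Outgoing - emea",
                       "Avanan Protect – apac", "Avanan Protect Outgoing – apac"],
    "connector": ["Avanan Journaling Outbound - emea", "Avanan Outbound - emea",
                  "Avanan DLP Outbound - emea", "Avanan Journaling Outbound - apac",
                  "Avanan Outbound - apac", "Avanan DLP Outbound - apac"],
    "journal rule": ["Avanan - Monitor - emea"],
    "group": ["avanan_inline_incoming_emea", "avanan_inline_outgoing_emea",
              "avanan_inline_incoming_apac"],
    "distribution list": ["avanan_inline_groups_emea", "avanan_inline_groups_apac"],
}

if __name__ == "__main__":
    for pid, kinds in reconcile(PORTALS, OBSERVED).items():
        for kind, names in kinds.items():
            print(f"{pid}: missing {kind}: {', '.join(names)}")
```

A gap in the "group" kind is the one to act on first: it is the symptom of the group expiration described earlier in this page, and while it persists the affected tenant's users are no longer in Protect (Inline) mode.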

Protecting Microsoft 365 Groups

When an email is sent to a Microsoft 365 Group, every member of the group receives the email, and the email is also available in the mailbox assigned to the Microsoft 365 Group.

When a malicious email is sent to a Microsoft 365 Group, Avanan detects and quarantines the malicious email from every group member's individual mailbox.

However, the malicious email gets quarantined from the Microsoft 365 Group mailbox only when the policy is set to Protect (Inline) mode.

Note - Avanan supports protecting these groups:

  • Microsoft 365 Groups
  • Mail-enabled Security Groups
  • Distribution groups