SaaS Security - Office 365 Email - Onboarding

Protecting Office 365 Email with Avanan requires a short integration process. During the process, Avanan will be granted access to the organizational Office 365 service, and the following steps will take place:

  1. Avanan will create the needed objects, including Mail-Flow rules, Filters, and Connectors.
  2. Avanan will start collecting emails and metadata. Avanan will collect information starting 14 days prior to the onboarding.

This guide explains how to onboard Office 365 Email using the automated process. The manual process is explained in this article.

Note - Avanan recommends using Automatic mode, which allows better maintenance and management and a smoother user experience. Before using Manual mode, contact Avanan Support to help resolve any issues raised with Automatic mode for onboarding.


  • Admin user for Microsoft Online.

Required Permissions

The following sections list the APIs and permissions that each Avanan app requires when installed for Office 365.

Office 365 Email

Azure Active Directory Graph

  • Directory.ReadWrite.All - Read and write directory data


  • Contacts.ReadWrite - Read and write contacts in all mailboxes
  • Exchange.ManageAsApp - Manage Exchange As Application
  • full_access_as_app - Use Exchange Web Services with full access to all mailboxes
  • Group.ReadWrite.All - Read and write all groups (preview)
  • Mail.ReadWrite - Read and write user mail
  • Mail.ReadWrite - Read and write mail in all mailboxes
  • Mail.ReadWrite.All - Read and write user and shared mail
  • Mail.ReadWrite.Shared - Read and write user and shared mail
  • Mail.Send - Send mail as a user
  • Mail.Send - Send mail as any user
  • Mail.Send.All - Send mail on behalf of others
  • Mail.Send.Shared - Send mail on behalf of others
  • MailboxSettings.ReadWrite - Read and write user mailbox settings
  • MailboxSettings.ReadWrite - Read and write all user mailbox settings

Microsoft Graph

  • Directory.AccessAsUser.All - Access directory as the signed in user
  • Group.ReadWrite.All - Read and write all groups
  • RoleManagement.ReadWrite.Directory - Read and write all directory RBAC settings
  • User.ReadWrite.All - Read and write all users' full profiles

Office 365 Management APIs

  • ActivityFeed.Read - Read activity data for your organization
  • ServiceHealth.Read - Read service health information for your organization

Onboarding Process

To start the Automated Onboarding process, follow the steps below:

  1. Based on portal status:
    • For new portals, the SaaS Onboarding Wizard will start automatically. Select Exchange Online and click Start.
    • For portals that have already completed an onboarding: Go to Configuration > SaaS Apps > Exchange Online, and click Start.
  2. An onboarding wizard will launch. Choose Automatic.
  3. The wizard will redirect to Microsoft Online login. Enter your Admin credentials.
  4. A ‘Permission Request’ dialog box will present the permissions needed by Avanan. Review and click Accept.
  5. The wizard will redirect back to Avanan Portal Dashboard and continue for a few more minutes (usually 10-15 minutes).
    You can monitor the onboarding progress by looking at the ‘Office 365’ SaaS processes indication in the Main Dashboard.
  6. Clicking the System Tasks in Audit Logs will present the wizard progress dialog.
  7. When the onboarding process is finished, Avanan will start importing users’ information and historic emails in the background.
  8. In case of a failure, the failure details appear in the System Tasks screen. Select the desired task and click on it.

Objects Created in Office 365

During the onboarding process, Avanan will create several objects in Office 365, including connectors, filters, and rules.

The created objects are described in the Manual Onboarding guide.


  • All users that are configured to be in Inline (protect) mode are added to user groups that Avanan manages, for outbound and incoming emails.
  • Some organizations set expiration policies on Microsoft 365 groups. When the Avanan user group expires, its users are no longer protected in inline mode. The group owner will get a notification prior to expiration and can extend the expiration date. Make sure that the group owner is valid and notifications are sent correctly.
  • If Avanan groups have expired, it is possible to restore the groups (within a time frame set by Microsoft). If group restoration or extension is unsuccessful, contact Avanan Support.
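
One way to catch the group-expiration problem described above before inline protection lapses, as an added example that is not Avanan's own tooling. It assumes a JSON export of groups from Microsoft Graph that includes `expirationDateTime` and, for each owner, `mail` and `accountEnabled`; the group names and addresses are constructed placeholders.

```python
"""Added example: flag Microsoft 365 groups whose expiry would end inline protection."""
import json
from datetime import datetime, timezone

# Constructed sample, shaped like a Microsoft Graph reply to
# GET /groups?$select=displayName,expirationDateTime&$expand=owners
# Assumption: the export carries mail and accountEnabled for each owner.
# Group names and addresses are placeholders, not real Avanan object names.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "example-inline-incoming",
     "expirationDateTime": "2024-07-10T00:00:00Z",
     "owners": [{"mail": "admin@example.com", "accountEnabled": True}]},
    {"displayName": "example-inline-outgoing",
     "expirationDateTime": "2024-09-30T00:00:00Z",
     "owners": [{"mail": "former.admin@example.com", "accountEnabled": False}]},
    {"displayName": "example-no-policy", "expirationDateTime": None, "owners": []},
]})

def parse_ts(value):
    """Parse a Graph ISO 8601 UTC timestamp such as 2024-07-10T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_groups(export_json, now, warn_days=30):
    """Return (group, issue) findings for groups at risk of expiring unnoticed."""
    findings = []
    for group in json.loads(export_json)["value"]:
        name = group["displayName"]
        expires = group.get("expirationDateTime")
        if not expires:
            continue  # no expiration policy applies to this group
        days_left = (parse_ts(expires) - now).days
        if days_left < 0:
            findings.append((name, "expired: restore the group"))
        elif days_left <= warn_days:
            findings.append((name, f"expires in {days_left} days: renew"))
        # Renewal notices go to owners, so a group with no usable owner
        # can expire without anyone being told.
        active = [o for o in group.get("owners", [])
                  if o.get("accountEnabled") and o.get("mail")]
        if not active:
            findings.append((name, "no enabled owner with a mailbox"))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 20, tzinfo=timezone.utc)  # fixed date for the sample
    for name, issue in audit_groups(SAMPLE_EXPORT, now):
        print(f"{name}: {issue}")
```

Run it on a schedule against a fresh export, filtered to the groups created during onboarding.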