SaaS Security - Activating Office 365 Email

Protecting Office 365 Email with Avanan requires an integration process. During the process, Avanan will be granted access to the organizational Office 365 service, and the following steps will take place:

  1. Avanan will create the needed objects, including Mail-Flow rules, Filters, and Connectors.
  2. Avanan will start collecting emails and metadata. Avanan will collect information starting 14 days prior to the onboarding.

This guide explains how to onboard Office 365 Email using the automated process. For information on the manual onboarding process, see Office 365 Manual Onboarding.


  • For more details about the minimum licenses required for the SaaS applications, see Minimum Requirements.
  • Avanan recommends using Automatic mode, which allows better maintenance, management, and a smoother user experience. Before using Manual mode, contact Avanan Support to help resolve any issues raised with Automatic mode onboarding.

Required Permissions

Avanan requires the following permissions from Microsoft.

Note - Some of these permissions appear to be duplicates that share the same functions. This is because they are permissions to different sets of Microsoft APIs that are used in different scenarios and, at times, as backup to each other.

Permissions required from Office 365, with the functions performed by Avanan:

Manage Exchange As Application

Used for Automatic mode setup. It is needed for PowerShell access to create items not available through API (Journal Entries/Connectors/Mail Flow Rules).

Access directory as the signed in user

Used for these:

  • Mapping users to groups to properly assign policies to users.
  • Baselining the active users to detect impersonation attempts.
  • Mapping users to titles, departments and more to determine if a user is a VIP user or not.
Read and write directory data
Read activity data for your organization

Used for these:

  • Getting user login events, Microsoft Defender events and others to present login activities and detect compromised accounts (Anomalies).
  • Getting Microsoft detection information to present for every email.
Read and write all directory RBAC settings

Used for these:

  • Automatic mode setup. It is needed for PowerShell access to create items not available through API (Journal Entries/Connectors/Mail Flow Rules).
  • (Reserved for future release) Used to allow administrators to disable users or reset their password.
Read and write all groups

Used for mapping users to groups to properly assign policies to users.

Groups are created and users are assigned to them to apply Protect (Inline) policy rules.

Read and write all groups (preview)
Read and write all users' full profiles

Used for these:

  • Mapping users to groups to properly assign policies to users.
  • (Reserved for future release) Allow administrators to disable users or reset their password.
Read and write all user mailbox settings

Used for continuously monitoring mailbox settings to detect indications of account compromise, such as MFA settings, forwarding rules and many more.

Read and write mail in all mailboxes
Read and write contacts in all mailboxes

Used for baselining social graphs and communication patterns for accurate phishing detections.

Read and write user and shared mail

Used for these:

  • Enforcing Detect and Prevent policy rules, where emails are quarantined/modified post-delivery.
  • Allowing administrators to quarantine emails that are already in the users' mailboxes.
  • Baselining communication patterns as part of Learning Mode.
  • Retroactive scan of emails already in users' mailboxes immediately after onboarding.
Read and write user mail
Use Exchange Web Services with full access to all mailboxes
Send mail as a user

Used for sending notifications to end-users in scenarios where SMTP delivery is technically not available. This includes phishing, malware and DLP notifications.

Send mail as any user
Send mail on behalf of others
Read service health information for your organization

Reserved for future releases.


Activating Office 365 Email

Note - To activate Office 365 Mail, you must have administrator access to Office 365.

To start the Automated Onboarding process for Office 365 Mail, follow these steps:

  1. Based on the Avanan Portal status:
    • For new portals, the SaaS Onboarding Wizard will start automatically. Select Exchange Online and click Start.
    • For portals that have completed a previous onboarding: Go to Configuration > SaaS Apps > Exchange Online, and click Start.
  2. An onboarding wizard will launch. Choose Automatic.
  3. The wizard will redirect to the Microsoft Online login. Enter your Administrator credentials.
  4. A 'Permission Request' dialog box will present the permissions needed by Avanan. Review and click Accept.
  5. The wizard will redirect back to Avanan Portal Dashboard and continue for a few more minutes (usually 10-15 minutes).
    You can monitor the onboarding progress by looking at the 'Office 365' SaaS processes indication in the Avanan Portal dashboard.
  6. Clicking the System Tasks in Audit Logs will present the wizard progress dialog.
  7. When the onboarding process is finished, Avanan will start importing users' information and historic emails in the background.
  8. In case of a failure, the failure details appear in the System Tasks screen. Select the desired task and click on it.

Objects Created in Office 365

During the onboarding process, Avanan will create several objects in Office 365, including connectors, filters, and rules.

The created objects are described in the Manual Onboarding guide.


  • All users configured for Protect (Inline) mode are added to user groups that Avanan manages, for both outbound and incoming emails.
  • Some organizations set expiration policies on Microsoft 365 groups. When the Avanan user group expires, users are no longer protected in inline mode. The group owner gets a notification prior to expiration and can extend the expiration date. Make sure that the group owner is valid and notifications are sent correctly.
  • If Avanan groups have expired, it is possible to restore the groups (within a time frame set by Microsoft). If group restoration or extension is unsuccessful, contact Avanan Support.
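
The group-expiration check described above can be run over an export of the tenant's groups. This is an added example, not Avanan or Microsoft code. It assumes records shaped like Microsoft Graph group objects with each group's owners attached. The EXAMPLE-INLINE- prefix and the 30-day threshold are hypothetical placeholders; the real group names are in the Manual Onboarding guide.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical placeholder: take the real group names from the Manual Onboarding guide.
GROUP_PREFIX = "EXAMPLE-INLINE-"
WARN_WINDOW = timedelta(days=30)  # assumed review threshold, not a vendor value


def parse_ts(value):
    """Parse a Graph timestamp such as 2025-06-20T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_groups(groups, now):
    """Return (group name, finding) pairs for inline-protection groups at risk."""
    findings = []
    for group in groups:
        name = group["displayName"]
        expires = group.get("expirationDateTime")
        if not name.startswith(GROUP_PREFIX) or expires is None:
            continue  # not a group under review, or no expiration policy applies
        left = parse_ts(expires) - now
        if left <= timedelta(0):
            findings.append((name, "expired: restore the group"))
        elif left <= WARN_WINDOW:
            findings.append((name, f"expires in {left.days} days: extend the expiration date"))
        # The expiry notice goes to the owner, so one owner must be enabled and have mail.
        if not any(o.get("accountEnabled") and o.get("mail") for o in group.get("owners", [])):
            findings.append((name, "no enabled owner with a mailbox"))
    return findings


# Constructed sample records (not real tenant data).
OWNER_OK = {"mail": "admin@example.com", "accountEnabled": True}
OWNER_GONE = {"mail": "former.admin@example.com", "accountEnabled": False}
SAMPLE_GROUPS = [
    {"displayName": "EXAMPLE-INLINE-incoming", "expirationDateTime": "2025-06-20T00:00:00Z", "owners": [OWNER_OK]},
    {"displayName": "EXAMPLE-INLINE-outgoing", "expirationDateTime": "2025-09-30T00:00:00Z", "owners": [OWNER_GONE]},
    {"displayName": "EXAMPLE-INLINE-old", "expirationDateTime": "2025-05-25T00:00:00Z", "owners": []},
    {"displayName": "EXAMPLE-INLINE-static", "expirationDateTime": None, "owners": []},
    {"displayName": "Marketing", "expirationDateTime": "2025-06-05T00:00:00Z", "owners": []},
]
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, finding in review_groups(SAMPLE_GROUPS, SAMPLE_NOW):
        print(f"{name}: {finding}")
```

A group with a distant expiration date is still reported when its only owner is disabled, because nobody would receive the renewal notice.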

For more information on the next steps, see Onboarding next steps.

For more information on managing licenses, see License Management.

Adding a New Domain to Microsoft 365

At times, organizations might add new domains to their Microsoft 365 account.

To provide continuous protection for the users in these domains using the Avanan portal, these users must not have policies with Protect (Inline) protection mode for the first 48 hours after the transition.

To do that:

  • For all the existing policies (Threat Detection, DLP, and Click-Time Protection) that are in Protect (Inline) protection mode, change the scope to exclude the users from the new domain.

  • For the users in the new domain, assign new policies with Detect and Remediate protection mode.

Note - After 48 hours from the transition, you can change the policy scope so that it protects all domains in the Protect (Inline) protection mode.

If you have any queries about how to apply these changes in the configuration, contact Avanan Support.