Custom oAuth Application for Office 365 and Azure API Integration

Configure an Application Registration in the Azure Portal

1. Log in to the Azure portal at https://portal.azure.com/.
2. Go to Home > App registrations and click New registration.
   
3. Configure the following details in the registration form:
   • Enter the name of the application. For example, Skyhigh Security Compliance Control.
   • Under Supported account Types, select Accounts in this organizational directory only.
   • Under Redirect URL, select Web and enter one of the following Sign-On URLs depending on the Skyhigh CASB backend:

PROD:  https://www.myshn.net/shndash/extensions/offlinedlp_ret.jsp
EUPROD: https://www.myshn.eu/shndash/extensions/offlinedlp_ret.jsp 

4. To create a new application, click Register.
5. Confirm the new application's properties are configured correctly, as per the last step in this guide.
   
6. Perform the following activities using OpenSSL to create a self-signed certificate. 

• Generate a private key: Key length should be 2048.
  openssl genrsa -out office365OfflineDlpKey.pem 2048
• Create a certificate Signing request:
  openssl req -new -key office365OfflineDlpKey.pem -out office365OfflineDlp.csr
• Create a X.509 certificate with generated key and signing request:
  openssl x509 -req -in office365OfflineDlp.csr -signkey office365OfflineDlpKey.pem -out office365OfflineDlp-cert.pem -days 3650
• Check the start/end date of the certificate:
  openssl x509 -startdate -noout -in office365OfflineDlp-cert.pem
  openssl x509 -enddate -noout -in office365OfflineDlp-cert.pem

7. Go to Certificates & Secrets in the new app, click Upload certificate and upload office365OfflineDlp-cert.pem to the Azure portal.
   
8. To add the required APIs with the permissions, click API Permissions.

NOTE: If you don't see the required APIs in the Microsoft APIs tab, search in the APIs my organization uses tab.

For Activity Monitoring set the following permissions
Exchange Online	OneDrive / SharePoint	Teams	Dynamics 365
Microsoft Graph: Read user profile (User.ReadAll) Read directory data (Directory.ReadAll) Office 365 Management API: Read Activity data of your organization (ActivityFeed.Read) Office 365 Exchange Online: Read and write emails in all mailboxes (Mail.ReadWrite) Use Exchange Web Services with full access to all mailboxes (full_access_as_app)	Microsoft Graph: Read items in all site collections (Sites.Read.All) Office 365 SharePoint Online:   Read user profile (User.Read.All) Office 365 Management API: Read Activity data of your organization (ActivityFeed.Read)	(It is not possible to connect MS Teams in "Activity Monitoring only mode", enable with DLP permission as stated below)	Office 365 Management APIs: Read Activity data of your organization (ActivityFeed.Read)

For API DLP set the following permissions
Exchange Online	OneDrive / SharePoint	Teams (Messages)	Dynamics 365
Office 365 Exchange Online: Read and write emails in all mailboxes (Mail.ReadWrite) Use Exchange Web Services with full access to all mailboxes (full_access_as_app) Read items in all site collections (Sites.Read.All) Microsoft Graph:   Read users profile (User.Read.All) Read items in all site collections (Sites.Read.All) Read and write mail in all mailboxes (Mail.Readwrite) Read directory data (Directory.Read.All) Read all usage reports (Reports.Read.All) SharePoint: Read users profile (User.Read.All)	Microsoft Graph:  Read items in all site collections (Sites.Read.All) Read directory data (Directory.Read.All) Read and write Microsoft Intune device configuration (DeviceManagementConfiguration.ReadWrite.All) Read all usage reports (Reports.Read.All) Read your Organization's policies (Policy.Read.All) Office 365 SharePoint Online: Have full control of all site collection (Sites.FullControl.All) Read and write items and lists in all site collections Sites (Sites.Manage.All) Read users profile (User.Read.All)	Office 365 Management APIs: Read Activity data of your organization (ActivityFeed.Read) Microsoft Graph: ChannelMessage.Read.All ChannelMessage.UpdatePolicyViolation.All Chat.Read.All Chat.UpdatePolicyViolation.All Directory.Read.All Group.Read.All Group.ReadWrite.All User. Read User.Read.All ChannelMember.ReadWrite.All TeamMember.ReadWrite.All ChatMember.ReadWrite.All	Dynamics CRM (type=delegated):  Access Common Data Service as organization users (user_impersonation) Microsoft Graph (type=delegated):    Sign in and read user profile (User.Read)

9. For all CSPs except Azure: Once you have added all permissions, click Grant admin consent for Domain.
   

The result looks similar to the following images. Click to enlarge.

Office 365	Microsoft Dynamics

10. To open the Manifest file, click Manifest. You will be using the information on this page to complete the Skyhigh CASB configuration.
    

Skyhigh CASB API Connection 

IMPORTANT:

• If you are setting up Dynamics, pause here, and complete the configuration steps outlined in this guide: Configuring and connecting the Microsoft Dynamics API. Make a note of the appId in the manifest above. You will need this to configure Dynamics.
• If you have not already, contact Skyhigh Support and request to enable the Custom OAuth app for your tenant. Ask for custom OAuth support only for the service(s) you don't want to use the Global Admin account to enable the Skyhigh CASB connection. The exception is Microsoft Dynamics, which must use custom OAuth.
• If you have already enabled the API connection using a Global Administrator (GA) account for a service, then you do not need to enable custom OAuth support for this service. For example: If you need to enable custom OAuth support for Microsoft Dynamics which is mandatory, you do not need to re-do the authentication for other services like SharePoint, OneDrive and Exchange.
• When you contact Skyhigh Support they will request the Instance Id. Find this in the Skyhigh CASB console via the instance setup page. For example, expand this screenshot --> []
• If you are using Exchange Online, you must contact Skyhigh Security Support to enable Microsoft Graph REST API access for your instances.

1. Go to Service Management > O365 Service and click Enable. You should be prompted to provide the custom OAuth credentials. If you are not prompted then contact Skyhigh Support to enable custom OAuth for the applicable service.
2. Extract the data from the Manifest file to enter the following details:
   • Client ID is the appId from the Manifest. (The Manifest screen is shown above.) It looks like a UUID. For example, 543bd03b-cd6e-417d-b31b-871ba0ef44f1
   • Private Key is the .pem file containing the private key that you created earlier (office365OfflineDlpKey.pem).
   • Thumb Print is the customKeyIdentifier of the keyCredentials of Manifest. Looks like a short, base64 encoded string. For example, 4BDBCCC84D81B29D1E6A6E0976A120275B393A7C
   • Resource URL is the URL for the instance:
     • SharePoint. For SharePoint, use https://<O365TENANTNAME>.sharepoint.com. 
     • OneDrive. For OneDrive, use https://<O365TENANTNAME>-my.sharepoint.com. 
     • Exchange. For Exchange, use https://<O365TENANTNAME>.sharepoint.com.
     • Dynamics. Use your Dynamics custom domain. For example: https://<yourdomain>.crm.dynamics.com.
     • Microsoft Teams. For Microsoft Teams, use https://<O365TENANTNAME>.sharepoint.com
   • Admin Resource URL is the URL for the SharePoint Admin Portal. Even when the connection is established for OneDrive, enter the SharePoint Admin Portal URL. For example, https://<O365TENANTNAME>-admin.sharepoint.com
   • Admin Email is the email address of an admin user for the services as defined. For example, admin@mycompany.onmicrosoft.com
     • OneDrive. Provide an admin email to create a quarantine folder. Technically this can be any user (need not be an admin) and do not make it public. But, the best practice is to use an Office 365 account created for Skyhigh CASB, as a service account).
     • SharePoint. Create a quarantine library in each site and make the admin exclusive owner of that library. For this purpose, use an admin email as input, which will be the owner of the Quarantine library in each site. Technically this can be any user (need not be an admin) and do not make it public. But, the best practice is to use an Office 365 account created for Skyhigh CASB, as a service account). For ease of use, the best practice is to use a service account for SharePoint similar to OneDrive.
     • Exchange. Skyhigh CASB creates a Quarantine folder in that admin’s mailbox while enabling API access. So for Exchange, it can be any user similar to OneDrive and this user does not have to have Exchange Admin permissions, but this user *must* have an Exchange mailbox provisioned. Ensure this by logging into Outlook Web Access at least once before. 

• Dynamics 365. Enter the Application Username. For details, see Configuring and Connecting the Microsoft Dynamics API.
• Azure IaaS. For Azure IaaS, the value of the admin email is not relevant but should reflect a real user's email address.
  

3. Click Submit.

IP Allow List

In rare cases, when using IP restrictions in Office 365 vNext and SharePoint the following Skyhigh CASB IP addresses/address ranges need to be added to an Allow List in Office 365:

• 13.57.135.0/25
• 52.8.140.255
• 52.52.211.25

References

Skyhigh CASB uses a Multi-Tenant App for OAuth flow which in turn uses Service Principal for collecting data from Customer’s Azure Account. More details about the app mode and service principals can be found here https://docs.microsoft.com/en-us/azu...ice-principals 

• https://azure.microsoft.com/en-in/documentation/articles/active-directory-integrating-applications/
• https://msdn.microsoft.com/en-us/office/office365/howto/building-service-apps-in-office-365
• https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/
• https://technet.microsoft.com/en-us/library/dn800987.aspx 
• https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals