For a smooth onboarding with Office Protect, make sure your Microsoft 365 tenant is configured to let the app operate.
There are 4 potential problems a setup might encounter, each detailed in this article:
- Multi-Factor Authentication
- Licensing issues
- AD Federated Users
Multi-Factor Authentication
Enforcing Multi-Factor Authentication on the secmon account will prevent it from connecting to MSOL. Conditional Access Policies can be configured to enforce MFA automatically on any new user that meets certain conditions; in that case MFA is enforced on secmon the moment the account is created, and the setup cannot complete.
Two types of Conditional Access Policies can cause this problem:
- Conditional Access Policies that enable MFA for users (either all users or admins)
- Conditional Access Policies that require MFA when the sign-in does not come from a trusted location
Note: Enabling Security Defaults will not prevent secmon from connecting.
Conditional Access Policies that enable MFA: create an exclusion within the policy so that secmon can authenticate without MFA.
- Go to your Azure AD portal: https://aad.portal.azure.com/
- Click Azure Active Directory, then click Security
- Select Conditional Access, then click the policy you want to modify
- Under Policy, select Users and Groups, then the Exclude tab
- Check Users and Groups
- Select secmon as the user to exclude from the policy, then click Save
Conditional Access Policies that require MFA outside trusted locations: add our IPs to your trusted locations:
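Before clicking through the portal, it helps to know which policies would actually block the account. The script below is an added example, not Office Protect's own code: it walks a list of Conditional Access policy objects in the shape Microsoft Graph returns them (conditions.users, conditions.locations, grantControls), reports every enforced policy that demands MFA and still targets the account, distinguishes the two policy types described above, and builds the PATCH body that adds the account to excludeUsers. The secmon object ID and the policies in SAMPLE_POLICIES are constructed for the example; in a real tenant you would feed it the output of GET /identity/conditionalAccess/policies.

```python
"""Audit Conditional Access policies for a service account that must sign in
without MFA (e.g. the secmon user created during Office Protect setup).

Added illustration, not Office Protect's own code. Policy dictionaries follow
the Microsoft Graph conditionalAccessPolicy schema; the IDs and policies in
SAMPLE_POLICIES are constructed sample data, not real tenant objects.
"""
from copy import deepcopy

SECMON_ID = "00000000-0000-4000-8000-00000000c0de"           # constructed object id
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template id


def _policy(pid, name, state, include_users=(), include_roles=(), locations=None, controls=("mfa",)):
    """Small builder so the constructed sample policies stay readable."""
    return {
        "id": pid, "displayName": name, "state": state,
        "conditions": {
            "users": {"includeUsers": list(include_users), "includeGroups": [], "includeRoles": list(include_roles),
                      "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
            "locations": locations,
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


SAMPLE_POLICIES = [  # constructed sample data
    _policy("p-admin-mfa", "Require MFA for admins", "enabled", include_roles=[GLOBAL_ADMIN_ROLE]),
    _policy("p-untrusted", "MFA outside trusted locations", "enabled", include_users=["All"],
            locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
    _policy("p-block-legacy", "Block legacy authentication", "enabled", include_users=["All"], controls=["block"]),
    _policy("p-report-only", "MFA for everyone (report-only)", "enabledForReportingButNotEnforced", include_users=["All"]),
]


def _users(policy):
    return (policy.get("conditions") or {}).get("users") or {}


def enforces_mfa(policy):
    """True when the policy is enforced and its grant control demands MFA
    (the built-in 'mfa' control or an authentication strength)."""
    if policy.get("state") != "enabled":
        return False  # report-only and disabled policies never block a sign-in
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))


def applies_to(policy, user_id, roles=(), groups=()):
    """Resolve include/exclude assignments for one user; exclusions win."""
    u = _users(policy)
    if user_id in (u.get("excludeUsers") or []):
        return False
    if set(roles) & set(u.get("excludeRoles") or []) or set(groups) & set(u.get("excludeGroups") or []):
        return False
    inc_users = u.get("includeUsers") or []
    return ("All" in inc_users or user_id in inc_users
            or bool(set(roles) & set(u.get("includeRoles") or []))
            or bool(set(groups) & set(u.get("includeGroups") or [])))


def trusted_location_only(policy):
    """The second policy type from the article: MFA only outside trusted locations."""
    loc = (policy.get("conditions") or {}).get("locations") or {}
    return "AllTrusted" in (loc.get("excludeLocations") or [])


def audit(policies, user_id, roles=(), groups=()):
    """Return the policies that would force MFA on the account, with the fix to apply."""
    findings = []
    for p in policies:
        if not (enforces_mfa(p) and applies_to(p, user_id, roles, groups)):
            continue
        fix = ("add the vendor IPs as a trusted named location, or exclude the account"
               if trusted_location_only(p) else "exclude the account under Users and Groups > Exclude")
        findings.append({"id": p["id"], "name": p["displayName"], "fix": fix})
    return findings


def exclusion_patch(policy, user_id):
    """Body for PATCH /identity/conditionalAccess/policies/{id}. Graph replaces the
    nested 'users' object, so the existing lists are copied and only excludeUsers grows."""
    users = deepcopy(_users(policy))
    excluded = list(users.get("excludeUsers") or [])
    if user_id not in excluded:
        excluded.append(user_id)
    users["excludeUsers"] = excluded
    return {"conditions": {"users": users}}


def apply_patch(policy, patch):
    """Local simulation of the PATCH so the fix can be re-audited offline."""
    fixed = deepcopy(policy)
    fixed["conditions"]["users"] = patch["conditions"]["users"]
    return fixed


if __name__ == "__main__":
    for f in audit(SAMPLE_POLICIES, SECMON_ID, roles=[GLOBAL_ADMIN_ROLE]):
        print(f"{f['id']}: {f['name']} -> {f['fix']}")
```

Run with the roles the account actually holds: an admin-only MFA policy is invisible to a plain user but will catch secmon if it is created with an admin role. The block-legacy-auth policy is reported as harmless because its grant control is "block", not "mfa"; whether it affects the connection depends on the protocol secmon uses, which this check does not model.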
Microsoft 365 License
If your tenant has no licences, Office Protect won't be able to connect to Exchange or to the Microsoft 365 services, and the setup cannot proceed.
Sometimes, if you have just created your organisation, Microsoft can take a while to recognise it and allow operations on it (up to 3 days in some cases), so if your setup is stuck at "Start Feed Subscription" and your organisation is new, leave it for a few days.
AD Federated Users
If your M365 users are federated from your Active Directory, creating a user requires an onPremisesImmutableId. Since we cannot assign a value to this field, you must allow the creation of a non-federated user, because secmon has to be an Azure AD user.
onPremisesImmutableId: This property is used to associate an on-premises Active Directory user account with their Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property. https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
We recommend that the tenant migrate to ADFS from a Pass-through authentication model, if possible; otherwise, Office Protect won't be able to create secmon and complete the setup. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authentication