Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Before you setup Office Protect

            Modified on Thu, 24 Feb, 2022 at 1:05 PM

            To ensure smooth onboarding with Office Protect, clients must ensure that their M365 is properly configured to allow the app to operate.


            There are 4 potential problems a setup might encounter, each detailed in this article:


            • Multi-Factor Authentication
            • Licencing issues
            • AD Federated Users

            Multi-Factor Authentication 

            Enforcing Multi-Factor Authentication will prevent secmon from connecting to MSOL. Conditional Access Policies can be configured to automatically enforce MFA on new users within certain conditions, which causes secmon’s MFA to be immediately enforced upon creation and prevents the setup from completing.


            There are two types of Conditional Access Policies that can cause problems: 


            • Conditional Access Policies that enable MFA on users (either all users or Admins)
            • Conditional Access Policies that require MFA when not logging in from trusted locations 


            Note: Enabling Security Defaults will not prevent secmon from connecting.


            Remediation


            Conditional Access Policies that enable MFA: Create an exclusion rule within the policy to allow secmon to authenticate without MFA. 




            • Select Conditional Access, then click on the policy you want to modify
            • Under Policy, Select Users and Groups, then Exclude tab 
            • Check Users and Groups


            • Select secmon in the user to exclude from the Policy, then click on Save
            • Add our IPs to your trusted locations:

             

            Microsoft 365 License

            If your tenant has no licences, Office Protect won’t be able to connect to Exchange, nor Microsoft 365 services, thus will be unable to proceed with the setup.


            Sometimes, if you just created your organisation, it can take Microsoft a while to recognise it and allow operations on it - up to 3 days in some cases - so if your setup is Stuck at “Start Feed Subscription” and your organisation is new, leave it be for a few days. 


            AD Federated Users

            If your M365 users are federated by your Active Directory, the creation of a user requires an onPremiseImmutableID. Since we cannot attribute value to this field, you must allow the creation of a non-federated user because secmon has to be an Azure AD user.


            onPremisesImmutableId: This property is used to associate an on-premises Active Directory user account with their Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property.  https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0


            We recommend that the tenant migrate to ADFS from a Pass-through authentication model, if possible, otherwise, Office Protect won’t be able to create secmon, thus completing the setup. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authentication




            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0