Overview
Integrating Grip with O365 gives an organization a comprehensive view of its managed and unmanaged applications: provisioning details, sign-in and usage patterns, and applications detected through email-based interactions (registration, billing and password-reset mail). The integration improves monitoring and access control across the organization's application landscape, so that application interactions are visible and managed efficiently.
Prerequisites
An Entra ID admin user who can create app registrations, grant tenant-wide admin consent and (for the optional SSPM setup) assign directory roles.
The public certificate file received from Grip. Grip keeps the matching private key; you upload only the public part, so no client secret is created for this application.
Permissions
The following outlines the required permissions.
Step-by-step instructions are provided in the next sections of this article.
Required Microsoft Graph Permissions
Grip requires several Microsoft Graph permissions to perform the discovery process. All of them are application permissions (app-only access, not delegated on behalf of a user), which is why admin consent is required in Step 2. The required permissions and the reason for each are as follows:

Permission | Reason
--- | ---
Mail.Read | Used to identify SaaS events in emails, including new registrations, billing updates, password resets, etc.
User.Read.All | Used to retrieve user and alias information to map the relationships between users and SaaS usage
AuditLog.Read.All | Used to gather sign-in logs for managed applications and social-login applications within the Entra ID domain
Application.Read.All | Used to gather the list of managed applications within the Entra ID environment
Directory.Read.All | Used to retrieve group, group alias and member information to present identity- and group-centric views of SaaS use
Optional - Additional permissions for O365 posture (SSPM)

Permission | Product/Service
--- | ---
Directory.Read.All, GroupMember.Read.All, Organization.Read.All, Policy.Read.All, RoleManagement.Read.Directory, User.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup, PrivilegedAccess.Read.AzureADGroup, RoleManagementPolicy.Read.AzureADGroup | Graph API
Sites.FullControl.All | SharePoint Online
Exchange.ManageAsApp | Exchange Online
Global Reader (directory role assigned to the app's service principal) | Identity Roles

Each of these is configured in the optional SSPM sections of Step 2 below.
For OAuth Revocation

Permission | Product/Service
--- | ---
DelegatedPermissionGrant.ReadWrite.All | Graph API

This permission is needed only if Grip should be able to revoke OAuth grants in your tenant. Unlike the discovery permissions above it is a write permission, so add it only if you intend to use that capability.
How to Perform the Setup
The process is comprised of the following steps:
Step 1 - Create the application.
Step 2 - Grant permissions.
Step 3 - Add the certificate.
Step 4 - Send relevant identifiers to Grip.
Step 1 – Create the application
Go to App registrations in your Entra ID admin panel.
Select New registration
In the Name field enter Grip Security.
In the Supported account types field select the first option Accounts in this organizational directory only (<your org> only - Single tenant).
Click Register.
You are redirected to your new application’s page. Copy the following values with their respective titles and save them, to be shared later with Grip.
Application (client) ID
Directory (tenant) ID
Step 2 – Grant Graph permissions
In the left sidebar of the new app's page, select Manage -> API permissions.
Click Add a permission.
On the new right sidebar, select Microsoft Graph.
Select Application permissions.
Search for and select the following permissions:
Mail.Read
User.Read.All
AuditLog.Read.All
Application.Read.All
Directory.Read.All
Note: Make sure all 5 permissions have been added to the list.
Sometimes there is an extra permission at the top of the list, User.Read. This is the delegated permission Entra ID adds to every new registration by default; it is OK to leave it.
Click "Grant admin consent for <your org name>" and select "Yes" in the confirmation popup. Admin consent for application permissions is tenant-wide; afterwards the Status column should read "Granted for <your org name>" for every permission in the list.
Optional - Graph permissions for SSPM
If you also want O365 posture (SSPM), add the following Microsoft Graph application permissions in the same way:
Directory.Read.All
GroupMember.Read.All
Organization.Read.All
Policy.Read.All
RoleManagement.Read.Directory
User.Read.All
PrivilegedEligibilitySchedule.Read.AzureADGroup
PrivilegedAccess.Read.AzureADGroup
RoleManagementPolicy.Read.AzureADGroup
Directory.Read.All and User.Read.All are already in the list from the discovery set above, so they will show as already selected.
Click "Add permissions".
For OAuth Revocation
If Grip should be able to revoke OAuth grants, also add the Microsoft Graph application permission DelegatedPermissionGrant.ReadWrite.All. This is a write permission and is not required for discovery.
Optional - Additional permissions for SSPM
SharePoint
From "Select an API » Microsoft APIs", select "SharePoint".
Select "Application permissions".
Select the following permission: "Sites.FullControl.All".
Click the "Add permissions" button.
Note: Sites.FullControl.All is the minimum permission that allows reading the SharePoint Online admin center configuration, a limitation of the API Microsoft provides. Grip does not use the write privileges in its assessments. Be aware, however, that the permission itself grants the application full control over every site in the tenant, so treat the application's certificate as a high-value credential and record this grant in your risk register.
_____________________________________________________
Exchange Online
Click "Add a permission".
On the right-side panel, select the "APIs my organization uses" tab.
Search for Office 365 Exchange Online and select the entry with that exact name.
Select "Application permissions", then search for and select the following permission: Exchange.ManageAsApp
Click the "Add permissions" button.
Exchange.ManageAsApp only allows the application to authenticate to Exchange Online; what it may then read is determined by the directory role assigned to the application in the next section.
💡 Note: Ensure that every permission added in this step appears in the list: the nine Graph permissions for SSPM plus Sites.FullControl.All and Exchange.ManageAsApp, 11 in total for the SSPM set, in addition to the five discovery permissions.
Sometimes there is an extra permission at the top of the list, User.Read. This is OK.
Click "Grant admin consent for <your org name>" and select "Yes" in the confirmation popup.
_____________________________________________________
Assign the Global Reader role to the application
Go to Microsoft Entra roles and administrators in your Entra ID admin panel.
Search for Global Reader and select the entry.
Click "+ Add assignments".
Search for the name you gave the app registration (the article uses Grip Security – SSPM here; use whatever name you chose in Step 1), select it, and click "Add". Note that the role is assigned to the application's service principal, not to a user account.
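As an added example (not Grip's own tooling), the following Microsoft Graph PowerShell script performs the Global Reader assignment for the application's service principal and then checks that the consented application permissions match the SSPM set described in this article, printing any that are missing or unexpected. It assumes the Microsoft.Graph module is installed, you are signed in as an administrator, the registration is named "Grip Security" (change $AppName if you used another name) and the permissions from Step 2 have already been added and consented to.

```powershell
# Added example, not part of Grip's documentation. Assumptions: Microsoft.Graph module,
# an admin session, and an existing registration named "Grip Security".
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Application.Read.All"

$AppName = "Grip Security"   # assumption: name chosen in Step 1
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppName'"
if (-not $sp) { throw "No service principal named '$AppName'; complete Step 1 first" }

# Global Reader is resolved by display name rather than a hard-coded role template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($sp.Id)' and roleDefinitionId eq '$($role.Id)'"
if (-not $existing) {
    # DirectoryScopeId "/" means tenant-wide; the principal is the service principal, not a user.
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null
}

# Application permissions this article expects, grouped by resource API display name.
$expected = @{
    "Microsoft Graph" = @(
        "Mail.Read","User.Read.All","AuditLog.Read.All","Application.Read.All","Directory.Read.All",
        "GroupMember.Read.All","Organization.Read.All","Policy.Read.All","RoleManagement.Read.Directory",
        "PrivilegedEligibilitySchedule.Read.AzureADGroup","PrivilegedAccess.Read.AzureADGroup",
        "RoleManagementPolicy.Read.AzureADGroup")
    "Office 365 SharePoint Online" = @("Sites.FullControl.All")
    "Office 365 Exchange Online"   = @("Exchange.ManageAsApp")
}

# Consented application permissions exist as app role assignments on the service principal;
# the portal's "Grant admin consent" creates exactly these. Map each back to its permission name.
# (The default delegated User.Read is not an app role assignment, so it never shows up here.)
$granted = @{}
foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $api  = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $name = ($api.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
    if (-not $granted.ContainsKey($api.DisplayName)) { $granted[$api.DisplayName] = @() }
    $granted[$api.DisplayName] += $name
}

# Report the difference per API. Anything under "extra" is a grant this article did not ask for.
foreach ($apiName in $expected.Keys) {
    $missing = $expected[$apiName] | Where-Object { $granted[$apiName] -notcontains $_ }
    $extra   = @($granted[$apiName]) | Where-Object { $expected[$apiName] -notcontains $_ }
    "{0}: missing=[{1}] extra=[{2}]" -f $apiName, ($missing -join ", "), ($extra -join ", ")
}
```

Run it after granting admin consent in the portal; an empty "missing" list for each API confirms the consent took effect, and anything listed under "extra" (for example DelegatedPermissionGrant.ReadWrite.All if you added the OAuth revocation permission) is worth confirming deliberately, since it is a write grant.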
Step 3 – Upload certificate
On the left sidebar select Certificates & secrets.
Select the Certificates tab.
Click Upload certificate.
On the new right sidebar, upload the certificate you received from Grip.
Enter a description for internal use (optional).
Click Add.
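For teams that prefer to script the setup, the following Microsoft Graph PowerShell example carries out Steps 1 to 3 for the five discovery permissions: it creates the single-tenant registration, resolves the permission names to Microsoft Graph app role IDs, grants tenant-wide admin consent, uploads the public certificate and prints the two identifiers to send to Grip. This is an added example, not code from Grip or from this article; the certificate path, the application name and the scopes used for the admin sign-in are assumptions.

```powershell
# Added example, not part of Grip's documentation. Assumptions: Microsoft.Graph module installed,
# an admin session with the scopes below, and Grip's public certificate at $CertPath.
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All"

$CertPath = ".\grip-public.cer"   # assumption: the .cer file received from Grip
$AppName  = "Grip Security"

# Microsoft Graph's resource service principal (well-known application ID).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# The five discovery permissions from this article, as application (app-only) permissions.
$required = @("Mail.Read","User.Read.All","AuditLog.Read.All","Application.Read.All","Directory.Read.All")

# Resolve names to app role IDs from Graph's own AppRoles list instead of hard-coding GUIDs.
# Type "Role" marks an application permission; "Scope" would be a delegated one.
$access = @(foreach ($name in $required) {
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $role) { throw "Application permission '$name' not found on Microsoft Graph" }
    @{ Id = $role.Id; Type = "Role" }
})

# Step 1: single-tenant registration ("Accounts in this organizational directory only").
$app = New-MgApplication -DisplayName $AppName -SignInAudience "AzureADMyOrg" `
    -RequiredResourceAccess @(@{ ResourceAppId = $graphSp.AppId; ResourceAccess = $access })
$sp = New-MgServicePrincipal -AppId $app.AppId

# Step 2: "Grant admin consent" for application permissions is an app role assignment
# from the Graph service principal to our service principal, one per permission.
# If this fails with "not found" right after creation, wait a few seconds and rerun the loop.
foreach ($a in $access) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $a.Id | Out-Null
}

# Step 3: upload Grip's public certificate. Only the public key is stored; no client secret
# is generated, so the credential cannot be exfiltrated from the portal.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
Update-MgApplication -ApplicationId $app.Id -KeyCredentials @(@{
    Type = "AsymmetricX509Cert"; Usage = "Verify"; Key = $cert.RawData
    DisplayName = "Grip Security public certificate"
})

# Step 4: the two values to send to Grip.
[pscustomobject]@{
    "Application (client) ID" = $app.AppId
    "Directory (tenant) ID"   = (Get-MgContext).TenantId
}
```

The script deliberately grants only the five discovery permissions; add the optional SSPM and OAuth revocation permissions through the portal steps above (or extend $required) only if you need those capabilities, since each additional grant widens what the certificate holder can do in the tenant.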
What next? - Post completion requirements
Send Grip the fields you saved in the Create the application step:
Application (client) ID
Directory (tenant) ID
Summary
You have now created your part of the integration. After sending the relevant identifiers to Grip the discovery process will begin. You can get a time estimation from your Grip representative.