Office 365 (O365) Integration with Grip Security - Posture (SSPM)

Overview

The O365 integration with Grip enables organizations to gain a comprehensive overview of their security posture relative to their core O365 services – Entra ID, Defender, SharePoint, Teams, and Exchange Online.

Prerequisites

  • An Entra ID admin user with privileges to create enterprise applications. 

  • Public certificate file. Note that this is the same Grip public certificate used as the Entra ID certificate for Grip's main integration.

    If you don't have access to the certificate, please contact your TAM/TCSM, and they will forward it to you.

  • Integrating O365 with Grip Security

  • We recommend reading the "Introduction to Posture Management" article to learn about posture at Grip.

Process stages

  1. Create an application

  2. Grant Permissions

  3. Upload Certificate

  4. Configure integration with Grip

Required Permissions

To perform the discovery process, Grip requires several OAuth application permissions from various Microsoft services, plus one directory role (Global Reader).

The required permissions are as follows:

Product/Service – Permissions

Graph API

  • Directory.Read.All

  • GroupMember.Read.All

  • Organization.Read.All

  • Policy.Read.All

  • RoleManagement.Read.Directory

  • User.Read.All

  • PrivilegedEligibilitySchedule.Read.AzureADGroup

  • PrivilegedAccess.Read.AzureADGroup

  • RoleManagementPolicy.Read.AzureADGroup

SharePoint Online

  • Sites.FullControl.All

Exchange Online (O365)

  • Exchange.ManageAsApp

Identity Roles

  • Global Reader

Defender for Office 365

  • Global Reader

Microsoft Teams

  • Global Reader

Pay attention.

The Sites.FullControl.All permission is the minimum required to read admin center configurations for SharePoint Online, as this is a limitation of the API provided by Microsoft. Grip does not utilize the write privileges in its assessments.

Step 1 – Get the Application ID and Directory ID

From the application you created during discovery, copy the Application (client) ID and the Directory (tenant) ID.

Step 2 – Grant permissions – Graph API.

In the left sidebar of the new app's page, select "Manage" >> "API permissions".

  • Click "Add a permission" (5).

  • On the new right sidebar, select "Microsoft Graph" (6).

In the "Request API permissions" section, select "Application permissions" (7), then search (8) and select the following permissions.

  • Directory.Read.All 

  • GroupMember.Read.All 

  • Organization.Read.All 

  • Policy.Read.All 

  • RoleManagement.Read.Directory 

  • User.Read.All 

  • PrivilegedEligibilitySchedule.Read.AzureADGroup          

  • PrivilegedAccess.Read.AzureADGroup 

  • RoleManagementPolicy.Read.AzureADGroup 

Click the “Add permissions” button (9).  

Step 3 – Grant Permissions – SharePoint.

  • Click "Add a permission" (10).

  • A drawer opens on the right side (as in step 2).

  • Scroll down and select SharePoint (11).

  • Select "Application permissions".

  • Select the following permission: "Sites.FullControl.All".

  • Click the "Add permissions" button.

Step 4 – Grant Permissions – Exchange Online.

  • Click "Add a permission" (12).

  • On the right-side panel, select the "APIs my organization uses" tab (13).

  • Search for Office 365 Exchange Online and select the entry with the same name (14).

  • Select "Application permissions" (15), then search and select the following permission: Exchange.ManageAsApp (16).

  • Click the "Add permissions" button (17).

Note

  • Ensure all 11 permissions have been added to the list.

  • Sometimes, there will be an extra permission at the beginning – User.Read. This is OK.

  • Click the "Grant admin consent for <your org name>" tab (18) and select "Yes" in the confirmation popup.
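The note above asks you to confirm that exactly the 11 permissions are present and that the only tolerated extra is the delegated User.Read. The following script is an added example for this page, not Grip's code: it takes the app registration's requiredResourceAccess (the shape Microsoft Graph returns for an application object) and the permission catalogs of the three resource APIs (servicePrincipal.appRoles for application permissions, oauth2PermissionScopes for delegated ones), resolves the GUIDs to names, and reports what is missing, what is broader than the guide requires, and what it could not resolve. The three resource app IDs are Microsoft's well-known first-party values; the permission GUIDs in the sample catalog are constructed placeholders, and the sample app deliberately lacks Policy.Read.All and carries an extra Mail.ReadWrite so both findings show up.

```python
"""Check an Entra ID app registration's API permissions against the 11 the
guide lists.  Added example; not Grip's code.  Data shapes follow Microsoft
Graph: application.requiredResourceAccess is
[{resourceAppId, resourceAccess: [{id, type}]}] and each resource API's
service principal exposes appRoles / oauth2PermissionScopes as [{id, value}].
In a live tenant you would fetch those objects; here they are constructed."""

# Well-known first-party resource app IDs (identical in every tenant).
GRAPH = "00000003-0000-0000-c000-000000000000"
SHAREPOINT = "00000003-0000-0ff1-ce00-000000000000"
EXCHANGE = "00000002-0000-0ff1-ce00-000000000000"

# The 11 application permissions the guide asks for, keyed by resource API.
EXPECTED = {
    GRAPH: {
        "Directory.Read.All", "GroupMember.Read.All", "Organization.Read.All",
        "Policy.Read.All", "RoleManagement.Read.Directory", "User.Read.All",
        "PrivilegedEligibilitySchedule.Read.AzureADGroup",
        "PrivilegedAccess.Read.AzureADGroup",
        "RoleManagementPolicy.Read.AzureADGroup",
    },
    SHAREPOINT: {"Sites.FullControl.All"},
    EXCHANGE: {"Exchange.ManageAsApp"},
}

# Delegated permission the guide says may appear by default and is acceptable.
TOLERATED_DELEGATED = {(GRAPH, "User.Read")}


def resolve_grants(required_resource_access, catalog):
    """Map GUID-based grants to (resource, permission name, type) triples.

    catalog[resourceAppId][type] is {permission id: permission name}, where
    type is "Role" (application permission) or "Scope" (delegated permission).
    Grants whose id is absent from the catalog are returned as unresolved.
    """
    grants, unresolved = set(), set()
    for entry in required_resource_access:
        resource = entry["resourceAppId"]
        for access in entry["resourceAccess"]:
            name = catalog.get(resource, {}).get(access["type"], {}).get(access["id"])
            if name is None:
                unresolved.add((resource, access["id"]))
            else:
                grants.add((resource, name, access["type"]))
    return grants, unresolved


def check_permissions(required_resource_access, catalog):
    """Compare configured grants with EXPECTED and return sorted findings."""
    grants, unresolved = resolve_grants(required_resource_access, catalog)
    expected = {(res, name) for res, names in EXPECTED.items() for name in names}
    app_perms = {(res, name) for res, name, kind in grants if kind == "Role"}
    delegated = {(res, name) for res, name, kind in grants if kind == "Scope"}
    findings = {
        "missing": sorted(expected - app_perms),
        # Application permissions beyond the list widen what the app can do.
        "extra_application": sorted(app_perms - expected),
        "extra_delegated": sorted(delegated - TOLERATED_DELEGATED),
        "unresolved": sorted(unresolved),
    }
    findings["ok"] = not any(findings[k] for k in
                             ("missing", "extra_application", "extra_delegated", "unresolved"))
    return findings


def placeholder_id(n):
    """Constructed placeholder GUID; real ids come from the tenant's service principals."""
    return f"00000000-0000-0000-0000-{n:012d}"


# Constructed catalog: one placeholder id per permission name.
SAMPLE_CATALOG = {
    GRAPH: {
        "Role": {placeholder_id(i + 1): name
                 for i, name in enumerate(sorted(EXPECTED[GRAPH]) + ["Mail.ReadWrite"])},
        "Scope": {placeholder_id(100): "User.Read"},
    },
    SHAREPOINT: {"Role": {placeholder_id(200): "Sites.FullControl.All"}, "Scope": {}},
    EXCHANGE: {"Role": {placeholder_id(300): "Exchange.ManageAsApp"}, "Scope": {}},
}


def sample_id_of(resource, kind, name):
    """Look up the constructed id for a permission name in SAMPLE_CATALOG."""
    return next(i for i, v in SAMPLE_CATALOG[resource][kind].items() if v == name)


# Constructed app: missing Policy.Read.All, extra Mail.ReadWrite, default User.Read.
SAMPLE_APP_REQUIRED_RESOURCE_ACCESS = [
    {"resourceAppId": GRAPH, "resourceAccess":
        [{"id": sample_id_of(GRAPH, "Role", n), "type": "Role"}
         for n in sorted(EXPECTED[GRAPH] - {"Policy.Read.All"}) + ["Mail.ReadWrite"]]
        + [{"id": sample_id_of(GRAPH, "Scope", "User.Read"), "type": "Scope"}]},
    {"resourceAppId": SHAREPOINT, "resourceAccess":
        [{"id": sample_id_of(SHAREPOINT, "Role", "Sites.FullControl.All"), "type": "Role"}]},
    {"resourceAppId": EXCHANGE, "resourceAccess":
        [{"id": sample_id_of(EXCHANGE, "Role", "Exchange.ManageAsApp"), "type": "Role"}]},
]

if __name__ == "__main__":
    for key, items in check_permissions(SAMPLE_APP_REQUIRED_RESOURCE_ACCESS, SAMPLE_CATALOG).items():
        print(key, items)
```

Feed it the real objects (for example, the application's requiredResourceAccess and each resource service principal's appRoles and oauth2PermissionScopes as returned by Microsoft Graph) and treat any non-empty "extra_application" entry as a reason to remove the permission before granting admin consent, since consent applies to every permission on the list at once.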

Step 5 – Assign user role. 

  • Go to Microsoft Entra roles and administrators in your Entra ID admin panel.

  • Search for Global Reader and select the entry.

  • Click "+ Add assignments".

  • Search for the full name you assigned to your app (Grip Security – SSPM), select it, and click "Add".

Step 6 – Upload certificate

  • On the left sidebar, select "Certificates & secrets" (19).

  • Select the "Certificates" tab (20).

  • Click "Upload certificate" (21). On the new right sidebar, upload the certificate you received from Grip.

  • Enter a description for internal use (optional).

  • Click "Add" (22).

Final Step – Configure Integration with Grip.

On the Grip Platform, go to the "Posture" tab >> click "Add Tenant".

  • Select a "Display name" (3) for this integration. Note that the name is internal, designed to help you recognize this specific configuration.

  • Enter the credentials you saved during the process (4):

    • Tenant ID

    • Client ID

  • Click "Add Tenant".

  • The configuration will be added to the Tenants list (5).

  • You can view or manage the integration from the "more actions" (kebab) menu (6).

  • Click "Add Tenant" (7) to add an additional tenant.

Once the integration is connected, you will be able to see and filter your policy statuses, assess your security posture, and begin fixing it.