Connecting Multiple Portals to the Same Microsoft 365 Account

Sometimes, administrators need to connect multiple Harmony Email & Collaboration tenants to the same Microsoft 365 account.

This might be needed to apply strict categorization of users, where administrators of one tenant do not read emails, files, and messages of users in other tenants.

Use Case

  • Large global organization with different branch offices managed by different administrators.

  • MSPs hosting multiple small customers on the MSP’s Microsoft 365 account.

Limitations

  • If you previously activated the Office 365 Mail SaaS application without following the procedure below, you cannot connect additional tenants to it.

  • By default, Harmony Email & Collaboration does not support connecting tenants from different regions (see Regional Data Residency) to the same Microsoft 365 account. If you need this option to be enabled, contact Check Point Support.

  • Each tenant must be restricted to a specific group of users (user group). These user groups must be mutually exclusive: no user can be a member of more than one of them.

  • Currently, Microsoft Teams can be enabled only for one tenant when connecting multiple Harmony Email & Collaboration tenants to the same Microsoft 365 account.
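One way to check the mutual-exclusivity requirement before onboarding, as an added example (not Check Point code). It assumes the membership of each tenant's user group has been exported to CSV; the column names `Group` and `Member` and all addresses are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (group, member). The column names
# "Group" and "Member" are assumptions of this example, not a vendor format.
SAMPLE_EXPORT = """Group,Member
emea-protected@example.com,alice@example.com
emea-protected@example.com,bob@example.com
apac-protected@example.com,carol@example.com
apac-protected@example.com,Bob@Example.com
amer-protected@example.com,dave@example.com
amer-protected@example.com,dave@example.com
"""

def load_memberships(csv_text):
    """Return {group: set(members)} with addresses trimmed and case-folded."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        group = (row.get("Group") or "").strip().casefold()
        member = (row.get("Member") or "").strip().casefold()
        if group and member:
            groups[group].add(member)
    return dict(groups)

def find_overlaps(groups):
    """Return {member: sorted groups} for every member of more than one group."""
    seen = defaultdict(set)
    for group, members in groups.items():
        for member in members:
            seen[member].add(group)
    return {m: sorted(g) for m, g in seen.items() if len(g) > 1}

def check_mutually_exclusive(csv_text):
    """Return (ok, overlaps); ok is True only when no member is shared."""
    overlaps = find_overlaps(load_memberships(csv_text))
    return (not overlaps, overlaps)

if __name__ == "__main__":
    ok, overlaps = check_mutually_exclusive(SAMPLE_EXPORT)
    for member, groups in sorted(overlaps.items()):
        print(f"{member} is in {len(groups)} tenant groups: {', '.join(groups)}")
    print("mutually exclusive" if ok else "NOT mutually exclusive")
```

Addresses are compared case-insensitively, and a member listed twice in the same group is not reported as an overlap.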

If you need assistance with onboarding, contact our Customer Success Management team at email_security_onboarding@checkpoint.com.

Connecting Multiple Harmony Email & Collaboration Tenants

To connect multiple Harmony Email & Collaboration tenants to the same Microsoft 365 account:

Note - Before connecting the tenants, see the Limitations.

  1. From the Getting Started Wizard, click Start for Office 365 Mail.

    or

    Navigate to Security Settings > SaaS Applications and click Start for Office 365 Mail.

  2. Select the mode of operation for Office 365.

    • Automatic mode

      Harmony Email & Collaboration performs the necessary configurations to your Microsoft 365 environment and operates in Monitor only mode. For more information, see Automatic Mode Onboarding - Microsoft 365 Footprint.

    • Manual mode

      You must manually perform the necessary configurations in the Office 365 Admin Exchange Center before you bind the application to your Office 365 email account and every time you add or edit the security policy associated with Office 365 emails. For more information, see Appendix A: Check Point Manual Integration with Office 365.

    Note - Check Point recommends using Automatic mode, allowing better maintenance, management, and smoother user experience. Before using the Manual mode, contact Check Point Support to help resolve any issues raised with the Automatic mode for onboarding.

  3. Enable the I Accept Terms Of Service checkbox.

  4. If you need to limit the license consumption and protection to a specific group of users or to connect multiple Harmony Email & Collaboration tenants to the same Microsoft 365 account:

    1. Enable the Restrict inspection to a specific group (Groups Filter) checkbox and click OK.

    2. In the Office 365 Authorization window that appears, sign in with a user with Microsoft Application Administrator or higher permissions.

    3. In the authorization screen, click Accept to grant permissions for the Check Point Cloud Security Platform - Emails V2 application.

    4. In the Office 365 Mail - Group Selection pop-up, select Specific group.

    5. Enter the group name you need to protect with Harmony Email & Collaboration.

      Notes:

      • The group name must have an associated email address.

      • Harmony Email & Collaboration supports these groups for group filtering:

        • Assigned Membership:

          • Microsoft 365 Group

          • Mail-enabled Security Group

          • Distribution List

        • Dynamic Membership:

          • Microsoft 365 Group

    6. If you need to connect multiple Harmony Email & Collaboration tenants to the same Microsoft 365 account, enable the Multiple portals will be connected to this Office 365 account checkbox.

      Caution - Before you enable the checkbox, see Connecting Multiple Portals to the Same Microsoft 365 Account.

    7. Click OK.

Now, the Office 365 Mail SaaS is enabled and monitoring begins immediately.

Note - After activating Office 365 Mail, Harmony Email & Collaboration performs a retroactive scan of its content. For more information, see Onboarding Next Steps.

Connecting Multiple Tenants to the same Microsoft 365 Account - Microsoft 365 Footprint

As part of the connection to Microsoft 365, Harmony Email & Collaboration creates Mail Flow rules, Connectors, Journaling Rules and Groups.

As part of the automatic connection of multiple Harmony Email & Collaboration tenants to the same Microsoft 365 account, these artifacts will be created separately for each tenant, and their names will include a suffix that serves as a portal identifier.

These artifacts will appear in your Microsoft 365 account once for every connected tenant:

  • Mail Flow Rules:

    • Check Point Protect – [portal identifier]

    • Check Point Protect Outgoing – [portal identifier]

  • Connectors

    • Check Point Journaling Outbound – [portal identifier]

    • Check Point Outbound – [portal identifier]

    • Check Point DLP Outbound – [portal identifier]

  • Journal rule

    • Check Point – Monitor – [portal identifier]

  • Groups – a Microsoft group is created for every portal

    • checkpoint_inline_incoming_[portal identifier]

    • checkpoint_inline_outgoing_[portal identifier]

  • Distribution list

    • checkpoint_inline_groups_[portal identifier]

For more information about the portal identifier, see Portal Identifier of Harmony Email & Collaboration Tenant.
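An added example (not Check Point code) that audits the per-tenant footprint listed above: given the artifact names found in the Microsoft 365 account, it groups them by portal identifier and reports which expected artifacts are missing for each one. The inventory layout, the kind labels and the identifiers `portal-a` and `portal-b` are constructed; accepting an ASCII hyphen in place of the en dash is an assumption.

```python
from collections import defaultdict

# Name templates copied from the footprint list; "{id}" is the portal identifier.
EXPECTED = {
    "mail flow rule": ["Check Point Protect – {id}", "Check Point Protect Outgoing – {id}"],
    "connector": ["Check Point Journaling Outbound – {id}", "Check Point Outbound – {id}",
                  "Check Point DLP Outbound – {id}"],
    "journal rule": ["Check Point – Monitor – {id}"],
    "group": ["checkpoint_inline_incoming_{id}", "checkpoint_inline_outgoing_{id}"],
    "distribution list": ["checkpoint_inline_groups_{id}"],
}

# Constructed inventory; "portal-b" lacks its DLP connector and journal rule.
SAMPLE = {
    "mail flow rule": ["Check Point Protect – portal-a", "Check Point Protect Outgoing – portal-a",
                       "Check Point Protect – portal-b", "Check Point Protect Outgoing – portal-b"],
    "connector": ["Check Point Journaling Outbound – portal-a", "Check Point Outbound – portal-a",
                  "Check Point DLP Outbound – portal-a",
                  "Check Point Journaling Outbound – portal-b", "Check Point Outbound - portal-b"],
    "journal rule": ["Check Point – Monitor – portal-a"],
    "group": ["checkpoint_inline_incoming_portal-a", "checkpoint_inline_outgoing_portal-a",
              "checkpoint_inline_incoming_portal-b", "checkpoint_inline_outgoing_portal-b"],
    "distribution list": ["checkpoint_inline_groups_portal-a", "checkpoint_inline_groups_portal-b"],
}

def ascii_dash(text):
    # The page prints an en dash; also accepting "-" is an assumption of this example.
    return text.replace("\u2013", "-")

def audit_footprint(inventory):
    """Map each portal identifier seen in {kind: [names]} to its missing artifacts."""
    found = defaultdict(set)  # portal identifier -> {(kind, template)} present
    for kind, templates in EXPECTED.items():
        for raw in inventory.get(kind, []):
            name = ascii_dash(raw.strip())
            for template in templates:
                prefix = ascii_dash(template[:-len("{id}")])
                portal_id = name[len(prefix):]
                if name.startswith(prefix) and portal_id:
                    found[portal_id].add((kind, template))
    return {
        portal_id: [(kind, t.format(id=portal_id))
                    for kind, templates in EXPECTED.items() for t in templates
                    if (kind, t) not in present]
        for portal_id, present in found.items()
    }

if __name__ == "__main__":
    for portal_id, missing in audit_footprint(SAMPLE).items():
        print(portal_id, "complete" if not missing else f"missing: {missing}")
```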