Required Roles and Permissions

Harmony Email & Collaboration needs these roles and permissions to secure all users and remediate all threats.

Required Permissions

Harmony Email & Collaboration requires the following permissions from Microsoft. For each permission required from Microsoft 365, the functions Harmony Email & Collaboration performs with it are listed below it.

Create groups

Creating groups while onboarding as part of setting up protection.

Manage Exchange As Application

Used to run PowerShell commands on Exchange elements on behalf of the Check Point application.

Manage all users' identities

Used to block compromised accounts.

Read and write directory data

Used for these:

  • Read users, groups, and other directory data during onboarding.

  • Read updates from Active Directory to influence policy assignments and manage specific user functions and configurations daily.

Read and write domains

In addition to Read Domains, creates a Check Point subdomain while onboarding and uses its certificate to deliver emails back to Microsoft.

Read activity data for your organization

Used for these:

  • Getting user login events, Microsoft Defender events and others to present login activities and detect compromised accounts (Anomalies).

  • Getting Microsoft detection information to present for every email.

Read all audit log data

Used for retrospective audit of login events to detect compromised accounts (Anomalies).

Read all applications

Used to read application parameters required for onboarding and off-boarding of the application.

Read all directory RBAC settings

Used to collect users and their roles, in order to scope policies, enforce them and report on these users.

Read and write all directory RBAC settings

In addition to Read all directory RBAC settings, assigns a role to the Check Point application while onboarding, so that it can run PowerShell commands.

Read all hidden memberships

Used to collect hidden members of groups, to support policy assignment, policy enforcement and reports on users.

Read all groups

Used for mapping users to groups to properly assign policies to users.

Read contacts in all mailboxes

Used to protect contacts and scope policies for users.

Read domains

Collect protected domains to:

  • Secure domains.

  • Skip inspection of emails from other domains and not deliver them back to Microsoft.

  • Allow DMARC Management for these domains.

  • Automatically brand the Security Awareness Training end-user experience.

Read and write all users' full profiles

Collect all users to protect them and scope policies on users.

Read and write all user mailbox settings

Used for these:

  • Read mailbox rules to detect compromised accounts.

  • Add a mailbox rule as part of the Greymail workflow.

Read and write mail in all mailboxes

Used for these:

  • Enforcing Detect and Remediate policy rules, where emails are quarantined or modified post-delivery.

  • Allowing administrators to quarantine emails that are already in the users' mailboxes.

  • Allowing administrators to restore emails to users' mailboxes.

  • Baselining communication patterns as part of Learning Mode.

Use Exchange Web Services with full access to all mailboxes

Required to allow running other Microsoft Exchange APIs.

Read and write all group memberships

In addition to Read all groups, when the set of users protected inline changes, a group created by Harmony Email & Collaboration is automatically adjusted to include the new inline users.

Read all published labels and label policies for an organization

Read Microsoft Sensitivity Labels so they can be used as part of the Check Point DLP policy.

Required Application Roles

Harmony Email & Collaboration needs these roles during onboarding:

  • Exchange Administrator

  • Privileged Authentication Administrator

Exchange Administrator

Harmony Email & Collaboration uses the Exchange Administrator role to perform these tasks, using several methods, including running PowerShell commands.

  • Initial onboarding - To configure Mail Flow Rules, Connectors, and additional elements for incoming, internal, and outgoing mail flow, as required to enforce the configured DLP, Threat Detection, and Click-Time Protection policies. For more information, see Automatic Mode Onboarding - Microsoft 365 Footprint.

  • Unified Quarantine - Filter information about emails quarantined by Microsoft and, if required, restore them from the Microsoft quarantine.

  • Track Microsoft Spam Policy - To determine what Microsoft would have done with every email, Harmony Email & Collaboration checks for updates in your configured Microsoft policy for every Spam confidence level (SCL).

  • Integration with Microsoft Encryption - To enable the integration with Microsoft Encryption to support DLP policy rules with the Email is allowed. Encrypted by Microsoft workflow. For more information, see DLP Policy for Outgoing Emails.

  • Automated maintenance - To enhance troubleshooting capabilities and support infrastructure growth.

  • To support new features in the future.

Privileged Authentication Administrator

Harmony Email & Collaboration uses the Privileged Authentication Administrator role to block users and reset their passwords if they are detected as compromised. See Remediating Compromised Accounts.

Microsoft 365 Mail - Approving User

The administrator approving the application must have the Privileged Authentication Administrator role or higher permissions, or you must have the credentials of such an administrator.

Reducing the Assigned Microsoft Application Role

  • Harmony Email & Collaboration uses the Privileged Authentication Administrator role to block accounts that are detected as compromised. This role allows blocking every compromised account, even if it is a Global Administrator. For more information, see Remediating Compromised Accounts.

  • After successfully Activating Office 365 Mail, administrators can reduce the Privileged Authentication Administrator role to any of the roles described in this Microsoft article.

  • Once you do that, Harmony Email & Collaboration will only be able to block compromised accounts whose password the selected role can reset (see this Microsoft article).

    Notes:

    • When reducing the application role, make sure to apply the lesser role first (see this Microsoft article) and then remove the more privileged role (see this Microsoft article).

    • If you connected Harmony Email & Collaboration to Office 365 Mail prior to December 09, 2024, your application might be assigned the Global Administrator role. You can manually reduce this role to Exchange Administrator, Privileged Authentication Administrator or a lesser role.
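The role reduction described in the notes above, as an added PowerShell example that is not part of the original page or of Check Point's own tooling. It assumes the Microsoft Graph PowerShell SDK, an administrator allowed to manage role assignments, a placeholder application display name, and Authentication Administrator as the example lesser role (confirm the role you choose against the Microsoft article referenced above).

```powershell
# Added example: audit the directory roles held by the Harmony Email & Collaboration
# service principal, then grant the lesser role BEFORE removing the privileged one,
# which is the order the documentation requires.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Application.Read.All"

$appDisplayName = "<Harmony Email & Collaboration app name>"   # placeholder, not a real name
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Service principal not found: $appDisplayName" }

# 1. Audit: list every directory role currently assigned to the application,
#    so the result can be compared with the roles this page documents.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'"
foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    Write-Host ("{0,-45} scope={1}" -f $def.DisplayName, $a.DirectoryScopeId)
}

# 2. Reduce: assign the lesser role first, then remove the privileged one, so the
#    application never loses the ability to block compromised accounts in between.
$fromRole = "Privileged Authentication Administrator"
$toRole   = "Authentication Administrator"   # example lesser role (assumption)

$toDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$toRole'"
$null = New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
            -RoleDefinitionId $toDef.Id -DirectoryScopeId "/"

$fromDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$fromRole'"
$old = $assignments | Where-Object { $_.RoleDefinitionId -eq $fromDef.Id }
foreach ($o in $old) {
    Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $o.Id
}
```

Re-run the audit loop afterwards to confirm that only the lesser role (plus Exchange Administrator) remains on the application.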