Required Roles and Permissions

Harmony Email & Collaboration needs these roles and permissions to secure all users and remediate all threats.

Required Permissions

Harmony Email & Collaboration requires the following permissions from Microsoft.

Note - Some of these permissions seem duplicated and share the same functions. This is because they are permissions to different sets of Microsoft APIs that are used in different scenarios and, at times, as backups for each other.

The list below gives each permission required from Microsoft 365, followed by the functions Harmony Email & Collaboration performs with it.

Manage Exchange As Application

Used for Automatic mode setup. It is needed for PowerShell access to create items not available through API (Journal Entries/Connectors/Mail Flow Rules).

Access directory as the signed in user

Used for these:

  • Mapping users to groups to properly assign policies to users.

  • Baselining the active users to detect impersonation attempts.

  • Mapping users to titles, departments and more to determine if a user is a VIP user or not.

Read and write directory data

Read activity data for your organization

Used for these:

  • Getting user login events, Microsoft Defender events and others to present login activities and detect compromised accounts (Anomalies).

  • Getting Microsoft detection information to present for every email.

Read all audit log data

Used for retrospective audit of login events to detect compromised accounts (Anomalies).

Read all applications

Used to support the DLP workflow that triggers the Microsoft encryption.

Read and write all directory RBAC settings

Used for these:

  • Automatic mode setup. It is needed for PowerShell access to create items not available through API (Journal Entries/Connectors/Mail Flow Rules).

  • Allowing administrators to disable users or reset their passwords.

Read and write all groups

Used for mapping users to groups to properly assign policies to users.

Groups are created and users are assigned to them to apply Prevent (Inline) policy rules.

Read and write all groups (preview)

Read and write all users' full profiles

Used for these:

  • Mapping users to groups to properly assign policies to users.

  • Allowing administrators to disable users or reset their passwords.

Read and write all user mailbox settings

Used for continuously monitoring mailbox settings to detect indications of account compromise, such as changed MFA settings, forwarding rules and many more.

Read and write mail in all mailboxes

Read and write contacts in all mailboxes

Used for baselining social graphs and communication patterns for accurate phishing detections.

Read and write user and shared mail

Used for these:

  • Enforcing Detect and Remediate policy rules, where emails are quarantined/modified post-delivery.

  • Allowing administrators to quarantine emails that are already in the users' mailboxes.

  • Baselining communication patterns as part of Learning Mode.

  • Retroactive scan of emails already in users' mailboxes immediately after onboarding.

Read and write user mail

Use Exchange Web Services with full access to all mailboxes

Send mail as a user

Used for sending notifications to end users in scenarios where SMTP delivery is technically not available. This includes phishing, malware and DLP notifications.

Send mail as any user

Send mail on behalf of others

Read service health information for your organization

Reserved for future releases.

Required Role - Global Administrator

Harmony Email & Collaboration uses the Global Admin role to perform these tasks through several methods, including running PowerShell commands.

  • Initial onboarding - To configure Mail Flow Rules, Connectors, and additional elements for incoming, internal, and outgoing mail flow, as required to enforce the configured DLP, Threat Detection, and Click-Time Protection policies. For more information, see Automatic Mode Onboarding - Microsoft 365 Footprint.

  • Unified Quarantine - Filter information about emails quarantined by Microsoft and, if required, restore them from the Microsoft quarantine.

  • Track Microsoft Spam Policy - To determine what Microsoft would have done with every email, Harmony Email & Collaboration checks for updates in your configured Microsoft policy for every Spam confidence level (SCL).

  • Integration with Microsoft Encryption - To enable the integration with Microsoft Encryption to support DLP policy rules with the Email is allowed. Encrypted by Microsoft workflow. For more information, see DLP Policy for Outgoing Emails.

  • Automated maintenance - To enhance troubleshooting capabilities and support infrastructure growth.

  • To support new features in the future.

Changing the Microsoft Application Role

After successfully onboarding the Office 365 Mail SaaS application to Harmony Email & Collaboration, the administrator can change the roles assigned to the Check Point application without losing any functionality.

To do that, the administrator must assign the Exchange Admin role to the application, along with one of these roles, which allow it to block users and reset their passwords.

  • Authentication Admin

  • User Admin

  • Password Admin

Note - For users with higher privileges, these roles might not be able to block them or reset their passwords. To view the roles that allow blocking users or resetting their passwords, see Microsoft documentation.

To change the application role to Exchange Admin, follow these steps:

  1. Add the Check Point Cloud Security Platform - Emails V2 application to the Exchange Admin role and to the additional user-blocking role. For more information, see Microsoft documentation.

  2. Remove the Check Point Cloud Security Platform - Emails V2 application from the Global Admin role. For more information, see Microsoft documentation.
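The two steps above, as an added PowerShell example that is not part of the Check Point documentation: it uses the Microsoft Graph PowerShell SDK to grant the narrower roles to the application's service principal before removing Global Administrator, so the application never loses functionality between the steps. It assumes the SDK module is installed, the signed-in administrator may manage role membership, and the service principal display name matches the application name given in step 1 (User Administrator is used here as the user-blocking role; Authentication or Password Administrator would work the same way).

```powershell
# Added example: move the Harmony Email & Collaboration service principal from
# Global Administrator to Exchange Administrator + User Administrator.
# Assumes the Microsoft.Graph module is installed and the caller can manage roles.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Application.Read.All"

$appName = "Check Point Cloud Security Platform - Emails V2"
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Service principal '$appName' not found in this tenant" }

# Get-MgDirectoryRole only returns roles already activated in the tenant, so
# activate the role from its template if nobody has ever been assigned to it.
function Get-ActivatedRole([string]$DisplayName) {
    $role = Get-MgDirectoryRole | Where-Object DisplayName -eq $DisplayName
    if (-not $role) {
        $tpl = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $DisplayName
        if (-not $tpl) { throw "No role template named '$DisplayName'" }
        $role = New-MgDirectoryRole -RoleTemplateId $tpl.Id
    }
    return $role
}

# Membership is added by object reference, not by user principal name.
$ref = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)" }

# Step 1: grant the narrower roles first, skipping any the app already holds.
foreach ($name in "Exchange Administrator", "User Administrator") {
    $role = Get-ActivatedRole $name
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
    if ($members.Id -notcontains $sp.Id) {
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $ref
        Write-Host "Added '$appName' to $name"
    }
}

# Step 2: only now remove Global Administrator from the service principal.
$ga = Get-ActivatedRole "Global Administrator"
if ((Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id).Id -contains $sp.Id) {
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $ga.Id -DirectoryObjectId $sp.Id
    Write-Host "Removed '$appName' from Global Administrator"
}

# Verify: the application should now list only the roles granted above.
Get-MgDirectoryRole | Where-Object {
    (Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id).Id -contains $sp.Id
} | Select-Object DisplayName
```

Run the verification query again after the next Harmony Email & Collaboration onboarding or re-authorization, since re-consenting the application can re-add the roles it was originally granted.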