Microsoft 365
Microsoft 365 is a cloud-based platform that integrates productivity apps and collaboration tools. This integration supports SaaS Ecosystem visibility, SaaS Security Posture Management (SSPM), Data Loss Prevention (DLP), and Malware Threat Protection capabilities.
Prerequisite
The user that performs the integration must have Global Administrator or Privileged Role Administrator permissions in Microsoft Entra ID (formerly Azure AD).
Required Permissions
To integrate Microsoft 365 with Check Point SaaS Security, the integration requests a predefined set of API permissions during installation.
These permissions allow SaaS Security to collect configuration data, audit logs, activity events, and content metadata required for security monitoring, risk analysis, DLP and malware detection, and enforcement of customer-defined remediation policies.
|
|
Note - All listed permissions are granted as Application permissions and require tenant‑level admin consent during installation. |
Permission Scope Summary
During installation, the Microsoft 365 integration requests a total of 25 application permissions across two API resource servers:
-
Microsoft Graph API – 23 permissions
-
Office 365 Management APIs – 2 permissions
Microsoft Graph API Permissions
| Permission Scope | Type | Description |
|---|---|---|
| AppCatalog.Read.All | Application | Read all app catalogs |
| Application.Read.All | Application | Read all applications |
| Application.ReadWrite.All | Application | Read and write all applications |
| AppRoleAssignment.ReadWrite.All | Application | Manage app permission grants and app role assignments |
| AuditLog.Read.All | Application | Read all audit log data |
| Chat.ReadBasic.All | Application | Read names and members of all chat threads |
| Directory.Read.All | Application | Read directory data |
| Files.Read.All | Application | Read files in all site collections |
| Files.ReadWrite.All | Application | Read and write files in all site collections |
| Place.Read.All | Application | Read all company places |
| Policy.Read.All | Application | Read your organization’s policies |
| Reports.Read.All | Application | Read all usage reports |
| RoleManagement.Read.Directory | Application | Read all directory RBAC settings |
| SharePointTenantSettings.Read.All | Application | Read SharePoint and OneDrive tenant settings |
| Sites.Read.All | Application | Read items in all site collections |
| Sites.ReadWrite.All | Application | Read and write items in all site collections |
| TeamMember.Read.All | Application | Read the members of all teams |
| TeamsAppInstallation.ReadForChat.All | Application | Read installed Teams apps for all chats |
| TeamsAppInstallation.ReadForTeam.All | Application | Read installed Teams apps for all teams |
| TeamsAppInstallation.ReadForUser.All | Application | Read installed Teams apps for all users |
| User.Read.All | Application | Read all users’ full profiles |
| User.ReadWrite.All | Application | Read and write all users’ full profiles |
| UserAuthenticationMethod.Read.All | Application | Read all users’ authentication methods |
Office 365 Management API Permissions
| Permission Scope | Type | Description |
|---|---|---|
| ActivityFeed.Read | Application | Read activity data for your organization |
| ActivityFeed.ReadDlp.Read | Application | Read DLP policy events including detected sensitive data |
Integrating Microsoft 365
Microsoft 365 uses OAuth2 authorization to integrate with SaaS Security. OAuth2 authorization is a protocol that allows users to grant third-party applications limited access to their resources without sharing their credentials.
|
|
Note - The integration is disabled if the Global Administrator or Privileged Role Administrator is no longer associated with the user who installed it. For example, when the user leaves the organization. |
To integrate Microsoft 365 with SaaS Security:
-
Log in to the SaaS Security Administrator Portal.
-
From the top banner, click Integration Manager.
-
In the Microsoft widget, click Connect.
The Microsoft window opens.

-
Click Connect.
The Sign in to your account window opens.
-
Select your account with the administrator privileges.
-
Review the permissions for SaaS Security and click Accept.
In the SaaS Security Administrator Portal, the Successfully connected message appears.

