Before you setup Office Protect


To ensure a smooth onboarding with Office Protect, clients must ensure that their M365 is properly configured to allow the app to operate.

There are 3 potential problems a setup might encounter, each detailed in this article:

  • Multi-Factor Authentication
  • Licensing issues
  • AD Federated Users

Multi-Factor Authentication

Enforcing Multi-Factor Authentication will prevent secmon from connecting to MSOL. Conditional Access Policies can be configured to automatically enforce MFA on new users within certain conditions, which causes secmon’s MFA to be immediately enforced upon creation and prevents the setup from completing.

We can find two types of Conditional Access Policies that can cause problems: 

  • Conditional Access Policies that enable MFA on users (either all users, or Admins)
  • Conditional Access Policies that require MFA when not logging in from trusted locations 

Note: Enabling Security Defaults will not prevent secmon from connecting.

How to fix it

Conditional Access Policies that enable MFA: Create an exclusion rule within the policy to allow secmon to authenticate without MFA. 



  • Select Conditional Access, then click on the policy you want to modify
  • In the Policy, Select User and Groups, then Exclude tab 
  • Check Users and Groups

Une image contenant texte

Description générée automatiquement

Microsoft 365 License

If your tenant has no licenses, Office Protect won’t be able to connect to Exchange, nor Microsoft 365 services, thus will be unable to proceed with the setup.

Sometimes, if you just created your organization, it can take Microsoft a while to recognize it and allow operations on it - up to 3 days in some cases - so if your setup is Stuck at “Start Feed Subscription” and your organization is new, leave it be for a few days. 

AD Federated Users

If your M365 users are federated by your Active Directory, the creation of a user requires an onPremiseImmutableID. As we cannot attribute a value to this field, you must allow the creation of a non-federated user because secmon has to be an Azure AD user.

onPremisesImmutableId: This property is used to associate an on-premises Active Directory user account to their Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property.

We recommend that the tenant migrates to ADFS from a Pass-through authentication model, if possible, otherwise, Office Protect won’t be able to create secmon, thus completing the setup.