Before you set up Office Protect
Synopsis
To ensure a smooth onboarding with Office Protect, clients must make sure their M365 tenant is configured so that the app can operate.
There are 3 potential problems a setup might encounter, each detailed in this article:
- Multi-Factor Authentication
- Licensing issues
- AD Federated Users
Multi-Factor Authentication
Enforcing Multi-Factor Authentication will prevent secmon from connecting to MSOL. Conditional Access Policies can be configured to automatically enforce MFA on new users under certain conditions; this causes MFA to be enforced on secmon immediately upon creation and prevents the setup from completing.
Two types of Conditional Access Policies can cause problems:
- Conditional Access Policies that enable MFA on users (either all users, or Admins)
- Conditional Access Policies that require MFA when not logging in from trusted locations
Note: Enabling Security Defaults will not prevent secmon from connecting.
How to fix it
Conditional Access Policies that enable MFA: create an exclusion within the policy so that secmon can authenticate without MFA.
- To do this, go to your Azure AD Portal https://aad.portal.azure.com/
- Click Azure Active Directory, then click Security
- Select Conditional Access, then click the policy you want to modify
- In the policy, select Users and groups, then the Exclude tab
- Check Users and groups
- Select secmon in the users to exclude from the policy, then click Save
Conditional Access Policies that require MFA outside trusted locations: add Sherweb’s IPs to your trusted locations: https://helpdesk.sherweb.com/en/support/solutions/articles/67000660197-how-to-set-up-trusted-ips-for-office-protect
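The following script is an added example, not Sherweb's or Microsoft's own code: it lists the enabled Conditional Access Policies that grant MFA and could apply to the secmon account, and reports whether secmon is already excluded or whether the policy only exempts trusted locations. It assumes the Microsoft Graph PowerShell SDK, the Policy.Read.All and User.Read.All scopes, and a placeholder UPN for your tenant's secmon user.

```powershell
# Added example (not Sherweb's or Microsoft's code): audit Conditional Access
# policies that would force MFA on secmon. Assumes the Microsoft Graph
# PowerShell SDK; the UPN below is a placeholder for your tenant's secmon user.
$SecmonUpn = 'secmon@contoso.onmicrosoft.com'   # placeholder, replace with yours

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All' | Out-Null
$secmon = Get-MgUser -UserId $SecmonUpn -Property Id, UserPrincipalName

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
    # Only enforced policies block the sign-in; report-only ones do not.
    if ($p.State -ne 'enabled') { continue }

    # Keep policies whose grant control requires MFA.
    $grants = @($p.GrantControls.BuiltInControls)
    if ($grants -notcontains 'mfa') { continue }

    # Conservative scope check: "All", secmon itself, or any role/group
    # assignment counts as "may apply" (group/role membership is not resolved).
    $users = $p.Conditions.Users
    $inScope = ($users.IncludeUsers -contains 'All') -or
               ($users.IncludeUsers -contains $secmon.Id) -or
               (@($users.IncludeRoles).Count -gt 0) -or
               (@($users.IncludeGroups).Count -gt 0)
    if (-not $inScope) { continue }

    $excluded = @($users.ExcludeUsers) -contains $secmon.Id
    # A policy that exempts only trusted locations is the second problem type.
    $trustedOnly = @($p.Conditions.Locations.ExcludeLocations) -contains 'AllTrusted'

    if ($excluded) { $action = 'OK: secmon is excluded' }
    elseif ($trustedOnly) { $action = 'Add Sherweb IPs to trusted locations or exclude secmon' }
    else { $action = 'Exclude secmon from this policy' }

    [pscustomobject]@{
        Policy         = $p.DisplayName
        SecmonExcluded = $excluded
        TrustedLocOnly = $trustedOnly
        Action         = $action
    }
}

$findings | Format-Table -AutoSize
```

Policies listed with an Action other than OK are the ones the steps above apply to; re-run the script after saving your changes to confirm the exclusion took effect.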
Microsoft 365 License
If your tenant has no licenses, Office Protect won’t be able to connect to Exchange or to other Microsoft 365 services, so the setup cannot proceed.
Sometimes, if you have just created your organization, it can take Microsoft a while to recognize it and allow operations on it, up to 3 days in some cases. If your setup is stuck at “Start Feed Subscription” and your organization is new, leave it be for a few days.
AD Federated Users
If your M365 users are federated by your Active Directory, creating a user requires an onPremisesImmutableId. As we cannot assign a value to this field, you must allow the creation of a non-federated user, because secmon has to be an Azure AD user.
onPremisesImmutableId: This property is used to associate an on-premises Active Directory user account to their Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property. https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
We recommend that the tenant migrates to ADFS from a Pass-through authentication model, if possible; otherwise, Office Protect won’t be able to create secmon and complete the setup. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authentication