Synopsis

To ensure a smooth onboarding with Office Protect, clients must ensure that their M365 is properly configured to allow the app to operate.

There are 2 potential problems a setup might encounter, each detailed in this article:

• Licensing issues
• AD Federated Users

Microsoft 365 Licensing

If your tenant has no licenses, Office Protect won’t be able to connect to Exchange, nor Microsoft 365 services, thus will be unable to proceed with the setup.

If your tenant has no Exchange plan/licences, Office Protect won’t be able to enable the audit logs required for the monitoring, thus will be unable to proceed with the setup.

Sometimes, if you just created your organization, it can take Microsoft a while to recognize it and allow operations on it - up to 3 days in some cases - so if your setup is Stuck at “Start Feed Subscription” and your organization is new, leave it be for a few days. 

AD Federated Users

If your M365 users are federated by your Active Directory, the creation of a user requires an onPremiseImmutableID. As we cannot attribute a value to this field, you must allow the creation of a non-federated user because secmon has to be an Azure AD user.

onPremisesImmutableId: This property is used to associate an on-premises Active Directory user account to their Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property.  https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0

We recommend that the tenant migrates to ADFS from a Pass-through authentication model, if possible, otherwise, Office Protect won’t be able to create secmon, thus completing the setup. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authentication