Microsoft 365
Scan your Microsoft 365 tenant for Exchange security, SharePoint sharing policies, Teams settings, and Purview compliance configurations.
Prerequisites
The integration uses an Entra ID (Azure AD) app registration that authenticates with the client credentials flow and holds Microsoft Graph application permissions for the M365 services below. Two kinds of rights are needed in the tenant: creating the app registration and its secret (Application Administrator, Cloud Application Administrator, or Global Administrator), and granting tenant-wide admin consent for Microsoft Graph application permissions (Global Administrator or Privileged Role Administrator). Security Administrator alone cannot grant admin consent, so plan for a Global Administrator to complete that step.
- Microsoft 365 tenant with the admin roles above
- Access to the Azure / Entra ID portal (entra.microsoft.com)
- Microsoft Graph API permissions for M365 services (see below)
- ComplyWise admin role for configuration
Step-by-Step: Create an Entra ID App Registration
Follow these steps carefully. You will need three values: Application (client) ID, Directory (tenant) ID, and a client secret Value.
1. Sign in to the Microsoft Entra admin center at entra.microsoft.com as a Global Administrator or Application Administrator.
2. Navigate to Applications → App registrations → click + New registration.
3. Enter a display name (e.g. "ComplyWise Scanner"), select "Accounts in this organizational directory only" (single tenant), leave the Redirect URI blank (the client credentials flow does not use one), and click Register.
4. On the Overview page, copy the Application (client) ID and paste it into the Client ID field in ComplyWise.
5. On the same Overview page, copy the Directory (tenant) ID and paste it into the Tenant ID field in ComplyWise.
6. In the left sidebar, click Certificates & secrets → Client secrets tab → + New client secret.
7. Enter a description (e.g. "ComplyWise") and choose an expiration. The portal offers up to 24 months; pick the shortest period your rotation process can meet and record the expiry date, because an expired secret breaks the connection (see Common Issues). Click Add.
8. IMPORTANT: Immediately copy the Value column (the long string). This is your client secret. Do NOT copy the Secret ID; that is only an internal identifier and will not work. The Value is shown once; if you navigate away you must create a new secret. Treat the Value as a credential with the full reach of the permissions you grant below: it does not need a user to sign in.
9. Paste the Value into the Client Secret field in ComplyWise.
10. Go to API permissions → + Add a permission → Microsoft Graph → Application permissions, and add the permissions listed below.
11. After adding permissions, click ✓ Grant admin consent for [your tenant] and confirm. Granting tenant-wide consent for Microsoft Graph application permissions requires Global Administrator or Privileged Role Administrator; an Application Administrator cannot complete this step.
Required API Permissions
Add the following Microsoft Graph application permissions (not delegated) to your app registration. Application permissions run without a signed-in user and apply to the whole tenant, so they take effect only after a Global Administrator or Privileged Role Administrator clicks "Grant admin consent"; until then the app receives tokens with no permissions at all.
- Mail.Read — Exchange transport rules and mail flow settings. As an application permission, Mail.Read also lets the app read message content in every mailbox in the tenant, not only configuration; if your policy requires it, scope the app to a specific mailbox or group with an Exchange Online application access policy (New-ApplicationAccessPolicy) so the rest of the tenant's mail stays out of reach.
- SharePoint.Read.All — site configurations, sharing policies, external access
- Team.ReadBasic.All — Teams configuration, guest access policies
- SecurityEvents.Read.All — Microsoft Defender alerts and incidents
- Policy.Read.All — conditional access policies, DLP rules
- Reports.Read.All — usage and security reports
What Gets Scanned
The Microsoft 365 scanner evaluates configuration across Exchange Online, SharePoint Online, Microsoft Teams, and Microsoft Purview. It checks email transport rules for data loss prevention, SharePoint external sharing policies, Teams guest access settings, and compliance center DLP policies.
- Exchange Online: transport rules, DKIM/DMARC/SPF, anti-phishing policies, audit logging
- SharePoint Online: external sharing, guest access, site classification, sensitivity labels
- Teams: guest access policies, meeting policies, messaging policies
- Purview: DLP policies, retention policies, sensitivity labels, eDiscovery configuration
- Defender for Office 365: safe attachments, safe links, anti-phishing policies
Configuring in ComplyWise
Navigate to Settings → Integrations → Microsoft 365 in the ComplyWise dashboard. Enter the three values you copied during app registration.
- Client ID — the Application (client) ID from the app's Overview page
- Client Secret — the Value from Certificates & secrets (NOT the Secret ID)
- Tenant ID — the Directory (tenant) ID from the app's Overview page
- Click Connect — ComplyWise will validate access and begin an initial scan
Common Issues
If the connection test fails, verify these common pitfalls:
- Wrong secret: Make sure you copied the client secret Value, not the Secret ID. The Secret ID is a GUID (five hyphen-separated groups of hex digits); the Value is a string of letters, digits and punctuation such as ~ and . that the portal shows only once. The token endpoint reports a wrong Value as error AADSTS7000215 (invalid client secret).
- Permissions not consented: After adding API permissions, you must click "Grant admin consent". The Status column should read "Granted for [your tenant]" with a green checkmark next to each permission; if it does not, the app's tokens carry no roles and Graph returns 403 Insufficient privileges.
- Wrong tenant: Ensure the Tenant ID matches the directory where your M365 subscriptions live.
- Secret expired: Client secrets expire based on the duration you chose. Create a new one if expired.
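The following script is an added example, not ComplyWise code or code from the page, that lets you verify an app registration built by the steps above and diagnose the failures listed under Common Issues before clicking Connect. It acquires a token with the client credentials grant (the same flow the integration uses), checks that every required permission appears in the token's roles claim, and maps the AADSTS error codes the Microsoft identity platform returns for a bad secret, an expired secret, and a wrong tenant or client ID onto the fixes above. The function names and the hint table are this example's own; the tenant and client values in the comments are placeholders, and the token used in the offline demonstration is constructed locally and unsigned.

```python
"""Check an Entra ID app registration for the Microsoft 365 integration:
acquire a client-credentials token, confirm the required Microsoft Graph
application permissions are in its `roles` claim, and explain common
AADSTS token-endpoint errors. Added example; not ComplyWise code."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Application permissions listed on this page.
REQUIRED_ROLES = {
    "Mail.Read", "SharePoint.Read.All", "Team.ReadBasic.All",
    "SecurityEvents.Read.All", "Policy.Read.All", "Reports.Read.All",
}

# Token-endpoint error codes mapped to the pitfalls under Common Issues
# (hint wording is this example's own).
AADSTS_HINTS = {
    "AADSTS7000215": "Wrong secret: the client secret Value is invalid (did you paste the Secret ID?).",
    "AADSTS7000222": "Secret expired: create a new client secret and update ComplyWise.",
    "AADSTS700016": "Wrong tenant or client ID: the app was not found in this directory.",
    "AADSTS90002": "Wrong tenant: the Tenant ID does not resolve to a directory.",
}


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment of a JWT without verifying the signature.
    Graph verifies signatures; here we only inspect what was granted."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Required application permissions absent from the token's roles claim.
    No roles claim at all means admin consent was never granted."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return set(required) - granted


def explain_token_error(body: str) -> str:
    """Turn an error JSON body from the token endpoint into a Common Issues fix."""
    try:
        err = json.loads(body)
    except ValueError:
        return "Unrecognised response from the token endpoint: " + body[:200]
    desc = err.get("error_description", "")
    for code, hint in AADSTS_HINTS.items():
        if code in desc:
            return hint
    return f"{err.get('error', 'unknown_error')}: {desc[:200]}"


def acquire_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client credentials grant against the v2.0 endpoint. Scope .default asks
    for every consented application permission, so the roles claim reflects
    exactly what admin consent granted."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    data = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
            return json.loads(resp.read())["access_token"]
    except urllib.error.HTTPError as e:
        raise RuntimeError(explain_token_error(e.read().decode())) from e


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT so the checks can be exercised offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Constructed token: consent granted for all but SecurityEvents.Read.All.
    sample = make_unsigned_token({
        "aud": "https://graph.microsoft.com",
        "roles": sorted(REQUIRED_ROLES - {"SecurityEvents.Read.All"}),
    })
    print("missing:", missing_roles(sample))
    print(explain_token_error(
        '{"error":"invalid_client","error_description":'
        '"AADSTS7000215: Invalid client secret provided."}'))
    # Live check (network and real placeholder values required):
    # tok = acquire_token("<tenant-id>", "<client-id>", "<secret-value>")
    # print("missing:", missing_roles(tok) or "none")
```

Run it with real values in acquire_token after step 11: an empty missing set means the secret, tenant and consent are all correct, and any permission still listed is one whose consent has not taken effect yet.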
Compliance Mapping
Microsoft 365 findings map to data protection, communications security, and information management controls. Email security configurations satisfy communication security controls. SharePoint sharing policies map to data classification and access control requirements.
- Email security → SOC 2 CC6.6, ISO A.13.2, NIST CSF PR.DS
- Data sharing controls → HIPAA §164.312(e), PCI DSS 3, CMMC SC
- DLP and retention → SOC 2 CC6.7, ISO A.8.2, HIPAA §164.530(j)
- Audit logging → SOC 2 CC7.2, ISO A.12.4, NIST CSF DE.CM