Contents x
Overview
    • PDF
    Contents

    Overview

      • PDF
      Article summary

      Storage Monitoring Microsoft 365 Integrations

      The Glasswall Halo Storage Monitoring Service integrates with Microsoft 365 storage solutions, enabling automatic sanitization of supported file types as they are uploaded to monitored M365 storage spaces.

      Prerequisites

      To use M365 Storage Monitoring, ensure the following:

      Network Configuration Requirements

      This integration requires connectivity to the Microsoft Graph API. To allow Graph API notifications to reach Halo, you must either:

      • Expose a publicly reachable ingress address from your cluster
        or
      • Whitelist Microsoft Graph API IP addresses as listed in Microsoft documentation
        → See Microsoft 365 IPs, row 23: “Microsoft Graph Change Notifications”

      Required App Registration

      To enable Halo to monitor M365 cloud storage, an application must be registered in Microsoft Entra ID with the appropriate Microsoft Graph API permissions.

      Note: You’ll need access to a Microsoft Entra tenant and an account with at least the Cloud Application Administrator role.

      Register the Application

      1. Sign in to the Microsoft Entra admin center.
      2. If needed, switch to the desired tenant via Settings > Directories + subscriptions.
      3. Go to Identity > Applications > App registrations and select New registration.
      4. Enter a Name for the application.
      5. Under Supported account types, select Accounts in this organizational directory only.
      6. Leave the Redirect URI blank.
      7. Click Register.

      After registration, make note of the following from the Overview pane:

      • Application (client) ID
      • Directory (tenant) ID

      These values are required during Halo setup.

      Generate a Client Secret

      1. Navigate to Certificates & secrets > Client secrets.
      2. Select New client secret.
      3. Provide a description and choose an expiration period (or specify a custom lifetime).
      4. Click Add.
      5. Copy and save the client secret value immediately. You won’t be able to view it again after leaving the page.

      Note: Client secrets expire after 24 months or less. If expired, repeat the steps above to generate a new one.

      Configure API Permissions

      1. In the app's API permissions pane, select Add a permission.

      2. Choose Microsoft Graph > Application permissions.

      3. Grant the following permissions:

        • Files.ReadWrite.All
        • For SharePoint:
          • Sites.Read.All
        • For OneDrive:
          • User.ReadBasic.All

      4. Click Add permissions.

      5. If permissions show as Not granted, select Grant admin consent.

      Once these steps are complete, you can proceed with deploying Glasswall Halo with Storage Monitoring enabled.

      Was this article helpful?
      What's Next