Overview


Storage Monitoring Microsoft 365 Integrations

The Glasswall Halo Storage Monitoring Service integrates with Microsoft 365 storage solutions, enabling automatic sanitization of supported file types as they are uploaded to monitored M365 storage spaces.

Prerequisites

To use M365 Storage Monitoring, ensure the following:

Network Configuration Requirements

This integration requires connectivity to the Microsoft Graph API. To allow Graph API notifications to reach Halo, you must either:

  • Expose a publicly reachable ingress address from your cluster
    or
  • Whitelist Microsoft Graph API IP addresses as listed in Microsoft documentation
    → See Microsoft 365 IPs, row 23: “Microsoft Graph Change Notifications”

Required App Registration

To enable Halo to monitor M365 cloud storage, an application must be registered in Microsoft Entra ID with the appropriate Microsoft Graph API permissions.

Note: You'll need access to a Microsoft Entra tenant and an account with at least the Cloud Application Administrator role.

You can either follow the steps below to manually create the app registration or use the provided shell script to automate the process.
Before running the script, verify its integrity using the SHA-256 checksum:

sha256 create-azure-app-registrations-storage-monitor.sh

The output must match: bf6196a700195d996a06f2b11caffcb71923b5547dd0f8026f25c7567c5cfa2e.
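
The check above can be made fail-closed so the script only runs when the digest matches. The following is an added example, not part of the Glasswall script or documentation; the function names `sha256_of` and `verify_sha256` are hypothetical, and it assumes one of `sha256sum`, `shasum`, `sha256` or `openssl` is installed.

```shell
#!/bin/sh
# Added example: verify a downloaded script against a pinned SHA-256 digest.
# Function names are hypothetical; the digest is the one published on this page.
EXPECTED_SHA256="bf6196a700195d996a06f2b11caffcb71923b5547dd0f8026f25c7567c5cfa2e"

# Print the hex SHA-256 of a file, using whichever tool is installed.
# The file is fed on stdin so unusual file names cannot alter the output format.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q < "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 -r < "$1" | awk '{print $1}'
    else
        return 127
    fi
}

# Return 0 only on an exact match, 1 on mismatch, 2 when the check cannot be done.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Reject a truncated or mistyped digest instead of comparing against it.
    case $expected in
        *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 characters" >&2; return 2; }
    actual=$(sha256_of "$file") || { echo "no SHA-256 tool found" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH for $file: got '$actual'" >&2
    return 1
}

# Usage (left as a comment so sourcing this file has no side effects):
#   verify_sha256 create-azure-app-registrations-storage-monitor.sh "$EXPECTED_SHA256" \
#       && sh create-azure-app-registrations-storage-monitor.sh
```

A non-zero return means the file must not be executed: download it again from the official source and repeat the check.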

Register the Application

  1. Sign in to the Microsoft Entra admin center.
  2. If needed, switch to the desired tenant via Settings > Directories + subscriptions.
  3. Go to Identity > Applications > App registrations and select New registration.
  4. Enter a Name for the application.
  5. Under Supported account types, select Accounts in this organizational directory only.
  6. Leave the Redirect URI blank.
  7. Click Register.

After registration, make note of the following from the Overview pane:

  • Application (client) ID
  • Directory (tenant) ID

These values are required during Halo setup.

Generate a Client Secret

  1. Navigate to Certificates & secrets > Client secrets.
  2. Select New client secret.
  3. Provide a description and choose an expiration period (or specify a custom lifetime).
  4. Click Add.
  5. Copy and save the client secret value immediately. You won't be able to view it again after leaving the page.

Note: Client secrets expire after 24 months or less. If expired, repeat the steps above to generate a new one.

Configure API Permissions

  1. In the app's API permissions pane, select Add a permission.

  2. Choose Microsoft Graph > Application permissions.

  3. Grant the following permissions:

    • Files.ReadWrite.All
    • For SharePoint:
      • Sites.Read.All
    • For OneDrive:
      • User.ReadBasic.All
  4. Click Add permissions.

  5. If permissions show as Not granted, select Grant admin consent.

Once these steps are complete, you can proceed with deploying Glasswall Halo with Storage Monitoring enabled.