
When deploying SphereShield as a SaaS solution, the following steps are required by the end customer.

  1. Give permissions to our Azure apps. If you intend to use only the proxy-based Ethical Wall and DLP, you need to grant permissions to the Sign-In app (see "How to configure the SphereShield Azure App for Sign in and groups?"). If you also intend to use the API-based Ethical Wall and DLP (Hybrid mode), you will only need to grant permissions to the Compliance app (see "How to configure the SphereShield Azure App for Compliance and Channel Management"). The Sign-In app is needed purely to access the portal using O365 authentication; the Compliance app needs permissions to control communication through the MS Graph API. The permissions required for each app are listed in "Permissions required for SphereShield Azure app".

When using the proxy approach, the following steps also need to be followed.

2. The forward proxy servers need a certificate that can sign on behalf of Microsoft. All client Teams traffic passes through the forward proxy, and a certificate is required to decrypt this traffic. You can either use AGAT's certificate or provide your own. If you use AGAT's certificate, you need to add the AGAT CA as a trusted root authority on the clients' machines - https://agatsoftware.atlassian.net/wiki/spaces/SFTKB/pages/166658062/Add+AGAT+s+CA+as+a+trusted+Root+CA. If you provide your own certificate, it must be a PFX file containing both the private key and the public certificate, it must be trusted by all the clients' machines, and it must include the following addresses in its "Subject Alternative Name" extension:

*.hockeyapp.net
*.officeapps.live.com
*http://officeapps.live.com
*.lync.com
*.dc.trouter.io
*.microsoftazuread-sso.com
*.microsoftonline.com
secure.aadcdn.microsoftonline-p.com
*.microsoftonline-p.com
*.microsoftonline-p.net
*.msappproxy.net
*.msecnd.net
*.office.com
*.office.net
*.office365.com
*.onenote.net
*.outlook.com
*.sharepoint.com
*.sharepointonline.com
*.skype.com
*.windows.net
*.pipe.aria.microsoft.com
teams.microsoft.com
*.teams.microsoft.com
*.ng.msg.teams.microsoft.com
*.trouter.teams.microsoft.com
*.presence.teams.microsoft.com
*.data.microsoft.com
*.asm.skype.com
*.broker.skype.com
*.cc.skype.com
*.config.skype.com
*.conv.skype.com
*.edge.skype.com
*.msg.skype.com
*.tpc.skype.com
*.pipe.skype.com
pipe.skype.com
*.teams.skype.com
*.notifications.teams.microsoft.com
*.userstore.skype.com
*.manage.microsoft.com
*.sfx.ms
*.adjust.com
*.asyncgw.teams.microsoft.com
*.agatskype.net
*.vo.msecnd.net
*.telemetry.microsoft.com
*.msftauth.net
*.msauth.net
*.msedge.net
*.msgapi.teams.microsoft.com
*.substrate.office.com

3. Configure the PAC file on the clients' machines - https://agatsoftware.atlassian.net/wiki/spaces/SFTKB/pages/166592519/Configure+SphereShield+PAC+file+in+the+PC+s+browser

4. All clients' machines need access to *.agatcloud.com to get static scripts (normally these come from Microsoft, but when Teams traffic is redirected to the AGAT server, those scripts have to be fetched from us).
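To verify a customer-supplied certificate against the Subject Alternative Name list in step 2 before it goes onto the forward proxy, the following added example (not AGAT's own tooling) parses the output of openssl's subjectAltName dump and reports which required entries are not covered. It assumes the PEM was exported from the PFX with `openssl pkcs12 -in cert.pfx -nokeys -clcerts` and dumped with `openssl x509 -in cert.pem -noout -ext subjectAltName`; the sample output and the shortened REQUIRED_SANS list are constructed for illustration.

```python
"""Check a certificate's SAN entries against the list SphereShield's forward proxy needs.
Input is the text printed by: openssl x509 -in cert.pem -noout -ext subjectAltName
"""
import re

# Subset of the required Subject Alternative Names from this page; extend with the full list.
REQUIRED_SANS = [
    "*.teams.microsoft.com",
    "teams.microsoft.com",
    "*.ng.msg.teams.microsoft.com",
    "*.skype.com",
    "pipe.skype.com",
    "*.office.com",
    "*.substrate.office.com",
    "*.sharepoint.com",
]

# Constructed sample of openssl output for a certificate that is NOT sufficient.
SAMPLE_OPENSSL_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:*.teams.microsoft.com, DNS:teams.microsoft.com, DNS:*.skype.com, DNS:*.office.com
"""


def parse_openssl_sans(text):
    """Extract the DNS: entries from 'openssl x509 -ext subjectAltName' output."""
    return re.findall(r"DNS:([^,\s]+)", text)


def san_covers(cert_san, required):
    """True if one certificate SAN satisfies one required entry.

    A wildcard SAN matches exactly one leftmost DNS label (RFC 6125), so
    '*.teams.microsoft.com' covers 'pipe.teams.microsoft.com' but covers neither
    'teams.microsoft.com' itself nor the deeper '*.ng.msg.teams.microsoft.com'.
    """
    cert_san, required = cert_san.lower(), required.lower()
    if cert_san == required:
        return True
    if cert_san.startswith("*.") and not required.startswith("*"):
        suffix = cert_san[1:]              # ".teams.microsoft.com"
        prefix = required[: -len(suffix)]  # whatever sits left of the suffix
        return required.endswith(suffix) and prefix != "" and "." not in prefix
    return False


def missing_sans(cert_sans, required=REQUIRED_SANS):
    """Return the required entries that no SAN in the certificate covers."""
    return [r for r in required if not any(san_covers(c, r) for c in cert_sans)]
```

Run `missing_sans(parse_openssl_sans(open("san.txt").read()))` on a real dump; an empty list means the certificate covers every required entry.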
