Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Create Custom OAuth App in Azure for Copilot

  1. Last updated
  2. Save as PDF
Limited Availability: Microsoft 365 Copilot integration is a feature with limited availability. For assistance, contact Skyhigh Support.

To integrate Skyhigh CASB with Copilot, you must register a new application in the Azure portal and apply the required API permissions to the application:

Register a New Application in Azure

To register a new application in the Azure portal, perform the steps below:

  1. Log in to the Azure portal at https://portal.azure.com/.
  2. Click App registrations.

    Click_App_Registration.png
     
  3. Click New registration.

    Click_New_Registration_New1.png
     
  4. Configure the following details in the registration form, and then click Register:
  • Name. Enter the name of the application. For example, Skyhigh Security Compliance Control.
  • Supported account Types. Select Accounts in this organizational directory only.

    Select options and click Register.png
     
  1. Review the new application properties.

    Review on overview tab.png
     
  2. You must upload a self-signed certificate. Run the following OpenSSL commands in Terminal (macOS) or Command Prompt (Windows) to generate a self-signed certificate, in the sequence shown below:
  • Generate a 2048-bit private key. Enter the command below at the prompt. This creates a private key file named office365OfflineDlpKey.pem. The key length should be 2048.
openssl genrsa -out office365OfflineDlpKey.pem 2048
  • Create a Certificate Signing Request (CSR). Enter the command below at the prompt. You will be prompted to enter details like country, organization name, common name, etc.
openssl req -new -key office365OfflineDlpKey.pem -out office365OfflineDlp.csr
  • Generate a  Self-Signed X.509 certificate with a generated key and signing request. Enter the command below at the prompt. This creates a certificate valid for 10 years (3650 days).
openssl x509 -req -in office365OfflineDlp.csr -signkey office365OfflineDlpKey.pem -out office365OfflineDlp-cert.pem -days 3650
  • Verify the certificate validity dates. Enter the command below at the prompt. These commands display the start and end validity dates of the certificate.
openssl x509 -startdate -noout -in office365OfflineDlp-cert.pem
openssl x509 -enddate -noout -in office365OfflineDlp-cert.pem

The generated certificate, private key, and CSR will be saved on your device. 

  1. Select Certificates & secrets.

    Select certificates and secrets.png
     
  2. On the Certificates tab, click Upload certificate.

    Click Upload certificate.png
     
  3. Upload the recently generated office365OfflineDlp-cert.pem certificate from your device to the Azure portal.
  4. Enter a description for the uploaded certificate, and then click Add.

    Upload certificate_Add.png

    A Thumbprint is generated.

    Thumbprint.png
     
  5. Apply the required API permissions to the application.

You have successfully created a new application in the Azure portal.

Apply API Permissions to the Application

Assign the following permissions to the application for Activity Monitoring and API DLP for prompts and responses.

Microsoft Graph Permission Type
User.Read.All
Chat.Read.All
AiEnterpriseInteraction.Read.All

To apply the required API permissions to the application, perform the following steps:

  1. To add the APIs with the permissions, select API Permissions.
  2. Select Add a permission.

    Click Add permission.png
     
  3. On the Microsoft APIs tab, select Microsoft Graph.

    Microsoft Graoh API.png
     
  4. Select Application permissions.

    Select_2nsstep applicatiopn permission.png
     
  5. In the Search bar, search for the required permission, select the permission type checkbox, and then click Add permissions

NOTE: Ensure that all required permissions are added to the application.

For the illustration, we have added a User.Read.All (Microsoft Graph).

Select permission types.png

  1. Select Grant admin consent for <your organization name> to grant admin consent for all API permissions. 

    Grant Admin Consent - 1.png
     
  2. In the Grant Admin Consent dialog, select the Yes, add other granted permissions to configured permissions option, and then click Save and continue.

    Grant Admin Consent dialog.png
     
  3. Click Grant admin consent.

    Grant Admin consent button.png
     
  4. In the Grant admin consent confirmation dialog, click Yes.

    Select Yes 1.png

    All the API permissions are granted with the admin's consent.

    Granted Image 1.png

Capture Configuration Details for Copilot API Access

You must add the following details while enabling Copilot API in Skyhigh CASB:

  1. Client ID. Go to the Azure portal > App registrations > All applications > select your application > Overview tab, and note down the Client ID.

    Client ID _Screenshot.png
     
  2. Private Key. Private key is the .pem file containing the private key that you created earlier (office365OfflineDlpKey.pem).
  3. Thumbprint. Go to the Azure portal > App registrations > All applications > select your application > Certificates & secrets, and note down the Thumbprint.

    Thumbprint screenshot.png
     
  4. Resource URL. Use the https://<O365TENANTNAME>.sharepoint.com
  5. Admin Email. The email address of an admin user assigned to the services, for example, admin@mycompany.onmicrosoft.com.

To create a Copilot instance in Skyhigh CASB, see Create Copilot Instance in Skyhigh CASB.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    How-to
  2. Tags
    This page has no tags.