Ask the community

Microsoft Office 365 Integrations - Privileges and Roles


Microsoft Office 365 Integrations - Privileges and Roles


Hello good afternoon Netskope community.


A doubt, to make SCIM integration with AzureAD for Users/Groups privisioning, with an Azure-AD user having the Application Administrator Role, he can manage enterprise applications for example SCIM and SSO usage for UI administration.


Now I can't find the exact role, privilege and/or permissions or permissions that are required for an account to integrate with Onedrive, with Outlook, with Sharepoint, via API to be able to use API protection It speaks of "Global Administrator", please can you confirm me exactly the granular role that allows an account to perform this type of integration between Netskope and Office 365, I already tried with the same Role Application Administrator and does not allow me.


Azure AD built-in roles:


Thanks to all of you for your time, collaboration and good work.



3 Replies 3

Hello @MetgatzNK,


The user granting permissions must be a Global Administrator at the time that they grant access.   The reason for this can be found at:


"In particular, the global admin is the only user that can delegate access for application-level permission (as opposed to user level permissions). You can find additional Microsoft documentation on how all these work here. Furthermore, global admin credential is required for Graph and Office 365 Management APIs. Post-grant, Netskope is independent of the granting account for policy processing."


However, you can downgrade this administrative user following the grant depending on what you have enabled.  Information on this can be found at:

I hope this helps but please let me know if you have any additional questions. 

Sam Shiflett
Netskope Solution Architect - North America

Hello @sshiflett 


Thank you for your cooperation, your answer and your time.


For the SCIM issue between Netskope and Azure to provision users with the Application Administrator Role, I was able to perform without problem this.


Now then for what you tell me, for the API, protection, then yes or yes, the Global Administrator role is required ?


I remain attentive, thank you


Best regards

@MetgatzNK apologies for the delay.  Your understanding is correct.  You do not need a Global Administrator for the SCIM integration as it leverages an OAUTH integration via a Netskope endpoint and a token.  A Global Administrator is required when granting access to Office365 for API-based protection.  

Sam Shiflett
Netskope Solution Architect - North America

In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below

Sign In