Connect Salesforce to Microsoft Defender for Cloud Apps
Note
Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender, which correlates signals from across the Microsoft Defender suite and provides incident-level detection, investigation, and powerful response capabilities. For more information, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
This article provides instructions for connecting Microsoft Defender for Cloud Apps to your existing Salesforce account using the app connector API. This connection gives you visibility into and control over Salesforce use. For information about how Defender for Cloud Apps protects Salesforce, see Protect Salesforce.
Use this app connector to access SaaS Security Posture Management (SSPM) features, via security controls reflected in Microsoft Secure Score. Learn more.
How to connect Salesforce to Defender for Cloud Apps
Note
Salesforce Shield should be available for your Salesforce instance as a prerequisite for this integration.
It's recommended to have a dedicated service admin account for Defender for Cloud Apps.
Validate that REST API is enabled in Salesforce.
Your Salesforce account must be one of the following editions that include REST API support:
Performance, Enterprise, Unlimited, or Developer.
The Professional edition doesn't have REST API by default, but it can be added on demand.
Check to see that your edition has REST API available and enabled as follows:
Sign in to your Salesforce account and go to the Setup Home page.
Under Administration -> Users, go to the Profiles page.
Create a new profile by selecting New Profile.
Choose the profile you just created to deploy Defender for Cloud Apps and select Edit. This profile will be used for the Defender for Cloud Apps service account to set up the App connector.
Make sure you have the following checkboxes enabled:
- API Enabled
- View All Data
- Manage Salesforce CRM Content
- Manage Users
- Query All Files
- Modify Metadata Through Metadata API Functions
If these checkboxes aren't selected, you may need to contact Salesforce to add them to your account.
If your organization has Salesforce CRM Content enabled, make sure that the current administrative account has it enabled as well.
Go to the Salesforce Setup Home page.
Under Administration -> Users, go to the Users page.
Select the current administrative user to your dedicated Defender for Cloud Apps user.
Make sure that the Salesforce CRM Content User check box is selected.
Go to Setup Home -> Security -> Session Settings. Under Session Settings, make sure that Lock sessions to the IP address from which they originated check box is not selected.
Select Save.
Go to Build -> Customize -> Salesforce Files -> Settings -> Content Deliveries and Public Links.
Select Edit and then select Checked Content Deliveries feature can be enabled for users
Select Save.
Note
The Content Deliveries feature needs to be enabled for Defender for Cloud Apps to query file sharing data. For more information, see ContentDistribution.
How to connect Defender for Cloud Apps to Salesforce
In the Defender for Cloud Apps console, select Investigate and then Connected apps.
In the App connectors page, select +Connect an app followed by Salesforce.
In the next window, give the connection a name and select Next.
In the Follow the link page, select Connect Salesforce.
This opens the Salesforce sign in page. Enter your credentials to allow Defender for Cloud Apps access to your team's Salesforce app.
Salesforce will ask you if you want to allow Defender for Cloud Apps access to your team information and activity log and perform any activity as any team member. To continue, select Allow.
At this point, you'll receive a success or failure notice for the deployment. Defender for Cloud Apps is now authorized in Salesforce.com.
Back in the Defender for Cloud Apps console, you should see the Salesforce was successfully connected message.
In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors. Make sure the status of the connected App Connector is Connected.
After connecting Salesforce, you'll receive Events as follows: Log in events and Setup Audit Trail for 60 days prior to connection, EventMonitoring 30 days, or 1 day back - depending on your Salesforce EventMonitoring license. The Defender for Cloud Apps API communicates directly with the APIs available from Salesforce. Because Salesforce limits the number of API calls it can receive, Defender for Cloud Apps takes this into account and respects the limitation. Salesforce APIs send each response with a field for the API counters, including total available and remaining. Defender for Cloud Apps calculates this into a percentage and makes sure to always leave 10% of available API calls remaining.
Note
Defender for Cloud Apps throttling is calculated solely on its own API calls with Salesforce, not with those of any other applications making API calls with Salesforce. Limiting API calls due to the limitation may slow down the rate at which data is ingested in Defender for Cloud Apps, but usually catches up over night.
Note
If your Salesforce instance is not in English, make sure to select the appropriate language attribute value for the integration service admin account.
To change the language attribute, navigate to Administration -> Users -> User and open the integration system admin account. Now navigate to Locale Settings -> Language and select the desired language.
Salesforce events are processed by Defender for Cloud Apps as follows:
- Sign-in events every 15 minutes
- Setup audit trails every 15 minutes
- Event logs every 1 hour. For more information about Salesforce events, see Using event monitoring.
If you have any problems connecting the app, see Troubleshooting App Connectors.
Next steps
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.
Feedback
Submit and view feedback for