
Before you begin provisioning, make sure that the "Control access from apps that don't use modern authentication" setting is correctly configured on the Office 365 admin center. Do the following:

  1. Go to Office 365 Admin Center.
  2. Click the Admin icon on the home page.
  3. Go to Admin centers > SharePoint from the left navigation.

  4. Click Access control, and then click Apps that don't use modern authentication.

  5. Select Allow access, click Save, and then wait for around 30 minutes for the changes to take effect.

Cloud App Security uses a single SharePoint Online Delegate Account for both SharePoint Online and OneDrive. If you have already manually provisioned the Delegate Account for one of the two services, you do not need to create a Delegate Account and change the Delegate Account password again. Based on which service you are manually provisioning at the moment, visit the following references:

 
Creating a Delegate Account can fail due to an internal Office 365 issue. If this happens, try again in a few hours or in twenty-four hours.
 

To create a Delegate Account:

  1. Log in to the Microsoft 365 Admin Center with your Global Administrator account.
  2. Go to Users > Active users from the left navigation, and then click Add a user.

  3. Specify the following account information and then click Add.
    • First name, Last name, Display name, User name and Password of the delegate account. For the Password, keep the default setting.

    • Product licenses: Enable Create user without product license by moving the slider to the right.

    • Roles: Keep the default setting.

  4. Take note of the Delegate Account user name and password.
  5. Click Finish Adding.

To change the Delegate Account password:

  1. Sign in to Office 365 using the new Delegate Account credentials.
  2. Click the Settings icon and then choose Password.
  3. On the Change Password screen, change the temporary Delegate Account password to a permanent one.
  4. Click Submit.

Complete this task if you license the SharePoint Online service.

  1. Log in to the Microsoft 365 admin center with your Global Administrator account.
  2. Go to Admin centers > SharePoint from the left navigation.
  3. From the left navigation, click Site Collections.
  4. Add site collections.
     
    Repeat this procedure to add additional site collections.
     
    1. Select one URL to protect.
    2. From the banner on the upper area, go to Owners > Manage Administrators.
    3. In the Site Collection Administrators text box at the bottom, specify an existing Delegate Account and then click the account check icon to verify its identity:
      • To find a Delegate Account: click the Address Book, select Tenant, and then click the magnifying glass to look for existing accounts.
      • To create a Delegate Account: see Creating a Delegate Account.
    4. Click OK.
  5. Go back to the Delegate Account (Manually) tab on the Cloud App Security management console, scroll down to the bottom, add the SharePoint Online site collection URLs to protect one by one in the URL text box, and then click Add.
  6. Click Submit.
  7. Hover over the ring icon in the upper-right corner of the management console. If the message "SharePoint Online protected" appears on the Notifications screen, the provisioning is successful.

Complete this task if you license the OneDrive service.

  1. Log on to the Microsoft 365 admin center with your Global Administrator account.
  2. Go to Admin centers > SharePoint from the left navigation.
  3. From the left navigation, click User Profiles.
  4. Add site collections.
     
    Repeat this procedure to add other site collections.
     
    1. Under People, click Manage User Profiles.
    2. Find user profiles by specifying a user name in the Find profiles search box.
    3. Right-click the profile, and select Manage site collection owners.
    4. In the Site Collection Administrators text box at the bottom, specify an existing Delegate Account and then click the account check icon to verify its identity:
      • To find a Delegate Account: click the Address Book, select Tenant, and then click the magnifying glass to look for existing accounts.
      • To create a Delegate Account: see Creating a Delegate Account.
    5. Click OK.
  5. Go back to the Delegate Account (Manually) tab on the Cloud App Security management console, scroll down to the bottom, and then click Submit.
  6. Hover over the ring icon in the upper-right corner of the management console. If the message "OneDrive protected." appears on the Notifications screen, the provisioning is successful.
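
To confirm the result of these steps from PowerShell rather than the admin center, the following added example (not part of the original documentation) checks the tenant setting and the site collection administrator assignment with the SharePoint Online Management Shell. The admin URL, Delegate Account name, and site URLs are placeholder assumptions; replace them with your own values.

```powershell
# Added example: verifies the settings that the manual provisioning steps rely on.
# Requires the Microsoft.Online.SharePoint.PowerShell module.
# All values below are placeholders (assumptions), not values from this page.
$AdminUrl      = 'https://contoso-admin.sharepoint.com'
$DelegateLogin = 'cas-delegate@contoso.onmicrosoft.com'
$SiteUrls      = @(
    'https://contoso.sharepoint.com/sites/finance',                              # SharePoint Online site collection
    'https://contoso-my.sharepoint.com/personal/alice_contoso_onmicrosoft_com'   # OneDrive site
)

function Test-DelegateProvisioning {
    param(
        [Parameter(Mandatory)] [string]   $Delegate,
        [Parameter(Mandatory)] [string[]] $Sites
    )

    # Tenant-wide setting behind "Apps that don't use modern authentication".
    $tenant = Get-SPOTenant
    [pscustomobject]@{
        Check  = 'Legacy authentication allowed'
        Target = 'tenant'
        Ok     = [bool]$tenant.LegacyAuthProtocolsEnabled
    }

    # Per-site check: is the Delegate Account a site collection administrator?
    foreach ($site in $Sites) {
        $isAdmin = $false
        try {
            $user    = Get-SPOUser -Site $site -LoginName $Delegate -ErrorAction Stop
            $isAdmin = [bool]$user.IsSiteAdmin
        } catch {
            # Account not present on the site, or the caller has no access to it.
            Write-Warning "${site}: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Check  = 'Site collection administrator'
            Target = $site
            Ok     = $isAdmin
        }
    }
}

Connect-SPOService -Url $AdminUrl      # sign in with the Global Administrator account
$results = Test-DelegateProvisioning -Delegate $DelegateLogin -Sites $SiteUrls
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }   # non-zero exit when any check fails
```

A site that the signed-in administrator cannot read is reported as a warning and counted as not provisioned.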