Connect Salesforce to Microsoft Cloud App Security

This article provides instructions for connecting Microsoft Cloud App Security to your existing Salesforce account using the app connector API. This connection gives you visibility into and control over Salesforce use. For information about how Cloud App Security protects Salesforce, see Protect Salesforce.

How to connect Salesforce to Cloud App Security

  1. It's recommended to have a dedicated service admin account for Cloud App Security.

  2. Validate that REST API is enabled in Salesforce.

    Your Salesforce account must be one of the following editions that include REST API support:

    Performance, Enterprise, Unlimited, or Developer.

    The Professional edition doesn't have REST API by default, but it can be added on demand.

    Check to see that your edition has REST API available and enabled as follows:

    • Sign in to your Salesforce account and go to the Setup page.

    • Under Manage Users, go to the User Profiles page.

      salesforce manage users profiles

    • Create a new profile by clicking New.

    • Choose the profile you just created to deploy Cloud App Security and click Edit. This profile will be used for the Cloud App Security service account to set up the App connector.

      salesforce edit profile

    • Make sure you have the following checkboxes enabled:

      • API Enabled
      • View All Data
      • Manage Salesforce CRM Content
      • Manage Users
      • Query All Files

      If these checkboxes aren't selected, you may need to contact Salesforce to add them to your account.

  3. If your organization has Salesforce CRM Content enabled, make sure that the current administrative account has it enabled as well.

    1. Go to your Salesforce setup page.

      salesforce setup

    2. From the side-menu, select Manage Users and then click Users.

      salesforce menu users

    3. Select the current administrative user to your dedicated Cloud App Security user.

    4. Make sure that the Salesforce CRM Content User check box is selected.

      If it isn't selected, click Edit and then check the check box.

      salesforce crm content user

    5. Under Session Settings, make sure that the select Lock sessions to the IP address from which they originated check box is not selected.

      salesforce session settings

    6. Click Save.

  4. In the Cloud App Security console, click Investigate and then Connected apps.

  5. In the App connectors page, click the plus button followed by Salesforce.

    connect salesforce

  6. In the Salesforce settings page, on the API tab, click Follow this link, depending on which instance you want to install.

  7. This opens the Salesforce sign in page. Enter your credentials to allow Cloud App Security access to your team's Salesforce app.

    salesforce sign-in

  8. Salesforce will ask you if you want to allow Cloud App Security access to your team information and activity log and perform any activity as any team member. To proceed, click Allow.

  9. At this point, you'll receive a success or failure notice for the deployment. Cloud App Security is now authorized in

  10. Back in the Cloud App Security console, you should see the Salesforce was successfully connected message.

  11. Make sure the connection succeeded by clicking Test API.

    Testing may take a couple of minutes. After receiving a success notice, click Done.

After connecting Salesforce, you'll receive Events as follows: Triggers from the moment of connection, Log in events, and Setup Audit Trail for 60 days prior to connection, EventMonitoring 30 days, or 1 day back - depending on your Salesforce EventMonitoring license. The Cloud App Security API communicates directly with the APIs available from Salesforce. Because Salesforce limits the number of API calls it can receive, Cloud App Security takes this into account and respects the limitation. Salesforce APIs send each response with a field for the API counters, including total available and remaining. Cloud App Security calculates this into a percentage and makes sure to always leave 10% of available API calls remaining.


Cloud App Security throttling is calculated solely on its own API calls with Salesforce, not with those of any other applications making API calls with Salesforce. Limiting API calls due to the limitation may slow down the rate at which data is ingested in Cloud App Security, but usually catches up over night.

Salesforce events are processed by Cloud App security as follows:

  • Sign-in events every 15 minutes
  • Setup audit trails every 15 minutes
  • Event logs every 1 hour. For more information about Salesforce events, see Using event monitoring.

If you have any problems connecting the app, see Troubleshooting App Connectors.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.