Connect Salesforce to Microsoft Cloud App Security
This section provides instructions for connecting Cloud App Security to your existing Salesforce account using the app connector API.
How to connect Salesforce to Cloud App Security
It is recommended to have a dedicated service admin account for Cloud App Security.
Validate that REST API is enabled in Salesforce.
Your Salesforce account must be one of the following editions that include REST API support:
Performance, Enterprise, Unlimited or Developer.
The Professional edition does not have REST API by default, but it can be added on demand.
Check to see that your edition has REST API available and enabled as follows:
Log in to your Salesforce account and go to the Setup page.
Under Manage Users, go to the User Profiles page.
Create a new profile by clicking New.
Choose the profile you just created to deploy Cloud App Security and click Edit. This is the profile to be used for the Cloud App Security service account to set up the App connector.
Make sure you have the following checkboxes enabled:
- API Enabled
- View All Data
- Manage Salesforce CRM Content
- Manage Users
If these are not selected, you may need to contact Salesforce to add them to your account.
If your organization has Salesforce CRM Content enabled, make sure that the current administrative account has it enabled as well.
Go to your Salesforce setup page.
From the side-menu, select Manage Users and then click Users.
Select the current administrative user to your dedicated Cloud App Security user.
Make sure that the Salesforce CRM Content User check box is selected.
If it is not selected, click Edit and then check the check box.
In the Cloud App Security console, click Investigate and then Connected apps.
In the App connectors page, click the plus button followed by Salesforce.
In the Salesforce settings page, on the API tab, click Follow this link, depending on which instance you want to install.
This opens the Salesforce log on page. Enter your credentials to allow Cloud App Security access to your team's Salesforce app.
Salesforce will ask you if you want to allow Cloud App Security access to your team information and activity log and perform any activity as any team member. To proceed, click Allow.
At this point, you will receive a success or failure notice regarding the deployment. Cloud App Security is now authorized in Salesforce.com.
Back in the Cloud App Security console, you should see the Salesforce was successfully connected message.
Make sure the connection succeeded by clicking Test API.
Testing may take a couple of minutes. After receiving a success notice, click Done.
After connecting Salesforce, you will receive Events as follows: Triggers from the moment of connection, Login events and Setup Audit Trail for 60 days prior to connection, EventMonitoring 30 days or 1 day back - depending on your Salesforce EventMonitoring license. The Cloud App Security API communicates directly with the APIs available from Salesforce. Because Salesforce limits the number of API calls it can receive, Cloud App Security takes this into account and respects the limitation. Salesforce APIs send each response with a field for the API counters, including total available and remaining. Cloud App Security calculates this into a percentage and makes sure to always leave 10% of available API calls remaining.
Cloud App Security throttling is calculated solely on its own API calls with Salesforce, not with those of any other applications making API calls with Salesforce. Limiting API calls due to the limitation may slow down the rate at which data is ingested in Cloud App Security, but usually catches up over night.
Salesforce events are processed by Cloud App security as follows:
- Log in events every 15 minutes
- Setup audit trail every 15 minutes
- Salesforce logs track usage activity for a 24-hour period, from 12:00 a.m. to 11:59 p.m. UTC time. Events in Salesforce generate log data in real time. However, log files are generated by Salesforce the day after an event takes place, during nonpeak hours. Therefore, log file data is unavailable for at least one day after an event. For more information about Salesforce events, see Using event monitoring.