Usage


This optional feature, available in environments with Business+, Advanced+ or Professional+ licenses, allows administrators and authorized users to pull, from a user's Microsoft 365 mailbox, any emails that are suspected of being malicious or otherwise undesirable. If necessary, for example if the email is determined to be legitimate, the administrator can restore the message to the user's mailbox.


Requirements


  • This feature is only available on the following packages:
    • Business+
    • Advanced+
    • Professional+
  • One-Click Message Pull is currently only compatible with O365 environments
  • The O365 account setting up One-Click Message Pull must have global administrator rights.


If you are using the standard Business, Advanced, or Professional packages, skip this step.


Enable One-Click Message Pull in Proofpoint


  • In the Proofpoint portal, navigate to Account Management > Features
  • Check the box for "Enable One Click Removal," then click Save


If the Proofpoint Azure AD Sync is already enabled: Update Existing App Registration


  • Log into the Azure Active Directory admin center (https://aad.portal.azure.com/) as a global administrator
  • On the left side of the screen, click Azure Active Directory
  • Navigate to App Registrations, then click the name of your existing app registration for the Proofpoint Essentials Azure AD Sync
  • Navigate to API Permissions > Add a permission
  • Select Microsoft Graph > Application Permissions, then set the following:
    • Under the Mail tab, select Mail.ReadWrite
    • Click “add permissions” at the bottom of the page when finished
  • Click “Grant admin consent for [your organization]”


After saving these changes in Azure, you should now be able to retract delivered emails from the Log Search page.


If you want One-Click Message Pull but don't want the Azure AD Sync: Create New App Registration


  • Log into the Azure Active Directory admin center (https://aad.portal.azure.com/) as a global administrator.
  • On the left side of the screen, click Azure Active Directory
  • Navigate to App Registrations > New Registration



  • Set a name to help identify this application, such as “Proofpoint One-Click Message Pull”
  • Leave the "Supported account types" field as "Accounts in this organizational directory only ([your organization] only - Single tenant)"
  • Set the platform to Web, then fill in the Redirect URI field depending on your region
  • Click “Register” at the bottom of the page



  • Copy the Application Client ID. This is needed later, so it is recommended to paste it somewhere such as in a Notepad window.



  • Navigate to API Permissions > Add a permission



  • Select Microsoft Graph > Application Permissions, then set the following:
    • Under the Mail tab, select Mail.ReadWrite
    • Click “add permissions” at the bottom of the page when finished



  • Click “Grant admin consent for [your organization]”
  • On the left, click “Certificates and Secrets” > New client secret



  • Set the name to “Proofpoint One-Click Message Pull”
  • Set the expiration date for 2 years
  • Copy the secret key’s value, NOT the “Secret ID.”
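Whether you updated the existing Azure AD Sync registration or created a new one, it is worth confirming from the tenant side that the registration actually received admin consent for Mail.ReadWrite and nothing more, and when its client secret lapses. The script below is an added example, not Proofpoint's or Microsoft's code; it assumes the Microsoft.Graph PowerShell module is installed and that the registration carries the display name chosen above (change $AppName if you reused the Azure AD Sync registration).

```powershell
# Added example (not from Proofpoint or Microsoft): audit the app registration used for One-Click Message Pull.
# Assumes the Microsoft.Graph PowerShell module and the display name used in the steps above.
$AppName = "Proofpoint One-Click Message Pull"   # assumption: display name chosen when registering the app

Connect-MgGraph -Scopes "Application.Read.All" | Out-Null

# Look up the registration and its enterprise-app (service principal) object
$app = Get-MgApplication -Filter "displayName eq '$AppName'"
if (-not $app) { throw "No app registration named '$AppName' was found." }
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

# Microsoft Graph's well-known appId; its AppRoles map role GUIDs to names such as Mail.ReadWrite
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }

# Application permissions that were actually admin-consented (not just "configured" on the registration)
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] }

"Granted Microsoft Graph application permissions for '$AppName':"
$granted | ForEach-Object { "  $_" }

# Message pull needs only Mail.ReadWrite; anything else on this registration is excess privilege
$extra = $granted | Where-Object { $_ -ne "Mail.ReadWrite" }
if ($extra) { Write-Warning "Unexpected permissions granted: $($extra -join ', ')" }
if ($granted -notcontains "Mail.ReadWrite") {
    Write-Warning "Mail.ReadWrite has not been admin-consented; message pull will fail."
}

# The steps above set a 2-year secret; report when each secret on the registration expires
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime - (Get-Date).ToUniversalTime()).TotalDays
    "Secret '$($cred.DisplayName)' (KeyId $($cred.KeyId)) expires $($cred.EndDateTime.ToString('u')) in $daysLeft days"
    if ($daysLeft -lt 30) {
        Write-Warning "Secret '$($cred.DisplayName)' expires in under 30 days; rotate it and update Proofpoint."
    }
}
```

Mail.ReadWrite as an application permission applies to every mailbox in the tenant, which is why the check flags any additional permissions that accumulate on this registration.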



Once this app registration is created in Azure, you can propagate this over to Proofpoint without syncing your mailboxes using the following steps:


  • Navigate to User Management > Import & Sync > Azure Directory Sync
  • Paste in your domain name as well as the Application Client ID and the Client Secret Key (value) copied from Azure into the relevant fields.



  • Uncheck all of the options under What to Sync, How to sync, and Groups.



  • Set the sync frequency to Never.



  • Click Save at the bottom of the page; this both validates the entered values and retains the changes.


Proceed to next step: Configure O365 for Proofpoint