Breadcrumbs

Add MS Defender for Cloud Apps

Task List

Task #

Task

Performed by

0

Decide the App Registration approach

Azure Admin

1

Prepare Defender for Cloud Apps for use with CI Sync

Azure Admin

2

Understand the CI Sync RecVer Database

SQL DBA
Infrastructure SME

3
SQL

Create a Source System Connection using the CI Sync Agent Config Utility with a SQL RecVer DB

Infrastructure SME
CI Sync Admin

3
Mongo

Or, Create a Source System Connection using the CI Sync Agent Config Utility with a MongoDB RecVer DB (if supported)

Infrastructure SME
CI Sync Admin

4

Finalise Settings in the CI Sync SaaS UI

CI Sync Admin

5

Perform Updates in ServiceNow (if required)

ServiceNow Admin

Task 0: Configure Defender for Cloud Apps to Discovery Cloud Applications

Cloud Discovery (which is a key component of Defender for Cloud Apps) analyzes traffic logs against the Microsoft Defender for Cloud Apps catalog (which consists of over 30,000 cloud applications). The apps are ranked and scored based on more than 90 risk factors. This allows organisations to understand the following:

  1. The inventory of Cloud Applications in use across the organisation.

  2. Which users are access each Cloud Application.

  3. The Cloud Application hosting provider/platform (e.g. is the Cloud App hosted in Azure, AWS, GCP, etc).

  4. Other metadata about the Cloud Application including total number of users, risk assessment/score, physical hosting location (to country level in most cases), various other legal and compliance information gathered and analysed by Microsoft.

Customers need to configure Cloud Discovery in Defender for Cloud Apps before using CI Sync to synchronize the related data into their ServiceNow CMDB.

Syncfish recommend customers read the Microsoft Defender for Cloud Apps documentation repository to build a repository of Cloud Discovery that can be used by CI Sync. Please read:

  1. Read the following article for a complete overview of Defender for Cloud Apps: https://learn.microsoft.com/en-us/defender-cloud-apps/

  2. Read the following article for information specific to Cloud App Discovery: https://learn.microsoft.com/en-us/defender-cloud-apps/set-up-cloud-discovery

The second article above (on Cloud App Discovery) explains the use of Snapshot and Continuous Risk Assessment Reports. These risk assessment reports form the basis of the data that CI Sync reads from Defender for Cloud Apps. As such, these are a key topic to understand when getting started with the CI Sync connector for Defender for Cloud Apps.

Important: Default Risk Assessment Report used by CI Synchronizer

By default, CI Sync uses the Microsoft Defender for Endpoint risk assessment report (which is defined by Microsoft as a “continuous risk assessment report”).

Customers wanting to use other risk assessment reports in Defender for Cloud Apps should contact Syncfish to amend the default behaviour of CI Sync.

Task 1: Prepare Defender for Cloud Apps for use with CI Sync

Context Notes

In Azure ADD (AAD) an App Registration is used to define a Service Principal for the purpose of authenticating a source application to a destination system/application.

The App Registration created in this section relates to the Defender for Cloud Apps Source Connection created within the CI Sync Agent. 

This Defender for Cloud Apps specific App Registration is different (and unrelated) to the App Registration for the CI Sync Agent itself that was create in S3 - Create an Entra ID App Registration for CI Sync Agent Authentication)


CI Sync requires an App Registration in Entra ID so your CI Sync Agent can authenticate and read the Defender for Cloud Apps data used by this CI Sync connector.

There are two options for the App Registration:

  1. Option 1 - You create a new App Registration object in Entra ID specifically for the purpose of this CI Sync connector for Defender for Cloud Apps.

  2. Option 2 - If you have an existing App Registration being used by the CI Sync Defender for Endpoint connector, you can extend the permissions of the existing Defender for Endpoint App Registration (i.e. extend the permissions of the existing App Registration and reuse it when setting up the CI Sync Connector for Defender for Cloud Apps).

Follow the relevant instructions below for either Option 1 (a new App Registration) or Option 2 (reuse an existing Defender for Endpoint App Registration).

Click to expand instructions for Option 1 (create a new App Registration for Defender for Cloud Apps for CI Sync)

  1. In the Azure Portal, navigate to Azure Active Directory -> App Registrations and click New Registration

CleanShot 2025-04-04 at 13.56.22@2x-20250404-025640.png

  1. On the Register an application form complete as follows:

    1. Enter the Name (Note: Syncfish recommend using “CI Sync Agent Connector for Defender for Cloud Apps”)

    2. Under Supported account types select “Accounts in this organizational directory only ({Your Domain/Tenant Name} only - Single tenant)”

    3. Click Register

CleanShot 2025-09-24 at 14.18.29@2x-20250924-041855.png

  1. Navigate to API permissions and click Add Permission

CleanShot 2025-09-24 at 14.19.25@2x-20250924-041937.png

  1. Click on Microsoft APIs and then select “Microsoft Graph

CleanShot 2025-09-24 at 14.20.13@2x-20250924-042028.png

  1. Click Application permissions, then

    1. Enter “cloudapp” into the Select permissions search box.

    2. Locate and expand the CloudApp.Discovery permission group.

    3. Then tick “CloudApp-Discovery.ReadAll

    4. Finally click Add permission.

CleanShot 2025-09-24 at 14.21.40@2x-20250924-042202.png


  1. You should now be back on the API Permissions form showing the list of permissions you selected (see screen shot below to validate you have selected the required permissions).

  2. Now, Click Grant admin consent for {Your Domain Name}

CleanShot 2025-09-24 at 14.22.41@2x-20250924-042303.png


  1. Click Yes to confirm granting Admin Consent.  The resulting screen should look as shown below.

CleanShot 2025-09-24 at 14.23.36@2x-20250924-042352.png

  1. Using the left-hand menu, navigate and select Certificates & secrets.  Select “Client secrets (0)” in the middle of the form and then click the “New client secret” button.

CleanShot 2025-09-24 at 14.24.28@2x-20250924-042442.png

  1. Enter a unique Description for the secret associated with this CI Sync Agent Connector for Defender for Cloud Apps App Registration (e.g. “CI Sync Agent Connector for Defender for Cloud Apps Client Secret”).

  2. Then, select a suitable Expires duration based on your organisational policy.  Finally click the Add button.

CleanShot 2025-09-24 at 14.25.29@2x-20250924-042551.png

Guidance Note

It is recommended you set a reminder prior to the expiry date of the Secret (i.e. a reminder to regenerate in Azure and then update the secret in the CI Sync Agent Config Utility).


  1. The form now displays the generated secret value (shown in the Value field). Use the copy option to make a copy of the value in the Value field.

CleanShot 2025-09-24 at 14.27.08@2x-20250924-042837.png

Data Capture Note

  1. The Value is only available while you remain on this screen. You must make a copy of the Value before leaving this form.

  2. Make sure you copy the “Value” and NOT the “Secret ID”.

Make sure the secret stored securely and in a way that can be shared with the CI Sync Admin so they can use it when the follow the instructions later in this page.

  1. Return to the Overview page for the App Registration.

  2. Use the copy option to make a copy of the “Application (client) ID” GUID value and the “Directory (tenant) ID” GUID value.

CleanShot 2025-09-24 at 14.29.07@2x-20250924-043058.png

You have now granted the App Registration object (i.e. the CI Sync Agent Connector for Defender for Cloud Apps) read permissions to MS Defender for Cloud Apps which will allow you to use the CI Sync User Interface to schedule synchronization jobs using that same Defender for Cloud Apps as a synchronization source.

Data Capture Summary

As a reminder, you should have captured the following information when completing the above steps.

  1. The Secret Value (from Step 13 above). This is the Client Secret value.

  2. The Application (client) ID (from Step 15 directly above).

  3. The Directory (tenant) ID (also from Step 15 directly above).

Make sure any secrets or sensitive information is stored securely and in a way that can be shared with the CI Sync Admin.

The above information will be needed by the CI Sync Admin when they follow the instructions in Task 3 further below.

Click to expand instructions for Option 2 (reuse the existing App Registration you created for Defender for Endpoint for CI Sync App)

Option 2 Instructions - reuse your existing Defender for Endpoint App Regisration to implement CI Sync for Defender for Cloud Apps


  1. In the Azure Portal, navigate to Azure Active Directory -> App Registrations and search for/locate the existing one for Defender for Endpoint (it should be named something like “CI Sync Agent Connector for Defender for Endpoint“).

  2. Click on the App Registration to open the Overview page.

CleanShot 2025-09-24 at 13.42.27@2x-20250924-034504.png

Data Capture Note

While on the Overview page, capture the following two values as these will be needed by the CI Sync Admin when they perform tasks later in this process.

  1. Capture the Application (client) ID

  2. Capture the Directory (tenant) ID


  1. Navigate to API permissions and click Add a Permission

CleanShot 2025-09-24 at 13.48.38@2x-20250924-034858.png

  1. Click on Microsoft APIs and then select “Microsoft Graph

CleanShot 2025-09-24 at 13.52.02@2x-20250924-035337.png

  1. Click Application permissions, then

    1. Enter “cloudapp” into the Select permissions search box.

    2. Locate and expand the CloudApp.Discovery permission group.

    3. Then tick “CloudApp-Discovery.ReadAll

    4. Finally click Add permission.

CleanShot 2025-09-24 at 13.52.52@2x-20250924-035536.png


  1. You should now be back on the API Permissions form showing the list of permissions you selected (see screen shot below to validate you have selected the required permissions).

  2. Now, Click Grant admin consent for {Your Domain Name}

CleanShot 2025-09-24 at 13.58.55@2x-20250924-035930.png

  1. Click Yes to confirm granting Admin Consent.  The resulting screen should look as shown below.

CleanShot 2025-09-24 at 13.59.57@2x-20250924-040017.png

  1. Lastly, you need to know the client secret assocaited with this existing App Registration. The client secret value is used by the CI Sync Admin when they follow the instructions later in this page. If you don’t know the value of the client secret you will need to generate a new secret, capture it and store it securely so it can be shared with the CI Sync Admin so they can use it when they follow the instructions later in this page.

Important

If you regenerate the secret for this existing App Registration (that relates to Defender for Endpoint), your CI Sync Admin will also need to update the Defender for Endpoint Connection settings using the CI Sync Agent Config UI (i.e. will need to update the existing CI Sync Connection for Defender for Endpoint so it contains the new secret value).


You have now updated the App Registration object (i.e. the CI Sync Agent Connector for Defender for Endpoint one) to also have permissions to read MS Defender for Cloud Apps data. This will allow you to use the CI Sync User Interface to schedule synchronization jobs using Defender for Cloud Apps as a synchronization source.

Data Capture Summary

As a reminder, you should have captured the following information when completing the above steps.

  1. The Application (client) ID (from Step 2 above).

  2. The Directory (tenant) ID (also from Step 2 above).

  3. The Secret Value (as described in Step 9 directly above). This is the Client Secret value.

Make sure any secrets or sensitive information is stored securely and in a way that can be shared with the CI Sync Admin.

The above information will be needed by the CI Sync Admin when they follow the instructions in Task 3 further below.


You can now skip to Task 2 further below.


Task 2: Understand the CI Sync RecVer Database

This “task” is solely about understanding the purpose of the CI Sync RecVer database and making decisions on where to host it and how the CI Sync Agent will authenticate to it.

You may also need to make a decision on which database technology to use for the RecVer Database. The CI Sync Agent supports both MS SQL and MongoDB for the RecVer database (however there are some restirctions on which database technology you can use depending on the source system itself).

Understanding the above topics and making the relevant decisions before you create the source system connection (via the CI Sync Agent Config Utility) will make it quicker/easier to execute the remaining tasks in this guide.

Click to read a comprehensive explanation of the CI Sync RecVer database (and many close related topics)

Firstly, Context about the purpose of CI Sync RecVer Database

  • The RecVer database is a small checksum database used by CI Sync to support the delta synchronization functionality (i.e. the functionality of CI Sync to only sync those records which have changed since the previous sync job). 

  • Each source connection you create (using the CI Sync Agent Configuration Utility) requires its own RecVer database.  That is, each RecVer database is specific to each individual source system connection.

Second, options for the RecVer database technology and the hosting server/VM

  • IF the source system technology is based on Microsoft SQL (such as SCCM, Lansweeper, etc) THEN the CI Sync RecVer database must be Microsoft SQL Server.  In this circumstance:

    • The RecVer database must be hosted on the same SQL Server as the source system database itself.

  • IF the source system technology is NOT based on Microsoft SQL (such as Intune, Azure, VMware, etc) THEN the CI Sync RecVer database can be hosted on either Microsoft SQL or MongoDB. In this circumstance:

    • For a SQL based RecVer SQL database, the RecVer DB can be hosted on any SQL server you chose as long as it is “nearby” the VM running the CI Sync Agent (i.e. the Windows Service) itself. Note: “Nearby” means having low latency between the CI Sync Agent VM and the SQL Server hosting the RecVer DB).

    • For a MongoDB based RecVer database, the MongoDB database and CI Sync Agent must both be hosted on the same VM.

Note: In some specific cases CI Sync may not yet support Mongodb for RecVer on a non-SQL source system. Defender for Cloud Apps is one such case (i.e. currently the CI Sync RecVer DB must be hosted on MS SQL. In the new future CI Sync will support Mongodb for RecVer with Defender for Cloud Apps).

Third, SQL authenitcation options

If you are using a MS SQL source system (such as SCCM or Lansweeper) and therefore using MS SQL to host the RecVer database you need to decide how the CI Sync Agent will authenticate to SQL.

The CI Sync Agent (i.e. the Windows Service) requires read/write access to the RecVer database. The CI Sync Agent also requires read access to the relevant SQL based source system (e.g. SCCM, Lansweeper, etc).

When you use the CI Sync Agent Config Utility to create the source system connection (so you can ultimately run sync jobs from that source system) you have the following options for authentication between the CI Sync Agent (i.e. the Windows Service) and the RecVer DB and source system iteself:

  1. Integrated Security: This option uses the Windows User Account you created for the CI Sync Agent Windows Service.

  2. SQL Native Login: This option uses a native SQL username and password you enter into the CI SYnc Config Utility when you are creating the source system connection.

Note: In either case (Integrated Security or SQL Native Login), the account/login only needs least privileged access to the SQL DBs. Permissions are set either by your DBA (through a manual process) or the Config Utility (through the automated process) as explained further below. 

Finally, options for the SQL RecVer DB creation and setting of SQL permissions

If you are using a MS SQL source system (such as SCCM or Lansweeper) and therefore using MS SQL to host the RecVer database you have two options for for creating the SQL based RecVer DB and for setting pemissions to it (the RecVer DB) and to the source system itself.

Your options are as follows:

  1. MS SQL Setup Option 1: In this option you use the CI Sync Config Utility to automatically create the RecVer database and grant the CI Sync Agent (i.e. the Windows Service) access to the source system SQL database.

  2. MS SQL Setup Option 2: In this option you engage a SQL DBA to manually create the RecVer database and grant the CI Sync Agent (i.e. the Windows Service) access to both the RecVer DB and also to the source system SQL database. The DBA will perform these actions if you don’t have permissions to the SQL server (and therefore you aren’t able to use the CI Sync Config Utility as described in Option 1 above).

And also, have a read of Appendix A - Understand how the CI Sync Agent Authenticates to SQL Server which contains useful diagrams about SQL authentication for the CI Sync Agent.

Task 3 (SQL): Create a Source System Connection using the CI Sync Agent Config Utility with a SQL RecVer DB

As explained in the Guidance Notes above there are two options to facilitate the creation of the RecVer database and assigning permissions to it for the CI Sync (Agent). The table below elaborates the two options.

Option

Description

Details

MS SQL Setup Option 1

Automatically using the CI Sync Agent Config Utility

  • This option requires you to have the sysadmin (sa) role in the SQL Server that will host the RecVer database.

  • If you have sa credentials to the SQL Server that will host the RecVer database you can use the CI Sync Agent Config Utility to create the CI Sync RecVer database.

  • For this option use the Option 1 instructions below.

MS SQL Setup Option 2

Manually via a SQL Database Administrator (DBA)

  • If the person executing the CI Sync Agent Config utility does not have the sysadmin (sa) role in the SQL Server, you can have your SQL DBA perform a manual setup of the RecVer database.

  • For this option you should contact your DBA now and ask them to perform the manual setup tasks described in the Option 2 instructions below.

  • Once the DBA has completed their allocated tasks you will continue with the Option 2 instructions and use the CI Sync Agent Config Utility to connect to the RecVer database the DBA has created for you.

Expand the instructions below for either Option 1 or Option 2.

Option 1: Use the Config Utility to automatically create the RecVer database

Expand the instructions below if your SQL DBA will manually setup the RecVer database (and set the required permissions to the RecVer SQL DB).

Click to expand the instructions to setup the source connection with a SQL RecVer using Option 1

  1. Run the “CISynchronizerAgent Config Utility” from the Windows Start Menu.

  2. Within the CI Sync Agent Configuration Utility, navigate to the Source Systems tab, select MS Defender for Cloud Apps and click the Add button.

image-20250925-052434.png

  1. The “Add Connection” form is shown (specific to the source system).

image-20250925-052542.png

  1. In the section titled “Settings for the CI Sync Windows Service” update the values as follows:

    1. Name: Enter a friendly name that describes this source system connection.

    2. Directory (tenant) ID: Enter the value you captured in the very first task at the top of this guide.

    3. Application (client) ID: Enter the value you captured in the very first task at the top of this guide.

    4. Authentication Method: ClientSecret.

    5. Client Secret: Enter the value you captured in the very first task at the top of this guide.

For Certificate Authentication instructions skip to the Task 3 Supplement and then return here and continue setting up the source system in the CI Sync Agent.

  1. Move to section titled “RecVer DB Settings

CleanShot 2025-09-25 at 15.37.39@2x-20250925-053806.png

  1. Update the “RecVer DB Settings” values as follows:

    1. RecVer Type: Set this to SQL Server.

  2. In the sub-section titled “SQL Server RecVer Settings” update the values as follows:

    1. SQL Server: Enter the SQL Server path in the format: server\instance.

    2. Integrated Security:

      1. Check this checkbox if you want the CI Sync Agent to authenticate to the SQL Server using the Windows User Account you setup for the CI Sync Agent Windows Service (i.e. the account you setup in Task 1: Create Windows Service Account for the CI Sync Agent to use during S4 - Install the On-Prem Multi-Source Agent.

      2. Otherwise, uncheck this checkbox and enter the User ID and Password for a Native SQL Login provided to you by the DBA. (Note: Syncfish do not recommend the SQL Login have sysadmin rights).
        Note: These authentication settings control how the CI Sync Agent Windows Service authenticates with your SQL Server during ongoing operation of the agent (I.e. when sync jobs are running).

    3. Bypass setup, I have manually setup the databases: Do NOT check this checkbox (because the Config Utility will be creating the RecVer database for you).

    4. Existing RecVer Database: Do NOT check this checkbox (as the Config Utility will create the RecVer database for you).
      Note: These RecVer tick boxes (Bypass setup and Existing RecVer) control whether the CI Sync Config UI initiates the setup of the RecVer database (or not if your DBA is doing the SQL setup manually).

    5. RecVer Database: Greyed out so can be ignored.

    6. DB Timeout (Secs):  Sets the connection and statement execution timeouts. Syncfish recommend 60.

  3. Locate the “Setup & Test” button

image-20250402-053546.png

  1. Do the following:

    1. Click the “Setup & Test” button.

    2. When the button “Setup & Test” is pressed, the CI Configuration utility will prompt if the user running the utility wants to use Integrated Security or SQL Server security to perform the automated SQL setup and configuration steps.

image-20250402-053601.png

Informational Note

  • The above values do not control the ongoing running of the CI Sync Agent, they are solely used by the CI Sync Config UI to perform the RecVer setup.

  • The user will be required to have admin role in SQL Server to be able to setup the RecVer

Guidance Notes

In the background the Config Utility performs the following SQL setup and configuration steps:

  1. The utility creates a SQL Login for the Windows User Account you setup for the CI Sync Agent Windows Service if you selected “Integrated Security” in the section “Settings for the CI Sync Windows Service”, the Config Utility. Or, if instead you are using Native SQL Login (instead of “Integrated Security”) then Config Utility uses the Native SQL Login details you have supplied and performs the following step to grant the Login access to the relevant databases with the permissions noted below.

  2. The utility creates the RecVer database, creates a SQL user in the RecVer database for the Login used by the CI Sync Agent and grants the SQL user the agent_role role.
    Note: Depending on whether you selected “Integrated Security” or not, the SQL user is either (a) the Windows User/Service Account (created as a SQL Login in point 1 above) or (b) the native SQL login account.

Note: If you are using a Native SQL Login (not Integrated Security) with higher privileges than noted above (e.g. if the account had SQL sysadmin) then the Config Utility will not be able to set the SQL roles noted above.  Instead, the Config Utility will not touch the permissions and instead will leave the existing/higher privileges as is.  This is not required and not recommended by Syncfish.

  1. If all is setup correctly you will see “Ok” against each of the setup tasks.  If you see errors recheck the values you entered on the form.

image-20250402-053914.png

  1. After a successful test has been completed, click the Save button.

  2. Finally, click Yes to register this new connection (via your CI Sync Agent) with your customer specific CI Sync SaaS instance.

image-20250925-052922.png

  1. Assuming no errors you will see a confirmation message. Click OK and the new connection will appear in the Connections List of the CI Sync Agent.

  2. You have now completed the setup of the source connection in the CI Sync Configuration Utility and registered it as a source connection in the CI Sync SaaS application


Option 2: Use your SQL Database Administrator (DBA) to manually create the RecVer database in advance

Expand the instructions below if your SQL DBA will manually setup the RecVer database (and set the required permissions to the RecVer SQL DB).

Click to expand the instructions to setup the source connection with a SQL RecVer using Option 2

  1. Ask you SQL DBA to perform the tasks listed in the table below.

Task

DBA Task (in SQL Server)

Additional Notes

Task 1

Either register a Login (which represents the Windows User Account used by the CI Sync Agent Windows Service)

Or create a SQL Login (for the CI Sync Agent to use).

If you are using Windows “Integrated Security” between the CI Sync Agent and the SQL Server, then the CI Sync Agent Windows Service account needs to be registered within SQL Server as a Login

Note: The CI Sync Agent Windows Service account you setup in Task 1: Create Windows Service Account for the CI Sync Agent to use during S4 - Install the On-Prem Multi-Source Agent.

Alternatively, if you are using Native SQL authentication between the CI Sync Agent and the SQL Server, then a Login will need to be created. In this case your DBA will need to provide you with the SQL User ID and password details so you can enter them into the Config Utility UI as explained further below.

Task 2

Edit then Execute the SQL Create Script provided by Syncfish located here. The script creates the Syncfish RecVer database.

The script is: cisee-recver-create-script.sql

Notes for the DBA when running the script:

  • The script has a placeholder called $(recver_database_name) as the replacement for the RecVer database name.

  • For Microsoft Defender for Cloud Apps as the source system Syncfish recommend “cisee_recver_defender_cloudapps” as the RecVer database name.

To run the setup script using the sqlcmd utility, the recver_database_name parameter needs to be passed in using the -v switch:
> sqlcmd -I -S localhost -v recver_database_name=" cisee_recver_defender_cloudapps" -i "cisee-recver-create-script.sql"

Or, if running the script in SSMS, the value $(recver_database_name) (including the $ and brackets) needs to be replaced in the .sql file with the name for the recver database.

The DBA may notice the script includes has a placeholder called $(source_database_name) which is only required when Lansweeper is the source system. This placeholder can be ignored for all other (non-Lansweeper) source systems.

Task 3

Edit then Execute the SQL Upgrade Script provided by Syncfish located here. The script creates the Syncfish RecVer database.

The script is: cisee-recver-upgrade-script-3.1.1.sql

Notes for the DBA when running the script:

  • The script has a placeholder called $(recver_database_name) as the replacement for the RecVer database name.

  • For Microsoft Defender for Cloud Apps Syncfish recommend “cisee_recver_defender_cloudapps” as the RecVer database name.

To run the setup script using the sqlcmd utility, the database_name parameter needs to be passed in using the -v switch:

> sqlcmd -I -S localhost -v recver_database_name=" cisee_recver_defender_cloudapps" -i "cisee-recver-upgrade-script-3.1.1.sql"

Or, if running the script in SSMS, the value $(recver_database_name) (including the $ and brackets) needs to be replaced with the name for the recver database.

Task 4

Map the Login as a user in the RecVer database and grant the user the role_agent role.

Map the user and grant the role to the RecVer database created by the SQL script above.

Once your DBA has completed the steps in the table above, use the CI Sync Agent Configuration Utility to setup the source connection and pointing to the RecVer database created by the DBA. See below for instructions on using the CI Sync Agent Configuration Utility.

  1. Run the “CISynchronizerAgent Config Utility” from the Windows Start Menu.

  2. Within the CI Sync Agent Configuration Utility, navigate to the Source Systems tab, select MS Defender for Cloud Apps and click the Add button.

image-20250925-052434.png

  1. The “Add Connection” form is shown (specific to the source system).

image-20250925-052542.png

  1. In the section titled “Settings for the CI Sync Windows Service” update the values as follows:

    1. Name: Enter a friendly name that describes this source system connection.

    2. Directory (tenant) ID: Enter the value you captured in the very first task at the top of this guide.

    3. Application (client) ID: Enter the value you captured in the very first task at the top of this guide.

    4. Authentication Method: ClientSecret.

    5. Client Secret: Enter the value you captured in the very first task at the top of this guide.

For Certificate Authentication instructions skip to the Task 3 Supplement and then return here and continue setting up the source system in the CI Sync Agent.

  1. Move to section titled “RecVer DB Settings

CleanShot 2025-09-25 at 15.44.40@2x-20250925-054508.png

  1. Update the “RecVer DB Settings” values as follows:

    1. RecVer Type: Set this to SQL Server.

  2. In the sub-section titled “SQL Server RecVer Settings” update the values as follows:

    1. SQL Server: Enter the SQL Server path in the format: server\instance.

    2. Integrated Security:

      1. Check this checkbox if you want the CI Sync Agent to authenticate to the SQL Server using the Windows User Account you setup for the CI Sync Agent Windows Service (i.e. the account you setup in Task 1: Create Windows Service Account for the CI Sync Agent to use during S4 - Install the On-Prem Multi-Source Agent.

      2. Otherwise, uncheck this checkbox and enter the User ID and Password for a Native SQL Login provided to you by the DBA. (Note: Syncfish do not recommend the SQL Login have sysadmin rights).
        Note: These authentication settings control how the CI Sync Agent Windows Service authenticates with your SQL Server during ongoing operation of the agent (I.e. when sync jobs are running).

    3. Bypass setup, I have manually setup the databases: Check this checkbox (because your SQL DBA has already manually created the RecVer database and set the relevant permissions for you).

    4. Existing RecVer Database: Check this checkbox (because your SQL DBA has already manually created the RecVer database for you
      Note: These RecVer tick boxes (Bypass setup and Existing RecVer) control whether the CI Sync Config UI initiates the setup of the RecVer database (or not if your DBA is doing the SQL setup manually).

    5. RecVer Database: Enter the name of the RecVer database your DBA created. If your DBA used the suggested name (described on the previous page) it will be called cisee_recver_defender_cloudapps.

    6. DB Timeout (Secs):  Sets the connection and statement execution timeouts. Syncfish recommend 60.

  3. Locate the “Setup & Test” button

image-20250402-053546.png

  1. Do the following:

    1. Click the “Setup & Test” button.

    2. If all is setup correctly you will see “Ok” against each of the setup tasks.  If you see errors recheck the values you entered on the form.

image-20250402-053914.png

  1. After a successful test has been completed, click the Save button.

  2. Finally, click Yes to register this new connection (via your CI Sync Agent) with your customer specific CI Sync SaaS instance.

image-20250925-052922.png

  1. Assuming no errors you will see a confirmation message. Click OK and the new connection will appear in the Connections List of the CI Sync Agent.

  2. You have now completed the setup of the source connection in the CI Sync Configuration Utility and registered it as a source connection in the CI Sync SaaS application

Task 3 (Mongo): Or, Create a Source System Connection using the CI Sync Agent Config Utility with a MongoDB RecVer DB (if supported)

This task is not applicable because CI Sync does not support a Mongodb RecVer DB for the source system covered by this guide.

Task 3 (Optional): Supplementary Instructions for Certificate Based Authentication

Click to expand the instructions on setting up Certificate Based Authentication in the CI Sync Agent

Some source systems support Certificate authentication for the authentication principal created in the first step of this guide. In this case, you can configure the CI Sync Agent to use Certificate based authentication rather than Client Secret.

The screen shot/s and instructions below explain how to configure the CI Sync Agent for Certificate Authentication for a given source system. Once you have completed these steps jump back to the relevant task above to finish the steps for setting up your source system connection in the CI Sync Agent Config Utility.

The instructions below replace the Client Secret screen shots and instructions provided in the tasks above. You do NOT need to following the instructions below if you have decided to use Client Secret authentication between the CI Sync Agent and the source system.

Part A - Import your certificate to the Windows Certificate Store on the VM running the CI Sync Agent.

Guidance Notes

  • These instructions assume the organization has a certificate management solution in place and the certificate related to this activity is available to the Windows Server being used to install/run the CI Sync Agent (i.e. the Windows Service).

  • The Digital Certificate itself is the provided to you by the person who created the certificate based authentication principle during the first step of this guide.

  • When importing the certificate, it is recommended you import to the Local Machine Certificate Store. If you import it to the Current User you will almost certainly strike errors when the CI Sync Agent user account (i.e. the user account used by the Windows Service) tries to access the certificate.

  • Only consider importing to the Current User Certificate if you are running the CI Sync Config Utility with “Run As” in the context of the CI Sync Agent user account (i.e. the user account used by the Windows Service).

  1. Import the Digital Certificate into the Windows Local Machine Certificate Store.  It is recommended you do not import into the Current User Certificate Store (see Guidance Notes above).

  2. Ensure the CI Sync Agent user account (i.e. the user account used by the Windows Service) has sufficient permissions to read the Digital Certificate you imported.  The following steps explain how to check/set the right permissions.

  3. Open Microsoft Management Console.

  4. Navigate to Certificates - Local ComputerPersonal Certificates

  5. Right-click on the relevant certificate (the one you imported) and select All TasksManage Private Keys

CleanShot 2025-04-03 at 15.48.58@2x-20250403-044903.png

  1. On the permissions window, click the Add button.

CleanShot 2025-04-03 at 15.49.18@2x-20250403-044923.png

  1. Search for Users, locate the CI Sync Agent User (e.g. svc-cisync-agent), press Check Names, then press the OK button.

CleanShot 2025-04-03 at 15.49.36@2x-20250403-044939.png

  1. Back on the permissions window, make sure Full control and Read are ticked.  Then click Apply and then Ok.

CleanShot 2025-04-03 at 15.49.50@2x-20250403-044953.png

Part B - Use the CI Sync Agent Config Utility to Reference the Imported Certificate

  1. Using the CI Sync Agent Configuration Utility, use the drop down list to set the Authentication Method to Certificate in the Connection Settings section of the Add Connection form.

CleanShot 2025-04-04 at 17.34.23@2x-20250404-063437.png

  1. Set the Certificate Location using the following instructions:

    1. The options are as follows (these are the standard values provided by Microsoft):

      1. LocalMachine

      2. CurrentUser

    2. Syncfish Recommendation:

      1. It is strongly recommended you use LocalMachine, as the current user account (the person installing/running the CI Sync Agent Config Utility) is not the same as the CI Sync Agent user account (i.e. the user account used by the Windows Service). 

      2. If you have saved the certificate in the CurrentUser context, rather than the LocalMachine context (of the Windows Certificate Store) it will cause an error when the CI Sync Agent user account (i.e. the user account used by the Windows Service) tries (and fails) to read the certificate from the Windows Certificate Store.

  2. Set the Certificate Store using the following instructions:

    1. The options are as follows (these are a standard values provided by the Microsoft and correspond to the folders in the Windows certificate store):

      1. AddressBook

      2. AuthRoot

      3. CertificateAuthority

      4. My

      5. Root

      6. TrustedPeople

      7. TrustedPublisher

    2. Syncfish Recommendation: It is recommended this value be set to the “My” store (this translates to the “Personal/Certificates” path in the Windows Certificate Store).

  3. Enter the Certificate Name / Thumbprint value: Enter the subject of the certificate related to the authentication principal created in the first step of this guide.

  4. Finally, jump back to the relevant task above to finish the steps for setting up your source system connection in the CI Sync Agent Config Utility.

Setting up certificate based authentication can be somewhat fiddly to get right. Syncfish have published a number of troubleshooting articles in our knowledge base. Search for “certificate” in our support portal at https://support.syncfish.com.au .

Task 4: Finalise Settings in the CI Sync SaaS UI

  1. Login to your CI Sync SaaS instance at https://YourCo.syncfish.app

  2. In the CI Sync UI, navigate to Settings > Connections.

CleanShot 2025-04-07 at 11.27.20@2x-20250407-012911.png

  1. Find the new source system connection you just added in the list of Source Connections (the screen shot above is a sample only).

  2. Find your specific Source System Connection in the list and click the Update hyperlink (on the right hand side of the screen).

  3. The connection Settings Form is presented. Update as follows:

    1. Enter an Alias (optional) - the alias is only used in the CI Sync SaaS UI to show a friendly name in various UI forms.

    2. Set the Environment/s the new source connection can be used for. 

      1. In most cases a Source System Connection is used for both Test and Production sync jobs (as distinct from the Destination Connections which can only be either Test or Production).

      2. The Environment value is used to filter the connections dropdown list when you are creating a sync job.

image-20250925-052329.png

  1. While you are on this page you can/should check whether there are any connection specific settings you may want to adjust either now or at some point in the future. Connection specific settings (or just Connection Settings) allow you to override the default data sync rules for your CI Sync instance.

  2. Read the following details to understand more about CI Sync Connection Settings:

    1. Scroll further down to the Additional Settings section on the page to see any available Connection Settings. Below is an example of the sorts of settings you might notice.

    2. The settings are specific to each source connection so the screen shot is an example only.

      CleanShot 2025-07-18 at 17.33.13@2x-20250718-073337.png


    3. Syncfish recommend you read the following documentation before overriding any of the default settings:

      1. Read the CI SyncDefault Configuration Guides. The pages in that tree provide comprehensive information about the default behaviour of the CI Sync data sync rules, the options available for overriding those rules and typical reasons why you might want to do this.

      2. Read Understanding the use of CI Sync Connection Settings. This page explains how the Connection Settings should be used, how to modify settings via the CI Sync UI and how to test any setting changes in non-production prior to production.

    4. Finally, if you are ready to modify any of the Connection Settings, visit Connection Setting Guides and locate the specific Source System page/s in that tree. The individual pages in that tree provide detailed information about each setting.

      CleanShot 2025-07-22 at 15.47.19@2x-20250722-054753.png

  3. After making any changes on this page, scroll to the bottom of the page, Check the consent checkbox and Click the Save connection button.

You have now completed all tasks to add your new Source Connection in the CI Sync Agent. 

Please do one of the following:

Task 5: Perform Updates in ServiceNow (if required)

Guidance Note

Syncfish recommend the person setting up the source system described in this guide discusses this particular task with their ServiceNow system administrator.  The ServiceNow administrator will need to perform these steps.

Context

By default, the CI Relations control is not added to the Business Application CI Form within ServiceNow.

If you are planning on synchronizing the “User uses Cloud App” relationships feature of the CI Sync connector for MS Defender for Cloud Apps then Syncfish recommend adding the CI Relationships control to the Business Application CI form in your ServiceNow instance.

For more information on the “User uses Cloud App” relationships feature, please read the Data Sync Rule Rule 2 - Defender for Cloud Apps CI-to-CI Relationships and the related Connection Setting article Allow User Synchronization for Defender for Cloud Apps.

Below are the steps to modify a ServiceNow Business Application CI form to expose the CI Relations control.

  1. Login to your ServiceNow instance with Admin permissions.

  2. Navigate to any Business Application CI.

  3. Right-click in the heading area of the form, then click Configure and then Form Layout from the sub-menus.

CleanShot 2025-09-25 at 16.06.18@2x-20250925-060730.png

  1. Locate the CI Relations control in the Available column (left-hand side), clid the Add (“>”) button to make it a Selected component, then click Save.

CleanShot 2025-09-25 at 16.08.12@2x-20250925-061000.png