
Add employees

Overview

Integrate with your identity provider to import basic employee details into the Push platform and assign a license to users so you can begin your rollout of Push and start getting visibility into your cloud identities and apps.

Push supports API integrations with Microsoft 365 and Google Workspace.

You can also manually add individual employees. Or, if you’ve already installed the Push browser extension on employee browsers via a managed deployment, you can enable automatic licensing that allows Push to identify new browser profiles and assign an available license to those users in the Push platform.

To build a full inventory of your cloud identities and apps, you need both the API integration and the Push browser extension installed on employee browsers in your environment. Each covers something the other cannot:

  1. The API integration provides visibility into SaaS applications that your employees access via social login, such as Sign In with Google and Sign In with Microsoft, as well as any third-party OAuth integrations they have consented to. The integration also surfaces security risks on the work platform itself, such as users without MFA and suspicious mail rules in employee inboxes.

  2. The Push browser extension provides visibility into accounts that your employees create and access with a username and password, including unmanaged and non-SSO accounts, as well as vulnerabilities associated with these accounts. It also identifies social logins.

The Push platform distinguishes between employee and administrator accounts:

  • Employees are created when you integrate with your work platform. You must then assign a license to employees whose activity you wish to capture.

  • Administrators manage the Push platform itself. They are invited by email and can be people outside your organization, such as staff at an external managed service provider.

Syncing employee records

After the integration completes, Push syncs with your work platform immediately and then once an hour. Each sync picks up employee accounts that were added or removed on the work platform and refreshes the activity data for licensed employees.

When you add an employee account on your synced work platform, you’ll see a message in Push that you have unlicensed employees. You can then choose whether to assign them a license. Push does not automatically assign licenses to new employees unless you have enabled the automatic licensing option.

To quickly identify newly added employees in your workspace, check the First seen column in the Push list of unlicensed employees.

[Screenshot: the First seen column in the list of unlicensed employees]

If you remove an employee account on your work platform after the employee has been licensed in Push and enrolled in the browser extension, their record will remain visible in the Push platform as long as they have associated SaaS accounts. You will need to manually remove the license for that employee.

If the employee was enrolled and licensed in Push via the automatic licensing option, their record will also remain in Push as long as they have associated accounts, even if they have been removed from your work platform directory.

If an employee’s extension is inactive for 90 days and they have no associated accounts, Push will unlicense them automatically and no longer show their activity data.
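The three lifecycle rules above (hourly sync, records of leavers kept while they still have SaaS accounts, automatic unlicensing after 90 days of extension inactivity with no accounts) are easy to lose track of across a large directory. The following script, an example added to these docs rather than Push's own code, applies those rules to an assumed export of the Employees page and a list of email addresses from your identity provider, and groups employees by the action an admin should expect. The field names of the export (`email`, `licensed`, `accounts`, `extension_last_seen`) and all of the sample records are constructed assumptions; adapt them to whatever export you actually have.

```python
"""Reconcile Push licences against the identity provider directory.

Added example for these docs, not Push's own code. Rules applied, as the
docs state them:
  * a licensed, extension-enrolled employee removed from the directory keeps
    their Push record while they still have associated SaaS accounts, and the
    licence must be removed manually;
  * an employee whose extension has been inactive for 90 days and who has no
    associated accounts is unlicensed automatically;
  * synced but unlicensed employees wait for a licence (or can be hidden).
Input field names and all sample data are constructed assumptions.
"""
from datetime import date, timedelta

AUTO_UNLICENSE_AFTER = timedelta(days=90)   # inactivity threshold from the docs


def classify(employee, directory_emails, today):
    """Return the expected licensing state for one exported employee record."""
    in_directory = employee["email"].lower() in directory_emails
    has_accounts = employee["accounts"] > 0
    last_seen = employee["extension_last_seen"]           # date or None (never enrolled)
    inactive = last_seen is not None and today - last_seen >= AUTO_UNLICENSE_AFTER

    if not employee["licensed"]:
        # Synced but unlicensed: assign a licence, or hide it (e.g. service accounts).
        return "unlicensed" if in_directory else "unlicensed_leaver"
    if not has_accounts and inactive:
        return "auto_unlicense"           # Push drops this licence on its own
    if not in_directory and has_accounts:
        return "manual_unlicense"         # Push keeps the record; admin must act
    if not in_directory:
        # Leaver with no accounts but recent extension activity: the seat stays
        # taken until the 90-day rule fires, so unlicense now to free it.
        return "pending_auto_unlicense"
    return "ok"


def reconcile(employees, directory_emails, today):
    """Group employee email addresses by the state returned by classify()."""
    normalized = {e.lower() for e in directory_emails}
    groups = {}
    for emp in employees:
        groups.setdefault(classify(emp, normalized, today), []).append(emp["email"])
    return {state: sorted(addrs) for state, addrs in groups.items()}


# --- constructed sample data (not from any real tenant) ----------------------
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_DIRECTORY = {"alice@example.com", "bob@example.com", "svc-backup@example.com"}
SAMPLE_EMPLOYEES = [
    {"email": "alice@example.com", "licensed": True, "accounts": 14,
     "extension_last_seen": date(2024, 5, 31)},            # active, in directory
    {"email": "bob@example.com", "licensed": False, "accounts": 0,
     "extension_last_seen": None},                         # new joiner, no licence yet
    {"email": "carol@example.com", "licensed": True, "accounts": 6,
     "extension_last_seen": date(2024, 4, 2)},             # left, still has accounts
    {"email": "dave@example.com", "licensed": True, "accounts": 0,
     "extension_last_seen": date(2024, 2, 1)},             # left, silent 121 days
    {"email": "erin@example.com", "licensed": True, "accounts": 0,
     "extension_last_seen": date(2024, 5, 20)},            # left, silent only 12 days
    {"email": "svc-backup@example.com", "licensed": False, "accounts": 0,
     "extension_last_seen": None},                         # service account: hide it
]


def run_sample():
    return reconcile(SAMPLE_EMPLOYEES, SAMPLE_DIRECTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for state, addrs in sorted(run_sample().items()):
        print(f"{state}: {', '.join(addrs)}")
```

Run it after each hourly sync window you care about (for example nightly): the `manual_unlicense` group is the one that represents real offboarding debt, because those leavers still hold SaaS accounts that Push is tracking.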

What permissions are required?

We request the minimum scopes possible for our API integration and let you customize them if you prefer. When configuring your integration, you can remove any scopes you don’t want to allow, as well as view sample data for each scope requested.

To view scopes and make changes, select Need more control over access permissions? from the Integrate a platform slide-out panel on the Apps page in the Push admin console.

On that screen, you can disable individual scopes to see which Push features will be disabled, so that you can visualize the impact of customizing the access permissions.

Here's a description of each scope. Keep in mind that a scope describes what the granted token is permitted to do, not only what Push currently uses it for: the ReadWrite scopes exist for remediation actions (removing integrations, disabling mail rules), so if you want visibility only, you can disable them and accept the loss of those features.

Microsoft 365 scopes (scope, then purpose):

ActivityFeed.Read: Lets Push read your company's activity data. Used only to check whether logins were performed with MFA enforced.

AppRoleAssignment.ReadWrite.All: Used to remove a user's relationship with a third-party integration when you delete that integration from the Push platform.

Application.ReadWrite.All: Lets Push remove a third-party integration when you initiate its deletion from the Push platform.

AuditLog.Read.All: Lets Push query sign-in logs for service principals (third-party integrations).

DelegatedPermissionGrant.ReadWrite.All: Used to remove individual permission grant consents.

Directory.Read.All: Lets Push read data in your company directory, such as users, groups and apps.

MailboxSettings.ReadWrite: Lets Push read and write a user's mailbox settings. The write permission is used only to disable suspicious mail rules when you instruct it to. This scope does not give access to mail content.

Policy.Read.All: Lets Push read your company policies. Used only to check whether Security Defaults or Conditional Access is in use.

Reports.Read.All: Lets Push read all service reports. Only the MFA registration report is queried.

User.Read: Lets Push read the profile of the signed-in user and basic company information.

User.Read.All: Lets Push read details about the users in your company directory and retrieve their profile pictures.

Google Workspace scopes (scope, then purpose):

admin.directory.group.readonly: Retrieves Google Groups aliases and membership, so that results can be organized by group membership.

admin.directory.user.readonly: Retrieves user profiles. Needed to connect user identities to email addresses, mark accounts that are administrators, and identify 2-Step Verification (2SV) status.

admin.directory.user.security: Lists a user's OAuth tokens and removes them when you delete an integration from the Push platform.

admin.reports.audit.readonly: Reads the Google Workspace token audit log. Needed to reconstruct the history of OAuth app integrations.

gmail.settings.basic: Reads mail rules (Gmail filters) from a user's mailbox settings in order to find suspicious ones. It does not allow reading email messages.

You can integrate Push with Microsoft 365 or Google Workspace via an API integration that uses OAuth. If your employees use both, you should integrate Push with both platforms in order to capture all the SaaS apps in your environment being accessed using social logins.

Prerequisites: To complete the API integration, you'll need an administrator role in Microsoft 365 or Google Workspace that is allowed to consent to OAuth integrations on behalf of the organization. For Microsoft, this is the Global Administrator role. For Google, it is the Super Admin role.

To integrate with Microsoft 365 or Google Workspace:

1. Log into the Push admin console.

2. Navigate to the Apps page in the left sidebar.

3. Click the Integrate platforms button on the setup modal, or select the plus sign in the top right corner and choose Integrate platform.

[Screenshot: Integrate platforms action via the plus sign button on the Apps page]

4. On the slide-out panel, select Microsoft 365 or Google Workspace.

5. To view or adjust permissions associated with the integration, click on Need more control over access permissions?

[Screenshot: Integrate a platform slide-out panel]

6. If you’re not the administrator of the work platform, you can share the provided integration link with your admin to complete the setup. Otherwise, click Connect to proceed.

7. Consent to the OAuth integration screen. For Google Workspace, you'll also need to give permission to Push through domain-wide delegation.

8. Wait a moment for Push to pull in the employee data.

[Screenshot: Integrate platform panel while awaiting data]

9. Select which employees you want to license in Push.

[Screenshot: Assign licenses dialog]

10. After you've assigned licenses, the Employees page lists your employees. Over time you'll see which SaaS apps each one logs into with social logins tied to their work account, any third-party integrations used by licensed employees, discovered mail forwarding rules, and accounts lacking MFA protection.
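Once you have consented (step 7), your tenant, not the Push console, is the authority on what the integration can do. The script below is an example added to these docs, not Push's own code: it compares the permissions Microsoft Graph reports for an integration's service principal against the Microsoft 365 scope table above, so you can confirm that what was granted is exactly the set you chose under "Need more control over access permissions?". Delegated scopes come from the service principal's oauth2PermissionGrants, where each grant carries a space-separated "scope" string; application permissions come from its appRoleAssignments, which carry only an appRoleId that must be resolved against the resource service principal's appRoles. Everything under "constructed sample" is made up for the example: the placeholder resource and role ids, the per-user grant, and the extra Mail.Read scope that it flags.

```python
"""Audit the scopes actually granted to an OAuth integration in Microsoft Entra ID.

Added example for these docs, not Push's own code. Compares what Microsoft
Graph reports for the integration's service principal with the documented
Push scope list. Sample responses and all ids below are constructed.
"""

# Scopes documented for the Push Microsoft 365 integration (table above).
PUSH_M365_SCOPES = {
    "ActivityFeed.Read", "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All", "AuditLog.Read.All",
    "DelegatedPermissionGrant.ReadWrite.All", "Directory.Read.All",
    "MailboxSettings.ReadWrite", "Policy.Read.All", "Reports.Read.All",
    "User.Read", "User.Read.All",
}


def delegated_scopes(grants):
    """Flatten oauth2PermissionGrant objects (tenant-wide or per-user) into a set.

    Graph stores the delegated scopes of each grant as one space-separated string.
    """
    scopes = set()
    for grant in grants:
        scopes.update(grant.get("scope", "").split())
    return scopes


def application_permissions(assignments, app_roles_by_resource):
    """Resolve each appRoleAssignment to a permission name.

    appRoleAssignments only carry appRoleId and resourceId; the name lives in
    the *resource* service principal's appRoles list (id -> value). Different
    APIs (Microsoft Graph, Office 365 Management APIs) are different resources.
    """
    granted = set()
    for a in assignments:
        roles = {r["id"]: r["value"] for r in app_roles_by_resource.get(a["resourceId"], [])}
        granted.add(roles.get(a["appRoleId"], f"unresolved:{a['appRoleId']}"))
    return granted


def audit_grants(granted, expected):
    """'unexpected' = granted but never chosen; 'missing' = chosen-off (feature lost)."""
    return {"unexpected": sorted(granted - expected),
            "missing": sorted(expected - granted)}


# --- constructed sample, shaped like Graph responses (ids are placeholders) ---
SAMPLE_DELEGATED_GRANTS = [
    {"consentType": "AllPrincipals", "scope": "User.Read MailboxSettings.ReadWrite"},
    # A per-user grant that slipped in with an undocumented scope (constructed).
    {"consentType": "Principal", "principalId": "user-0001", "scope": "User.Read Mail.Read"},
]
SAMPLE_APP_ROLES = {               # resourceId -> that resource's appRoles
    "sp-graph": [                  # stand-in for the Microsoft Graph service principal
        {"id": "r-1", "value": "Directory.Read.All"},
        {"id": "r-2", "value": "AuditLog.Read.All"},
        {"id": "r-3", "value": "Policy.Read.All"},
        {"id": "r-4", "value": "User.Read.All"},
        {"id": "r-5", "value": "Application.ReadWrite.All"},
        {"id": "r-6", "value": "AppRoleAssignment.ReadWrite.All"},
        {"id": "r-7", "value": "DelegatedPermissionGrant.ReadWrite.All"},
        {"id": "r-8", "value": "Reports.Read.All"},   # exists, but not assigned below
    ],
    "sp-o365mgmt": [               # stand-in for the Office 365 Management APIs principal
        {"id": "r-9", "value": "ActivityFeed.Read"},
    ],
}
SAMPLE_ASSIGNMENTS = [{"resourceId": "sp-graph", "appRoleId": f"r-{n}"} for n in range(1, 8)]
SAMPLE_ASSIGNMENTS.append({"resourceId": "sp-o365mgmt", "appRoleId": "r-9"})


def run_sample():
    granted = delegated_scopes(SAMPLE_DELEGATED_GRANTS) | application_permissions(
        SAMPLE_ASSIGNMENTS, SAMPLE_APP_ROLES)
    return audit_grants(granted, PUSH_M365_SCOPES)


if __name__ == "__main__":
    print(run_sample())
```

Against a real tenant, look up the integration's service principal with `GET /servicePrincipals?$filter=appId eq '<app id>'`, then read `GET /servicePrincipals/{id}/oauth2PermissionGrants` and `GET /servicePrincipals/{id}/appRoleAssignments`, and fetch each referenced resource service principal to obtain its appRoles; feed those responses to the functions above. The Google Workspace counterpart is the Admin SDK Directory API `users.tokens.list` call, which returns the scopes each user has granted to each client.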

Next steps

To complete your setup and gain full account visibility, next you’ll need to install the Push browser extension on employee browsers in your environment.

See: Install the browser extension for more details.

Add manually

You can add employees manually. We recommend this approach if you are testing Push with your team before completing a rollout to your entire organization.

To add employees manually:

1. Log into the Push admin console.

2. Navigate to the Employees page in the left sidebar and click the Add employees icon.

3. Select Add manually and enter the employee’s name and email address. You can also optionally email them an enrollment link to install the browser extension at the same time.

[Screenshot: Manually add user dialog]

Automatic licensing option

You can automatically assign a license to any employee with an email address in your specified company email domain(s) if the Push browser extension has been installed through a managed deployment.

In the Push admin console, go to Settings > Licensing and toggle on automatic licensing.

[Screenshot: Automatic licensing toggle on the Settings page]

The Push browser extension is able to identify the user of a browser by looking for an email address from an open Gmail or Microsoft Outlook browser tab.

Once the browser extension identifies the user, Push will automatically create the employee account in the Push platform and assign a license. The user will then appear in the list on the Employees page.

Note: Push will not assign a license if none is available in your plan. Unlicensed employees will appear in the Unlicensed list linked from the Employees page.

Hiding unlicensed employees

You can hide synced employee accounts to which you don't intend to assign a Push license, such as service accounts.

Go to Employees and select the list of unlicensed employees. Choose the accounts you want to hide from the list of unlicensed employees and then choose Hide employees.

[Screenshot: Hide unlicensed employees action]

If you decide later that you want to license those hidden accounts, select the filter icon on the list and change the selection to Show only hidden employees. You can then assign them a license.

Revoking the API integration

You can delete a work platform integration by going to Settings > Integrations in the admin console. Removing an integration also removes from Push all the employee records tied to that integration, together with their account activity data. To revoke the OAuth grant on the provider side as well, remove the Push application's consent in Microsoft Entra ID (under Enterprise applications) or its app access and domain-wide delegation in the Google Admin console.

[Screenshot: Settings > Integrations page]