Add employees
In this section:
Overview
Integrate with your identity provider to import basic employee details into the Push platform and assign a license to users so you can begin your rollout of Push and start getting visibility into your cloud identities and apps.
Push supports integrations with:
You can also manually add individual employees.
In order to gain a full inventory of your cloud identities and apps, you must perform both an API integration and the installation of the Push browser extension on employee browsers in your environment. They each play a role in providing full visibility:
The API integration provides visibility into SaaS applications that your employees access via social login, such as Sign In with Google and Sign In with Microsoft, as well as third-party OAuth integrations they consent to. The integration also finds any security risks associated with these platforms, such as a lack of MFA and suspicious mail rules in employee inboxes.
The Push browser extension provides visibility into accounts that your employees create and access with a username and password, including unmanaged and non-SSO accounts, as well as vulnerabilities associated with these accounts.
The Push platform distinguishes between employee and administrator accounts:
Employees are created when you integrate with your work platform. You must then assign a license to employees whose activity you wish to capture.
Administrators manage the Push platform and must be invited via email, and can even be individuals outside your organization, such as an external managed service provider.
Syncing employee records
After completing the integration, Push syncs with your work platform immediately and then once an hour after that to accommodate the addition or removal of employee accounts and to keep specific activity data up to date for licensed employees.
When you add an employee account on your work platform, you’ll see a message in Push that you have unlicensed employees. You can then choose whether to assign them a license. Push does not automatically assign licenses to new employees synced from your work platform.
To quickly identify newly added employees in your workspace, check the First seen column in the Push list of unlicensed employees.
If you remove an employee account on your work platform after the employee has been licensed in Push and enrolled in the browser extension, their record will remain visible in the Push platform as long as they have associated SaaS accounts. You will need to manually remove the license for that employee.
What permissions are required?
We request the minimum scopes possible for our API integration and let you customize them if you prefer. When configuring your integration, you can remove any scopes you don’t want to allow, as well as view sample data for each scope requested.
To view scopes and make changes, select Need more control over access permissions? from the Integrate a platform slide-out panel on the SaaS page in the Push admin console.
On that screen, you can disable individual scopes to see which Push features will be disabled, so that you can visualize the impact of customizing the access permissions.
Here’s a description of each scope:
Microsoft 365 scopes
Scope | Purpose |
|---|---|
ActivityFeed.Read | This scope lets us read your company’s activity data. We use this only to inspect whether logins are performed with or without MFA enforced. |
AppRoleAssignment.ReadWrite.All | This scope is used to remove user relationships with third-party integrations when you delete them via the Push platform. |
Application.ReadWrite.All | This scope allows us to remove third-party integrations via the Push platform when you initiate a deletion. |
AuditLog.Read.All | This scope lets us query sign-in logs for service principals (third-party integrations). |
DelegatedPermissionGrant.ReadWrite.All | This scope is used to remove individual permission grant consents. |
Directory.Read.All | This scope lets us read data in your company directory, such as users, groups and apps. |
MailboxSettings.ReadWrite | This scope lets us read and write to a user’s mailbox settings. We use write permissions to disable suspicious mail rules only at your command. This scope doesn't give us access to mail content. |
Policy.Read.All | This scope lets us read your company policies. We use this only to inspect if Security Defaults or Conditional Access is in use. |
Reports.Read.All | This scope lets us read all service reports. We query only the MFA registration report. |
User.Read | This scope lets us read your profile and read basic company information. |
User.Read.All | This scope lets us read details about the users in your company directory and retrieve their profile picture. |
Google Workspace scopes
Scope | Purpose |
|---|---|
admin.directory.group.readonly | This scope is used to retrieve group alias and member information about Google Groups. This is needed so we can organize results by group membership. |
admin.directory.user.readonly | This scope is used to retrieve user profiles. This is needed to connect user identities to email addresses, mark accounts that are administrators, and identify 2SV status. |
admin.directory.user.security | This scope is used to list OAuth tokens and remove them when you delete them via the Push platform. |
admin.reports.audit.readonly | This scope is used to read Google Workspace token audit reports. This is needed to read logs of historic OAuth app integrations. |
gmail.settings.basic | This scope is used to read mail rules from a user’s mailbox settings. It does not allow reading email messages. It is needed to find suspicious mail rules. |
Slack scopes
Scope | Purpose |
|---|---|
chat:write | Post messages in approved channels and conversations. |
im:write | Start direct messages with people |
users:read | View people in a workspace. |
users:read.email | View email addresses of people in a workspace. |
im:history | View messages and other content in direct messages that your slack app has been added to. |
channels:read | View basic information about public channels in a workspace. |
groups:read | View basic information about private channels that your slack app has been added to. |
channels:join | Join public channels in a workspace. |
mpim:read | View basic information about group direct messages that your Slack app has been added to. |
im:read | View basic information about direct messages that your Slack app has been added to. |
app_mentions:read | View messages that directly mention @your_slack_app in conversations that the app is in. |
Microsoft Teams scopes
Scope | Purpose |
|---|---|
Channel.ReadBasic.All | Read channel names and channel descriptions, on behalf of the signed-in user. |
MailboxSettings.Read | Allows the app to read the user’s mailbox settings. Does not include permission to send mail. |
Team.ReadBasic.All | Read the names and descriptions of teams, on behalf of the signed-in user. |
TeamsAppInstallation.ReadWriteSelfForTeam.All | Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user. |
TeamsAppInstallation.ReadWriteSelfForUser.All | Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user. |
User.Read.All | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
User.Read | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
Add via integration
You can integrate Push with Microsoft 365 or Google Workspace via an API integration that uses OAuth. If your employees use both, you should integrate Push with both platforms in order to capture all the SaaS apps in your environment being accessed using social logins.
Prerequisites: To complete the API integration, you’ll need an administrator role in M365 or Google Workspace with permission to complete OAuth integrations. For Microsoft, this is the global administrator role. For Google, it is the Super Admin role.
To integrate with Microsoft 365 or Google Workspace:
1. Log into the Push admin console.
2. Navigate to the SaaS page in the left sidebar.
3. Click the Integrate platforms button on the setup modal, or select the plus sign in the top right corner and choose Integrate platform.
4. On the slide-out panel, select Microsoft 365 or Google Workspace.
5. To view or adjust permissions associated with the integration, click on Need more control over access permissions?
6. If you’re not the administrator of the work platform, you can share the provided integration link with your admin to complete the setup. Otherwise, click Connect to proceed.
7. Consent to the OAuth integration screen. For Google Workspace, you'll also need to give permission to Push through domain-wide delegation.
8. Wait a moment for Push to pull in the employee data.
9. Select which employees you want to license in Push.
10. After you’ve assigned licenses, you’ll find a list of your employees on the Employees page, where you will start to see which SaaS apps they’re logging into using social logins connected to their work accounts, as well as any third-party integrations used by licensed employees, discovered mail forwarding rules, or a lack of MFA protection.
Next steps
To complete your setup and gain full account visibility, next you’ll need to install the Push browser extension on employee browsers in your environment.
See: Install the browser extension for more details.
Add manually
You can add employees manually. We recommend this approach if you are testing Push with your team before completing a rollout to your entire organization.
To add employees manually:
1. Log into the Push admin console.
2. Navigate to the Employees page in the left sidebar and click the Add employees icon.
3. Select Add manually and enter the employee’s name and email address. You can also optionally email them an enrollment link to install the browser extension at the same time.
Hiding unlicensed employees
You can hide synced employee accounts that you don’t intend to assign a license in Push, such as service accounts.
Go to Employees and select the list of unlicensed employees. Choose the accounts you want to hide from the list of unlicensed employees and then choose Hide employees.
If you decide later that you want to license those hidden accounts, select the filter icon on the list and change the selection to Show only hidden employees. You can then assign them a license.
Revoking the API integration
You can delete a work platform integration by going to Settings > Integrations in the admin console. Removing an integration will also remove from Push all the employee records tied to that integration, as well as their account activity data.
