Changes Made by Cloud App Security

Cloud App Security adds some data to Microsoft Office 365, Box, Dropbox, Google Drive, and Gmail when provisioning service accounts or running those cloud applications. If your license expires, Cloud App Security automatically deprovisions service accounts for you and cleans up most of the data. You must manually remove the remaining data.

The following table lists all the actions that Cloud App Security performs in the Office 365 environment and other changes made by Cloud App Security.

Table columns: Stage | Cloud App Security Changes to Office 365 (Microsoft Office 365 Admin Center | Exchange/SharePoint/OneDrive/Microsoft Teams) | Other Changes

Provisioning

Creates Cloud App Security service accounts for Office 365 users.

  • Exchange: None.

  • SharePoint/OneDrive:

    • Adds a remote event receiver to each site collection.

    • Adds service accounts to each site collection's administrator group.

  • Microsoft Teams:

    • Uses OAuth 2.0 to obtain Microsoft Teams' access token.

    • Adds a remote event receiver to each team site.

  • The SharePoint/OneDrive user list and user profiles are updated upon service account creation.

  • Exchange user information is updated upon service account creation.

  • The teams data is updated in the Cloud App Security database.

Service running

Synchronizes with Office 365 daily to obtain information about new users, groups, SharePoint sites, and teams.

Note:

Cloud App Security synchronizes with Office 365 at 08:15 a.m. UTC for the U.S. site, 00:15 a.m. UTC for the EU site, and 04:15 p.m. UTC for both the Japan and the Australia and New Zealand sites.

  • Exchange:

    • Creates hidden folders for mailboxes if there are quarantined files.

    • Moves files between the quarantine and user folders.

  • SharePoint/OneDrive:

    • Adds service accounts or the remote event receiver for new site collections.

    • Creates the hidden document library for each site if there are quarantined files.

    • Moves files between the quarantine and site folders.

  • Microsoft Teams:

    • Adds the remote event receiver for new team sites.

    • Creates the hidden document library for each site if there are quarantined files.

    • Moves files between the quarantine and site folders.

  • The access or operation logs are updated for service accounts during scanning.

  • The LastLogonTime property is updated for each mailbox.

  • SharePoint/OneDrive notification files are created if Cloud App Security takes actions against certain files.

  • The access token for Microsoft Teams is refreshed every hour.

Deprovisioning

Stops daily synchronization with Office 365.

  • Exchange: Removes the quarantine folder.

  • SharePoint/OneDrive:

    • Removes the remote event receiver from each site collection.

    • Removes service accounts from each site collection's administrator group.

      Note:

      To remove service accounts from the administrator group, make sure that the service accounts were granted Global Administrator privileges during provisioning.

    • Removes the quarantine document library.

  • Microsoft Teams:

    • Removes teams data.

    • Removes the access token obtained.

Note:

Cloud App Security recommends that you delete quarantine logs before deprovisioning.

Cloud App Security stops generating scheduled reports.

Manual cleanup

Removes service accounts from the Office 365 user list.

Microsoft Teams: none.

None.

  • Microsoft removes the SharePoint user profiles 30 days after service account removal.

  • Customers need to manually remove service account users from the SharePoint/OneDrive user list.

  • Customers need to manually remove the Cloud App Security notification files.

  • Microsoft Teams: none.

The following table lists all the actions that Cloud App Security performs in the Box, Dropbox, and Google Drive environments and other changes made by Cloud App Security.

Table columns: Stage | Cloud App Security Changes to Box/Dropbox/Google Drive | Other Changes

Provisioning

  • Uses OAuth 2.0 to obtain Box's, Dropbox's or Google Drive's access token.

  • Uses the access token to create the following folders:

    • Quarantine folder: trendmicro_cas_quarantine__dont_change_or_delete

    • Temporary folder: trendmicro_cas_temp__dont_change_or_delete

  • Shares the temporary folder with all users in the current organization.

Saves user and group information to the Cloud App Security database.

Service running

  • Synchronizes with Box, Dropbox and Google Drive daily to obtain information about new users and groups.

    Note:

    Cloud App Security synchronizes with Box, Dropbox and Google Drive at 03:32 a.m. UTC for both the U.S. and EU sites, and 06:32 p.m. UTC for both the Japan and the Australia and New Zealand sites.

  • If a file violates a policy that specifies the "Quarantine" action:

    1. Renames the file and moves it to the temporary folder.

    2. Moves the file to the quarantine folder.

    3. Replaces the file with a text file in the original path.

  • Updates the access or operation logs for service accounts during scanning.

  • Refreshes the access token every hour.

Note:

In addition, for Google Drive, Cloud App Security keeps subscribing to Google's event notifications every 5 hours.

Deprovisioning

  • Stops daily synchronization with Box, Dropbox or Google Drive.

  • Stops generating scheduled reports.

  • Stops running manual scans.

  • Removes administrator-set policies.

  • Removes user and group information.

  • Removes the access tokens obtained.

Manual cleanup

  • Removes the Cloud App Security application from the Box or Dropbox admin console.

  • Removes the Cloud App Security application from the Google admin console and from the admin's Google Account.

    Note:

    You can ignore this if you need to use the Gmail protection functionality.

  • Removes the quarantine folder and temporary folder.

  • Removes the replacement text files if necessary.

None.
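
As an added example (not Trend Micro code), the following Python check scans an exported file inventory for the two folders named above that remain after deprovisioning, counting what is still stored in each and who the temporary folder is still shared with. The inventory record layout (`path`, `type`, `shared_with`) and the sample entries are assumptions constructed for illustration.

```python
from pathlib import PurePosixPath

# Folder names created at provisioning, as listed on this page.
RESIDUAL_FOLDERS = {
    "trendmicro_cas_quarantine__dont_change_or_delete": "quarantine",
    "trendmicro_cas_temp__dont_change_or_delete": "temporary",
}

# Constructed sample inventory; the record layout is an assumption, not a vendor schema.
SAMPLE_INVENTORY = [
    {"path": "/trendmicro_cas_quarantine__dont_change_or_delete", "type": "folder"},
    {"path": "/trendmicro_cas_quarantine__dont_change_or_delete/item_1", "type": "file"},
    {"path": "/trendmicro_cas_quarantine__dont_change_or_delete/item_2", "type": "file"},
    {"path": "/trendmicro_cas_temp__dont_change_or_delete", "type": "folder",
     "shared_with": ["all-users@example.com"]},
    # Name only contains the folder name as a substring: must not match.
    {"path": "/Finance/about_trendmicro_cas_temp__dont_change_or_delete.txt", "type": "file"},
    {"path": "/Finance/report.xlsx", "type": "file"},
]

def find_residuals(entries):
    """Map each leftover folder path to its kind, item count and sharing list."""
    findings = {}
    for entry in entries:
        parts = PurePosixPath(entry["path"]).parts
        for depth, name in enumerate(parts):
            kind = RESIDUAL_FOLDERS.get(name)  # exact path-component match only
            is_self = depth == len(parts) - 1
            if kind is None or (is_self and entry.get("type") != "folder"):
                continue
            root = str(PurePosixPath(*parts[: depth + 1]))
            finding = findings.setdefault(
                root, {"kind": kind, "items": 0, "shared_with": []})
            if is_self:   # the folder record itself: note who can still reach it
                finding["shared_with"] = list(entry.get("shared_with", []))
            else:         # something still stored inside the folder
                finding["items"] += 1
            break
    return findings

if __name__ == "__main__":
    for path, info in find_residuals(SAMPLE_INVENTORY).items():
        print(f"{info['kind']:<10} {path}  items={info['items']} "
              f"shared_with={info['shared_with']}")
```

A non-zero item count on the quarantine folder means quarantined files are still present and should be reviewed before the folder is removed.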

The following table lists all the actions that Cloud App Security performs in the Gmail environment and other changes made by Cloud App Security.

Table columns: Stage | Cloud App Security Changes to Gmail | Other Changes

Provisioning

Uses OAuth 2.0 to obtain Gmail's access token.

Saves user and group information to the Cloud App Security database.

Service running

  • Synchronizes with Gmail daily to obtain information about new users and groups.

    Note:

    Cloud App Security synchronizes with Gmail at 08:15 a.m. UTC for the U.S. site, 00:15 a.m. UTC for the EU site, and 04:15 p.m. UTC for both the Japan and the Australia and New Zealand sites.

  • If an email message violates a policy that specifies the "Label email" action: Creates a label called "Risky (by Trend Micro)" and labels the message.

  • Updates the access or operation logs for the service account during scanning.

  • Refreshes the access token every hour.

  • Cloud App Security refreshes the subscription to all mailboxes' event notifications during scheduled synchronization every day.

Deprovisioning

  • Stops daily synchronization with Gmail.

  • Stops generating scheduled reports.

  • Removes administrator-set policies.

  • Removes user and group information.

  • Removes the access token obtained.

Manual cleanup

Removes the Cloud App Security application from the Google admin console and from the admin's Google Account.

Note:

You can ignore this if you need to use the Google Drive protection functionality.

None.

When your license is about to expire, Cloud App Security will send notifications to remind you. For details about license information, see License.

If your license has reached the end of the grace period, note the following:

  • The Cloud App Security management console is no longer accessible.

  • Cloud App Security performs deprovisioning and no longer protects your services.

  • Quarantined items cannot be restored or downloaded.