Views:
The following table lists all the actions that Cloud App Security performs in the Microsoft 365 environment and other changes made by Cloud App Security.
Stage
Cloud App Security Changes to Microsoft 365
Other Changes
Microsoft 365 Admin Center
Exchange/SharePoint/OneDrive/Microsoft Teams
Granting access
Creates Cloud App Security service accounts for Microsoft 365 users.
  • Exchange: None.
  • SharePoint/OneDrive:
    • Adds a remote event receiver to each site collection.
    • Adds service accounts to each site collection's administrator group. (for granting access with a Delegate Account only)
    • Uses OAuth 2.0 to obtain SharePoint Online's or OneDrive' access token. (for granting access with an Authorized Account only)
  • Microsoft Teams:
    • Uses OAuth 2.0 to obtain Microsoft Teams' access token.
    • Adds a remote event receiver to each team site.
  • Teams Chat: Uses OAuth 2.0 to obtain Teams Chat's access token.
  • The SharePoint/OneDrive user list and user profiles are updated upon service account creation.
  • Exchange user information is updated upon service account creation.
  • The teams data is updated to the Cloud App Security database.
Service running
Synchronizes with Microsoft 365 daily to obtain information about new users, groups, SharePoint sites, and teams.
Note
Note
Cloud App Security synchronizes with Microsoft 365 at 00:15 a.m. UTC for both the EU and UK sites, 05:15 a.m. UTC for the Canada site, 08:15 a.m. UTC for the US site, 04:15 p.m. UTC for both the Japan and the Australia and New Zealand sites, 05:15 p.m. UTC for the Singapore site, and 00:15 p.m. UTC for the India site.
  • Exchange:
    • Creates hidden folders for mailboxes if there are quarantined files.
    • Moves files between the quarantine and user folders.
  • SharePoint/OneDrive:
    • Adds service accounts or the remote event receiver for new site collections.
    • Creates the hidden document library for each site if there are quarantined files.
    • Moves files between the quarantine and site folders.
  • Microsoft Teams:
    • Adds the remote event receiver for new team sites.
    • Creates the hidden document library for each site if there are quarantined files.
    • Moves files between the quarantine and site folders.
  • Teams Chat:
    • Subscribes to changes (create, update) to chat messages in the tenant.
    • Blocks chat message if needed.
  • The access or operation logs are updated for service accounts during scanning.
  • The LastLogonTime property is updated for each mailbox.
  • SharePoint/OneDrive notification files are created if Cloud App Security takes actions against certain files.
  • The access token for Microsoft Teams is refreshed every hour.
  • The access token for Teams Chat is refreshed every hour.
Revoking access
  • Stops daily synchronization with Microsoft 365.
  • Stops generating scheduled reports.
  • Exchange: Removes the quarantine folder.
  • SharePoint/OneDrive:
    • Removes the remote event receiver from each site collection. (for granting access with a Delegate Account only)
    • Removes service accounts from each site collection's administrator group. (for granting access with a Delegate Account only)
      Note
      Note
      To remove service accounts from the administrator group, make sure that the service accounts have been promoted Global Administrator privileges during the access grant.
    • Removes the access token obtained. (for granting access with an Authorized Account only)
    • Removes the quarantine document library.
  • Microsoft Teams:
    • Removes teams data.
    • Removes the access token obtained.
  • Teams Chat: Removes the access token obtained.
Note
Note
Cloud App Security recommends that you delete quarantine logs before revoking access.
None.
Manual cleanup
  • Removes service accounts from the Microsoft 365 user list.
  • Removes the Cloud App Security Add-in.
None.
  • Microsoft removes the SharePoint user profiles 30 days after service account removal.
  • Customers need to manually remove service account users from the SharePoint/OneDrive user list.
  • Microsoft Teams: none.
  • Teams Chat: none.
The following table lists all the actions that Cloud App Security performs in the Box, Dropbox and Google Drive environment and other changes made by Cloud App Security.
Stage
Cloud App Security Changes to Box/Dropbox/Google Drive
Other Changes
Granting access
  • Uses OAuth 2.0 to obtain Box's, Dropbox's or Google Drive's access token.
  • Uses the access token to create the following folders:
    • Quarantine folder: trendmicro_cas_quarantine__dont_change_or_delete
    • Temporary folder: trendmicro_cas_temp__dont_change_or_delete
  • Shares the temporary folder with all users in the current organization.
Saves user and group information to the Cloud App Security database.
Service running
  • Synchronizes with Box, Dropbox and Google Drive daily to obtain information about new users and groups.
    Note
    Note
    Cloud App Security synchronizes with Box, Dropbox and Google Drive at 03:32 a.m. UTC for both the EU and UK sites, 07:32 a.m. UTC for the Canada site, 10:32 a.m. UTC for the US site, 06:32 p.m. UTC for both the Japan and the Australia and New Zealand sites, 07:32 p.m. UTC for the Singapore site, and 02:32 p.m. UTC for the India site.
  • If a file violates a policy that specifies the "Quarantine" action:
    1. Renames the file and moves it to the temporary folder.
    2. Moves the file to the quarantine folder.
    3. Replaces the file with a text file in the original path.
  • Updates the access or operation logs for service accounts during scanning.
  • Refreshes the access token every hour.
Note
Note
In addition, for Google Drive, Cloud App Security keeps subscribing to Google's event notifications every 5 hours.
Revoking access
  • Stops daily synchronization with Box, Dropbox or Google Drive.
  • Stops generating scheduled reports.
  • Stops running manual scans.
  • Removes administrator-set policies.
  • Removes user and group information.
  • Removes the access tokens obtained.
Manual cleanup
  • Removes the Cloud App Security application from the Box or Dropbox admin console.
  • Removes the Cloud App Security application from the Google Workspace admin console and from the admin's Google Account.
    Note
    Note
    You can ignore this if you need to use the Gmail or Gmail (Inline Mode) service account for protection.
  • Removes the quarantine folder and temporary folder.
  • Removes the replacement text files if necessary.
None.
The following table lists all the actions that Cloud App Security performs in the Gmail environment and other changes made by Cloud App Security.
Stage
Cloud App Security Changes to Gmail
Other Changes
Granting access
Uses OAuth 2.0 to obtain Gmail's access token.
Saves user and group information to the Cloud App Security database.
Service running
  • Synchronizes with Gmail daily to obtain information about new users and groups.
    Note
    Note
    Cloud App Security synchronizes with Gmail at 00:15 a.m. UTC for both the EU and UK sites, 05:15 a.m. UTC for the Canada site, 08:15 a.m. UTC for the US site, 04:15 p.m. UTC for both the Japan and the Australia and New Zealand sites, 05:15 p.m. UTC for the Singapore site, and 00:15 p.m. UTC for the India site.
  • If an email message violates a policy that specifies the "Label email" action: Creates a label called "Risky (by Trend Micro)" and labels the message.
  • Updates the access or operation logs for the service account during scanning.
  • Refreshes the access token every hour.
  • Cloud App Security refreshes the subscription to all mailboxes' event notifications during scheduled synchronization every day.
Revoking access
  • Stops daily synchronization with Gmail.
  • Stops generating scheduled reports.
  • Removes administrator-set policies.
  • Removes user and group information.
  • Removes the access token obtained.
Manual cleanup
Removes the Cloud App Security application from the Google Workspace admin console and from the admin's Google Account.
Note
Note
You can ignore this if you need to use the Google Drive or Gmail (Inline Mode) service account for protection.
None.
The following table lists all the actions that Cloud App Security performs in the Salesforce environment and other changes made by Cloud App Security.
Stage
Cloud App Security Changes to Salesforce
Other Changes
Granting access
  • Adds the Cloud App Security application from AppExchange.
  • Adds a remote site setting to receive events.
  • Adds Apex triggers to generate events.
  • Uses OAuth 2.0 to obtain Salesforce's access token.
  • Adds custom settings to verify event integrity.
The Salesforce objects list and profiles are updated upon service account creation.
Service running
Synchronizes with Gmail daily to obtain information about new objects and profiles.
Note
Note
Cloud App Security synchronizes with Salesforce at 03:32 a.m. UTC for both the EU and UK sites, 07:32 a.m. UTC for the Canada site, 10:32 a.m. UTC for the US site, 06:32 p.m. UTC for both the Japan and the Australia and New Zealand sites, 07:32 p.m. UTC for the Singapore site, and 02:32 p.m. UTC for the India site.
  • Updates the access or operation logs for the service account during scanning.
  • Refreshes the access token every hour.
Revoking access
  • Stops daily synchronization with Salesforce.
  • Stops generating scheduled reports.
  • Removes the remote site setting.
  • Removes the Apex triggers.
  • Removes the access token obtained.
  • Removes the custom settings.
Manual cleanup
Removes the Cloud App Security application from the Salesforce admin console.
None.
If your license has reached the end of the grace period, note the following:
  • Cloud App Security management console is no longer accessible.
  • Cloud App Security performs access revoking and does not protect your applications or services any more.
  • Quarantined items cannot be restored or downloaded.