To protect users from advanced threats and to prevent data loss, Cloud App Security searches for security risks and undesirable data sent through email services, or saved in cloud storage applications by performing real-time scanning on files in supported cloud applications and services, including Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, Box, Dropbox, Google Drive, and Gmail.
Cloud App Security starts scanning when an email message arrives at or is sent from a protected mailbox, a file is saved to a cloud storage application or shared to a Microsoft Teams channel, or a private Teams chat message is sent. This unique API-based architecture guarantees that Cloud App Security has "zero impact" on your email or chat message delivery or file sharing as well as commitments defined in your service level agreements.
In addition to API-based Protection, Cloud App Security also provides the option of Inline Protection for email services to block security risks before they can affect your organization. For details, see Protection Modes for Email Services.
After you grant Cloud App Security access to a cloud application or service, Cloud App Security scans the content in the application or service based on your enabled policies. Cloud App Security provides default policies and allows you to create new policies. Upon detecting malicious or undesirable content, Cloud App Security automatically takes action against the email, file, or chat message based on the scanning result.
The following illustrates how Cloud App Security works.