How Cloud App Security Works

To protect users from advanced threats and to prevent data loss, Cloud App Security searches for security risks and undesirable data sent through email services, or saved in cloud storage applications by performing real-time scanning on files in supported cloud applications and services, including Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, Box, Dropbox, Google Drive, and Gmail.

Cloud App Security starts scanning when an email message arrives at a protected mailbox, a file is saved to a cloud storage application, or a private Teams chat message is sent. This unique API-based architecture guarantees that Cloud App Security has "zero impact" on your email or chat message delivery or file sharing as well as commitments defined in your service level agreements.

For Exchange Online, Cloud App Security also provides the option of Inline Protection, which routes messages to Cloud App Security for scanning before they enter destination mailboxes or are delivered to recipients. This solution enables you to block threats before they can reach your users' mailbox and prevent data leakage before it actually takes place.


Inline Protection for Exchange Online requires the Cloud App Security for Email add-on license.

After you provision for a cloud application or service, Cloud App Security scans the content in the application or service based on your enabled policies. Cloud App Security provides default policies and allows you to create new policies. Upon detecting malicious or undesirable content, Cloud App Security automatically takes action against the email, file, or chat message based on the scanning result.

The following illustrates how Cloud App Security works.