Real-Time and On-Demand Scanning

Cloud App Security searches for security risks and undesirable data by scanning messages and their attached files in email services and files stored in other cloud applications.

Cloud App Security performs real-time scans and on-demand (manual) scans. When Cloud App Security detects malicious or undesirable content, Cloud App Security automatically takes action against the email message or file according to scanning rules. Configure policies to scan specific targets and then take certain action or send a notification based on the security risk.

By default, Cloud App Security scans all possible email messages and files in the services it protects. Scannable files include any file that is not encrypted, password protected, or exceeds user-configured scanning restrictions.

Real-time scanning and on-demand scanning apply to Advanced Threat Protection policies and Data Loss Prevention policies.

Real-Time Scan

Cloud App Security scans the following in real time:

  • For email services, scanning occurs when an email message arrives at a protected mailbox.

  • For the other cloud applications, scanning occurs when a user uploads, creates, synchronizes, or modifies a file.

Manual Scan

Cloud App Security provides two manual scan types:

  • Scan and protect: Analyzes email messages or files, and takes action upon detecting any violation triggering the selected policy.

  • Scan only: Analyzes email messages or files, logs the analysis, and delivers the messages or files to users without taking any action configured in the selected policy. This helps evaluate the Cloud App Security performance with zero impact on mail flow and file sharing.


    This scan type applies to Office 365 services (excluding Microsoft Teams) and Gmail only.

Run a manual scan to ensure that Cloud App Security scans all messages and files. Completely scanning cloud applications in this way minimizes the risk of advanced threats or data protection violations. A manual scan affects all users, groups and sites; however optionally configure Cloud App Security to scan specific targets, as needed.

Cloud App Security generates and sends a comprehensive report after a manual scan to specified users, consolidating the scan results and displaying detailed information.

Manual scan requirements:

  • For a full license, run a manual scan on up to 31 days of data.


    A trial license supports a manual scan only on one day of data, and a manual scan covers 25 mailboxes, 5 SharePoint sites, or 5 cloud application service accounts.

  • Run only one manual scan for one kind of policy at a time.

    For example, you can perform a manual scan for Exchange Data Loss Prevention policies and SharePoint Online Data Loss Prevention policies at the same time. You cannot simultaneously perform two manual scans for Exchange Data Loss Prevention policies.