Protecting Multiple Service Provider Tenants with One CLP Account

A company may maintain more than one tenant of a cloud service such as Microsoft Office 365 or Box due to business needs, operations in multiple countries, or mergers and acquisitions. Managing multiple service provider tenants, for example, Microsoft Azure AD tenants or Salesforce orgs, can be challenging. It often results in an incomplete and inconsistent view of service data and users over the corporate network.

By introducing organization management, Cloud App Security enables you to use one single CLP account to manage and visualize the security posture across all your tenants' services, which could be done only by switching among multiple CLP accounts before.

Note:

This feature is also available for Trend Micro LMP customers.

If your corporate structure is complex or you implement multiple tenants of a single or several cloud services for your business needs, Trend Micro recommends you group all cloud services of the same sub-organization entity within one organization that you create on the management console.

The steps outlined below illustrate how to use this feature across the Cloud App Security management console.

  1. Log on to the Cloud App Security management console.

    A default organization is automatically created. If you do not need more organizations, you can provision and protect all your cloud services under this default organization.

  2. Add organizations if you decide to have more, for example, if you have two Azure AD tenants to manage.

    For more information, see Organization Management.

    A Current organization drop-down list with options including the default organization, the organizations you have created, and All organizations will appear on each of the main screens, except the Administration screen.

  3. Select an organization and provision service accounts for the cloud services you manage under this organization.
    Note:

    For more information, see Four Ways to Begin Provisioning.

    You can provision the service account for one tenant under only one organization. For example, after you provision the Exchange Online service account for Azure AD tenant A under one organization, you are not able to provision a service account for Azure AD tenant A again under another organization.

  4. Select an organization and configure Advanced Threat Protection and Data Loss Prevention policies for the services provisioned under this organization.
  5. View threat detection and policy enforcement data on the Dashboard, Logs, and Quarantine screen.

    You can view the data of each organization respectively by selecting an individual organization in the Current organization drop-down list or view the aggregated data by selecting All organizations.

    Note:

    If you set Current organization to All organizations, you cannot export the aggregated data on Dashboard or generate reports on Logs.

  6. Go to Administration and configure additional settings for specific or all available organizations.

    The following settings can be configured by organization: Automation and Integration APIs, Configuring Approved Exchange Online Users, and Administrator and Role.